
Different Wipers Identified in South Korean Cyberattack

Created: 23 Mar 2013 01:36:26 GMT • Updated: 23 Jan 2014 18:08:41 GMT • Translations available: 日本語
Symantec Security Response

Our analysis of Trojan.Jokra, the threat that recently caused major outages within the Korean broadcasting and banking sectors, has produced another wiper.

Over the past few days, security researchers have been discussing the wiper component found in this Trojan, specifically the different wiper versions and the timings involved. We have seen the following strings used in four different variants:

  • HASTATI and PR!NCPES in combination

Three wipers are packaged as a position-independent executable (PIE) and a fourth as a dynamic-link library (DLL) injection. There are also some differences in the timing.


Table. Trojan.Jokra wipers

Two of the wipers were instructed to immediately wipe upon execution. Another was instructed to wipe specifically at 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20, independent of year.


Figure. Trojan.Jokra wiper countdown

To protect your machine from Trojan.Jokra and other threats, please ensure that your computer has the latest patches and the most up-to-date antivirus definitions installed.