Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: In a word, destructive, the tale of W32/Scar-H

06 May 2010   #1

Win 7 Ultimate 64-bit. SP1.
In a word, destructive, the tale of W32/Scar-H

Very rarely nowadays do we find a piece of malware whose sole intent and purpose is to destroy the victim computer. W32/Scar-H is an example of one of those über twisted malware which in the literal sense detonates a bomb on the victim.

At first glance W32/Scar-H is like any ordinary Autorun worm making its way from victim to victim. When first run it creates the following files:
<System>\ntldr.exe (copy of self)
<Root>\WinNT.exe (copy of self)
It spreads to any device that is mapped to a drive letter by creating the following files with the hidden attribute set on the created files:
<Root>\WinNT.exe (copy of self)
<Root>\AutoRun.inf (to execute WinNT.exe when the drive is accessed)
Here is where the rampage begins. W32/Scar-H will systematically replace all files in the C: drive ending with the extension .exe with a copy of itself starting with the files in the <System> directory. The filenames of the replaced files will remain unchanged. These unchanged filenames add to the explosive mixture.

With all these file replacements going on in the C: drive, an application crash is a guaranteed event. The default debugger on Windows is <System>\Drwtsn32.exe which captures a crash log and process dump file to be submitted as an error report to Microsoft optionally. W32/Scar-H has already conveniently replaced Drwtsn32.exe with a copy of itself. So every time Windows calls Drwtsn32.exe to handle an exception, another W32/Scar-H processes gets created by Windows. This calling of Drwtsn32.exe carries on recursively and indefinitely till the victim computer becomes completely non-responsive.
In a word, destructive, the tale of W32/Scar-H | SophosLabs blog

My System SpecsSystem Spec

06 May 2010   #2
Microsoft MVP

Windows 7 Ultimate 32bit SP1

That's a wipe and clean install time ... don't even try to clean it up.

Translated by Google:
My System SpecsSystem Spec
07 May 2010   #3

Windows XP - Now Windows 7 Home Premium (64-bit).

My System SpecsSystem Spec

07 May 2010   #4

Windows 7 64x

Quote   Quote: Originally Posted by Jacee View Post
That's a wipe and clean install time ... don't even try to clean it up.

Translated by Google:
Google Translate
Yeap! Damage is pretty much done if it finds it's way in undetected.
My System SpecsSystem Spec
07 May 2010   #5

Windows 7 Ultimate 32 bit

Ouch! That one is nasty!
My System SpecsSystem Spec
07 May 2010   #6

Windows 7 Home Premium x64 SP1

If someone is affected by that virus, it's an imminent format, yes, but what if he wants to save his data? Man... the computer that will receive the infected drive really needs to be well protected and autorun is set to off >_<

Or on Linux? Well, Linux in that case would be a savior. Or a Mac with a software to read NTFS partitions/hard drives.

Otherwise, if you get that virus, you are pretty much screwed... and your other hard drives along if they have .exes.
My System SpecsSystem Spec
07 May 2010   #7

Windows 7 Ultimate 32 bit

A good reason to keep you data separate from your OS and programs.
My System SpecsSystem Spec
07 May 2010   #8

64-bit Windows 8.1 Pro

A better reason to regularly image your system drive....
My System SpecsSystem Spec

 In a word, destructive, the tale of W32/Scar-H

Thread Tools

Similar help and support threads
Thread Forum
BSOD during Non-Destructive Reinstall
I was having random reboots on my Win7 SP1 system (ASUS Sabertooth 990FX, AMD Phenom II X6 1100T, 8GB RAM, NVIDIA GeForce GTX 560 1GB and Crucial M4 256GB SSD); I would leave the system for 20 minutes or so and come back to find it had recovered from some sort of issue and rebooted. The system also...
BSOD Help and Support
Tale of the magnetic tape: 60 years at IBM
Read/See More: Tale of the magnetic tape: 60 years at IBM | ZDNet
Chillout Room
A tale of two old machines... to upgrade or not ?
Hello all, newbie to this forum but it looks like the right place. I've got two old machines at home that I use for basic stuff, and I've been holding out for a long time but it seems like I may have to upgrade. So I want to see if it's worth it to upgrade one or both to Windows 7 or not. Or...
Hardware & Devices
System Restore failure - yet another tale of woe!!
OK, I've seen loads of posts by people who have lost their system restore and I have tried all suggestions but still have the following problem: I can create a System Restore point OK but when I try and roll back to a previous point, it goes through the motions and when the desktop screen reappears...
Backup and Restore
HP Laptop Non-destructive recovery?
I am working an HP Pavilion Entertainment PC laptop w/ Win7 pre-installed. It is having some lock up issues, somewhat resolved after removing Mcafee Av, but still tends to freeze up at times. The user had several registry cleaners on it and I think between those two it still has some registry...
Installation & Setup
Non Destructive Rebuilds
Hi all - my first message here so be nice :) Anyway, I haven't had much chance to play with W7 yet but some of my friends have and they are far less techy than I. What this boils down to is that I get all their tech support queries and I'm just trying to prep for the day ... So, with XP one...
Installation & Setup

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 12:15.

Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App