Doc ID                : ADV274
Version              : 3.0
Status                : Published
Published date : 2/07/2017
Categories  : Foxboro Evo
Last Modified date :  

Customer Advisory
W32/DistTrack Worm CyberSecurity Threat
February 04, 2017

Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service. 

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

Security Vulnerability:

We have become aware of new variations of the Win32/DistTrack malware that had been originally identified in 2012.  As of February 3, 2017, no Foxboro Evo or I/A Series Systems have been affected by these new variations of the DistTrack malware.  We want to make our customers aware of this recent development so that appropriate protections can be put in place.  We strongly advise customers to take note of the actions recommended, to test such actions or patches on non-production systems as able, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.

Severity:  Extreme

Once infected, the malware uses worm tactics to spread quickly throughout the network. The probability of a workstation or server being rendered useless is high.


This advisory applies to all Foxboro Evo Process Automation Systems and I/A Series systems users:


On January 31, 2017, the Schneider Electric Process Automation Security Team discovered that the default credentials to the Standard (non-secure) edition of Foxboro Evo are included in multiple versions of the Win32/DistTrack malware. Win32/DistTrack is an information-stealing worm malware that has extremely destructive behavior. Machines infected by it are rendered useless because most of the files, the Master Boot Record (MBR), and the partition tables are overwritten with random data. The overwritten data is lost and is not recoverable. The system is rendered unbootable.  This family of malware was responsible for the Shamoon attacks in 2012, widely considered to be among the most destructive attacks on private enterprises ever; see Joint Security Awareness Report (JSAR-12-241-01B).


The malware is downloaded as a secondary payload from a W97M/Downloader infection. Targeted users receive a MS Word document with malicious macros. When opening the document, an image is shown to the user informing them that the document cannot be loaded if the users do not enable macros.  Again, there are no known exploits of this vulnerability on Foxboro Evo or I/A Series systems at this time.


Immediate actions to take:

There are several lines of defense against malware attacks such as this.  To protect your workstations and servers against viruses and malware:


For those customers who are using the Secure edition of Foxboro Evo with McAfee security tools:


Safe Practices

Exercising safe, sound cyber practices are essential to limit potential attack vectors.


If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:  
GCS Center America's GCS Asia Pacific GCS EMEA GCS
Location Foxboro MA USA Shanghai Baarn NL
Phone +1-866-746-6477 +86 21 37180086  +31-3554-84125
Internationally +1-508-549-2424    
Fax +1-508-549-4999 +86 21 37180196 +31-3554-84230
Email America's GCS Asia Pacific GCS EMEA GCS


John Petty
Global Customer Support

Distribution to Schneider Electric Customers and Internal Personnel Only
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.


2017004abi Rev 2