Another data-wiping malware program found in Iran

New malware Batchwiper is unsophisticated, but can cause a lot of damage, researchers say

A new piece of malware that deletes entire partitions and user files from infected computers has been found in Iran, according to an alert issued Sunday by Maher, Iran's Computer Emergency Response Team Coordination Center (CERTCC).

Maher Center described the new threat as a targeted attack, but said that it has a simple design and is not similar to other sophisticated targeted attacks previously seen in the region. "Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the center said in its advisory.

Several security companies have confirmed Maher's findings and said the threat is unsophisticated.

The malware is designed to delete all data from disk partitions identified with letters D to I, as well as files located on the desktop of the currently logged in user, security researchers from antivirus vendor Symantec said Monday in a blog post.

The malware initiates its data wiping routine on certain dates, the next one being Jan. 21 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.

The Maher Center said the malware's installer, also known as the dropper, is called GrooveMonitor.exe. That filename was likely chosen as a disguise because it is normally associated with a legitimate Microsoft Office 2007 document collaboration feature called Microsoft Office Groove.

According to an analysis of the new threat by researchers from security firm AlienVault, when the installer is executed, it adds a registry entry that ensure the malware's persistence across system reboots and creates a Windows batch file containing the data wiping routine.

Because of its use of batch files -- script files to be executed by the Windows shell program -- the malware has been dubbed "Batchwiper."

It's not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spearphishing emails, infected USB drives, some other malware already running on computers, or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email.

Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said.

Batchwiper is not the first data wiping malware found in the Middle East. Earlier this year, an investigation into a mysterious piece of malware that reportedly destroyed data from Iranian energy sector servers led to the discovery of the Flame cyberespionage threat.

In August, security researchers identified another unrelated piece of malware with data wiping capabilities called Shamoon. The malware is believed to have been used in an attack against Saudi Aramco, Saudi Arabia's national oil company, and affected of thousands of computer systems.

"Kaspersky Lab is currently researching the latest form of data wiping malware that was reported on December 16, 2012 by the Iranian Maher CERT," a representative of Kaspersky Lab said Monday via email. "Preliminary analysis suggests the malware is unsophisticated and does not appear to be related to the Wiper or Shamoon/DistTrack malware from earlier this year."

The malware nonetheless points to a trend of destructive code being used in the Middle East region.

"I do agree that this is not common in other parts of the world, and it can suggest that in the Middle East it might be easier for attackers to decide to take such actions to cover their tracks," Aviv Raff, chief technology officer of Israel-based IT security firm Seculert said via email. Seculert researchers have analyzed Batchwiper and confirm that it doesn't appear to have any direct connection to Shamoon, he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwaresymanteckaspersky labSeculertAlienVault

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?