Symantec recently identified a database-corrupting piece of malware targeting systems mostly in Iran, but despite early speculation that it could be related to the likes of Stuxnet and Flame, it appears to be targeting small businesses rather than the country’s infrastructure.
The malware, dubbed W32.Narilam, is predominantly active in the Middle East, and it has also been detected in the USA and UK. The worm looks for particular words in Microsoft SQL databases and overwrites them.
The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd. Once the targeted databases are found, Narilam looks for specific objects and tables and either deletes the tables or replaces items with random values.
On Monday an alert was published on tarrahsystem.com warning its customers of the W32.Narilam threat. The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan.
Kaspersky Lab took issue with reports based on Symantec’s claim that Narilam was built using Delphi. “We’ve analysed the sample and found no obvious connection with these. Duqu, Stuxnet, Flame and Gauss have all been compiled with versions of Microsoft Visual C, while Narilam was built with Borland C++ Builder 6 (and not Delphi, as other articles seem to suggest), a completely different programming tool.”
Iran’s Computer Emergency Response Team issued a statement calling Narilam unsophisticated and saying it “has no sign of a major threat.” In fact, Iran’s CERT said it had been previously detected in 2010 and targets accounting software, developed by an Iranian company, that is used by small businesses.