Iranian CERT is sounding the alarm over another piece of data-deleting malware it has discovered on PCs in the country. Dubbed Batchwiper, the malware systematically wipes any drive partition with a letter from D through I, along with any files stored on the Windows desktop of the user who is logged in when it executes.
Why the name Batchwiper? It was chosen because the malware is packaged in a batch file.
The malware initiates its data-wiping routine on certain dates, the next one being Jan. 21, 2013. However, the dates Oct. 12, Nov. 12 and Dec. 12, 2012 were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.
GrooveMonitor.exe is the original dropper, a self-extracting RAR file; once executed, it extracts the following files:
-- \WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37
-- \WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6
-- \WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41
Then juboot.exe is executed, which creates and runs the following batch file:
\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat
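The dropped file names, MD5s and temp-path pattern above are enough to build a simple host-inventory check. The following is an added example written for this article, not code from the Iranian CERT advisory: it takes (path, md5) entries such as an EDR or inventory export would produce and flags the ones that match the published indicators. The sample inventory is constructed; the three MD5s and the file locations come from the advisory text. The path rule deliberately leaves out SLEEP.EXE, and jucheck.exe is also the name of a legitimate Java update checker, so for those two the hash, not the file name, is what confirms a match.

```python
import hashlib
import re

# Known-bad MD5s as listed in the advisory excerpt (md5 -> dropped file name).
BATCHWIPER_MD5S = {
    "ea7ed6b50a9f7b31caeea372a327bd37": "SLEEP.EXE",
    "c4cd216112cbc5b8c046934843c579f6": "jucheck.exe",
    "fa0b300e671f73b3b0f7f415ccbe9d41": "juboot.exe",
}

# Path patterns derived from the advisory. SLEEP.EXE is left out on purpose:
# the name collides with legitimate tools, so only its hash is trusted.
BATCHWIPER_PATHS = [
    # \Documents and Settings\<user>\Local Settings\Temp\<n>.tmp\juboot.bat
    re.compile(r"\\Local Settings\\Temp\\\d+\.tmp\\juboot\.bat$", re.I),
    # the two droppers' names, but only inside system32
    re.compile(r"\\system32\\(juboot|jucheck)\.exe$", re.I),
    # the self-extracting RAR dropper, matched on the bare file name
    re.compile(r"^GrooveMonitor\.exe$", re.I),
]


def md5_of_file(path):
    """MD5 of a file on disk, streamed so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, md5=None):
    """Return the reasons this entry matches the Batchwiper indicators ([] if none)."""
    reasons = []
    if md5 and md5.lower() in BATCHWIPER_MD5S:
        reasons.append("md5 matches " + BATCHWIPER_MD5S[md5.lower()])
    name = path.rsplit("\\", 1)[-1]
    for pat in BATCHWIPER_PATHS:
        if pat.search(path) or pat.search(name):
            reasons.append("path matches " + pat.pattern)
            break
    return reasons


def scan_inventory(entries):
    """entries: iterable of (path, md5_or_None). Returns {path: [reasons]} for hits."""
    hits = {}
    for path, md5 in entries:
        reasons = classify(path, md5)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample inventory (hypothetical host "alice"); the two benign
# entries show why name alone is not enough for sleep.exe and jucheck.exe.
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\system32\SLEEP.EXE", "ea7ed6b50a9f7b31caeea372a327bd37"),
    (r"C:\Tools\sleep.exe", "00000000000000000000000000000001"),           # benign
    (r"C:\Program Files\Java\jre7\bin\jucheck.exe", "00000000000000000000000000000002"),  # benign
    (r"C:\WINDOWS\system32\juboot.exe", "fa0b300e671f73b3b0f7f415ccbe9d41"),
    (r"C:\Documents and Settings\alice\Local Settings\Temp\1.tmp\juboot.bat", None),
]

if __name__ == "__main__":
    for path, reasons in scan_inventory(SAMPLE_INVENTORY).items():
        print(path, "->", "; ".join(reasons))
```

Running the block prints the three hits and stays silent on the two look-alike files; on a live host, feed `scan_inventory` with paths paired with `md5_of_file` output instead of the constructed list.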
According to the Iranian CERT advisory, "However, it is not considered to be widely distributed. This targeted attack is simple in design and it has no similarity to the other sophisticated targeted attacks."
In the past, Iran has accused the US and Israel of being behind the Flame attack as well as the Stuxnet virus. Such attacks are seen as an effort to cripple the Islamic Republic's nuclear program, which Western countries fear is being used to make a bomb.