
Batchwiper malware, new virus targets Iranian computers

Iranian CERT is sounding the alarm over another piece of data-deleting malware it has discovered on PCs in the country. Dubbed Batchwiper, the malware systematically wipes any drive partition with a letter from D through I, along with any files stored on the Windows desktop of the user who is logged in when it is executed.

Why the name Batchwiper? It was chosen because the malware is packed in a batch file.

The malware initiates its data-wiping routine on certain dates, the next one being Jan. 21, 2013. However, the dates Oct. 12, Nov. 12 and Dec. 12, 2012 were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.

GrooveMonitor.exe is the original dropper, a self-extracting RAR file; once executed, it extracts the following files:

-- \WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37

-- \WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6

-- \WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41

juboot.exe is then executed, which creates and runs the following batch file:

\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat
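The file names and MD5 hashes above are the only indicators the advisory publishes, and they are enough for a simple host sweep. The script below is an added example for defenders, not code from the article or from Iranian CERT: it walks a directory, hashes every file, and reports files that match a published MD5 (a strong indicator, regardless of file name) separately from files that merely carry one of the dropped-component names (a weak indicator, since jucheck.exe is also the name of the legitimate Java update checker and needs the hash to confirm it). The function names, the directory-walking logic and the default scan target are assumptions of this example.

```python
import hashlib
import os

# Indicators listed in the article: file names of the dropped components and
# the MD5 hashes reported for them (keys lower-cased for matching).
BATCHWIPER_MD5 = {
    "sleep.exe": "ea7ed6b50a9f7b31caeea372a327bd37",
    "jucheck.exe": "c4cd216112cbc5b8c046934843c579f6",
    "juboot.exe": "fa0b300e671f73b3b0f7f415ccbe9d41",
}
# Names the article mentions without a hash: the dropper and the batch file it writes.
BATCHWIPER_NAMES = {"groovemonitor.exe", "juboot.bat"}


def md5_of_file(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_file(path, md5_iocs=BATCHWIPER_MD5, name_iocs=BATCHWIPER_NAMES):
    """Return the sorted list of indicator types one file matches.

    'md5_match'  - the file's hash equals a published hash (strong indicator,
                   whatever the file is currently called).
    'name_match' - the file name matches a dropped-component name (weak
                   indicator: confirm with the hash before acting on it).
    """
    findings = []
    name = os.path.basename(path).lower()
    if name in md5_iocs or name in name_iocs:
        findings.append("name_match")
    if md5_of_file(path) in set(md5_iocs.values()):
        findings.append("md5_match")
    return sorted(findings)


def scan_directory(root, md5_iocs=BATCHWIPER_MD5, name_iocs=BATCHWIPER_NAMES):
    """Walk `root` and map each file that matched an indicator to its findings."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                findings = classify_file(path, md5_iocs, name_iocs)
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default target: the system32 directory the article names as the drop location.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for path, findings in scan_directory(target).items():
        print(f"{path}: {', '.join(findings)}")
```

Run it as `python batchwiper_sweep.py <directory>`; pass the user's `Local Settings\Temp` directory as well to catch the juboot.bat stage, and treat name-only hits as a prompt to pull the file for hashing rather than as a confirmed infection.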

According to the Iranian CERT advisory, "However, it is not considered to be widely distributed. This targeted attack is simple in design and it does not have any similarity to the other sophisticated targeted attacks."

In the past, Iran has accused the US and Israel of being behind the Flame attack as well as the Stuxnet virus. Such attacks are seen as an effort to cripple the Islamic Republic's nuclear program, which Western countries fear is being used to make a bomb.
