Symantec has issued a warning about a newly emerged worm that can attack and modify corporate databases, including SQL databases that can be accessed through the OLEDB API. Though most of the attacks are occurring in the Middle East, the W32.Narilam worm is beginning to spread elsewhere as well.
"Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares," wrote Symantec security researcher Shunichi Imano in a blog post. "It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough; what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB."
When targeting a database, Narilam searches for financial terminology and often deletes legitimate data. At this point, the worm appears to be designed to damage the database rather than to upload data to command-and-control servers. While the infection rate is currently limited, Imano warns that corporate networks that are poorly secured could be severely disrupted.
"The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," he wrote. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations."
The worm can reportedly redirect the user's browser home page to a phishing site and then launch pop-ups offering ransomware for sale. Some versions are also believed to carry Trojans and keyloggers.
Channel partners and IT administrators are urged to make sure that their antivirus protection is fully up to date and protected against W32.Narilam.
"Unless appropriate backups are in place, the affected database will be difficult to restore," he wrote. "The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them."
PUBLISHED NOV. 26, 2012