

New 'Simplistic' Malware Strain Wipes Hard Drives

By Ken Presti
December 17, 2012    2:29 PM ET

A new strain of malware capable of wiping hard drives is being described as "simplistic" as well as insidious.

According to Kaspersky's Threatpost blog, the malware deletes every file on drives D: through I: as well as on the user's desktop. Once the data is gone, it runs the Windows chkdsk utility, apparently so that the loss looks like a disk failure rather than a deliberate attack.
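The two-step behaviour just described, mass deletion on the data drives followed by a chkdsk launch, is itself a detectable pattern. The script below is an added example and is not code from the article, Kaspersky or the Maher Center; the log format (timestamp, event type, pid, detail), the deletion threshold, the time window and the sample events are all constructed assumptions, simplified from what an endpoint agent or Sysmon would actually record. It flags a process that deletes several files on D: through I: or under a Desktop folder and then executes chkdsk within a few minutes, while ignoring a normal one-off chkdsk run.

```python
"""Hunt for the Batchwiper pattern: bulk deletes on D:..I: or the desktop,
followed by a chkdsk launch from the same process.

Added example, not code from the article or the researchers it cites.
The log format, thresholds and sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WIPED_DRIVES = {"D", "E", "F", "G", "H", "I"}   # drives the article says are wiped
DELETE_THRESHOLD = 5           # assumption: deletes per process before we care
WINDOW = timedelta(minutes=5)  # assumption: max gap between deletes and chkdsk

# Constructed log line shape: "<iso timestamp> <DELETE|EXEC> pid=<n> <path or cmdline>"
LINE_RE = re.compile(r"^(\S+) (DELETE|EXEC) pid=(\d+) (.+)$")
CHKDSK_RE = re.compile(r"\bchkdsk(\.exe)?\b", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    kind: str      # "DELETE" or "EXEC"
    pid: int
    detail: str    # deleted path, or executed command line


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, pid, detail = m.groups()
    return Event(datetime.fromisoformat(ts), kind, int(pid), detail)


def is_target_path(path):
    """True for a path on D: through I:, or anywhere under a Desktop folder."""
    drive = path[0].upper() if len(path) > 1 and path[1] == ":" else ""
    return drive in WIPED_DRIVES or "\\desktop\\" in path.lower()


def detect_wiper(lines):
    """Return (pid, number_of_recent_target_deletes, chkdsk_cmdline) for each
    process that launches chkdsk after at least DELETE_THRESHOLD target deletes
    inside WINDOW. Keyed on pid only for brevity; a real hunt should key on the
    process tree, since a batch file's deletes and its chkdsk may differ in pid."""
    deletes = {}   # pid -> timestamps of deletes on target paths
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "DELETE" and is_target_path(ev.detail):
            deletes.setdefault(ev.pid, []).append(ev.ts)
        elif ev.kind == "EXEC" and CHKDSK_RE.search(ev.detail):
            recent = [t for t in deletes.get(ev.pid, []) if ev.ts - t <= WINDOW]
            if len(recent) >= DELETE_THRESHOLD:
                alerts.append((ev.pid, len(recent), ev.detail))
    return alerts


# Constructed sample events: pid 4120 behaves like the wiper, pid 900 is a
# benign chkdsk after one temp-file delete, pid 77 deletes without chkdsk.
SAMPLE_LOG = """\
2012-12-10T09:00:01 DELETE pid=4120 D:\\projects\\plan.docx
2012-12-10T09:00:01 DELETE pid=4120 D:\\projects\\budget.xlsx
2012-12-10T09:00:02 DELETE pid=4120 E:\\backup\\2012-11.zip
2012-12-10T09:00:02 DELETE pid=4120 F:\\media\\clip.avi
2012-12-10T09:00:03 DELETE pid=4120 C:\\Users\\bob\\Desktop\\notes.txt
2012-12-10T09:00:03 DELETE pid=4120 C:\\Users\\bob\\Desktop\\todo.txt
2012-12-10T09:00:04 EXEC pid=4120 chkdsk D: /f
2012-12-10T09:05:00 DELETE pid=900 C:\\temp\\cache.tmp
2012-12-10T09:05:01 EXEC pid=900 chkdsk C:
2012-12-10T09:07:00 DELETE pid=77 D:\\old\\a.log
2012-12-10T09:07:00 DELETE pid=77 D:\\old\\b.log
""".splitlines()


if __name__ == "__main__":
    for pid, n, cmd in detect_wiper(SAMPLE_LOG):
        print(f"ALERT pid={pid}: {n} deletes on target paths, then '{cmd}'")
```

Run against the constructed log, only pid 4120 is reported. The chkdsk itself is the weak signal here (administrators run it legitimately); the sequence is what matters, which is why the deletes are counted first and the chkdsk launch only promotes them to an alert. A process that deletes heavily on the data drives but never runs chkdsk (pid 77) is not flagged by this rule and would need a separate mass-deletion rule.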

So far the malware, dubbed Trojan.Batchwiper, has been seen only in Iran, which reported the attack on Sunday through the Maher Center, Iran's national CERT.


The wiper fires only on dates hard-coded into it, including Dec. 10 through Dec. 12 last week. From that schedule, researchers expect it to activate again for two days starting Jan. 21 and then lie dormant until May 6. Further activation windows fall in July and November 2013, February, May and August 2014, and February 2015. One practical consequence of date-gating is that a sample detonated in a sandbox on any other day will appear to do nothing unless the system clock is set to one of those dates.

The Threatpost blog quoted Kaspersky Lab researcher Roel Schouwenberg as saying, "This [malware] is as basic as it gets. But if it was effective, that doesn’t matter. If it wasn’t clear already, the era of cyber sabotage has arrived."

The malware is built from Windows batch (BAT) files compiled into PE executables with a BAT2EXE-style tool, and it appears to be unrelated to Shamoon or any of the other high-profile attacks seen so far. Names associated with it include Win.32.Maya.a and GrooveMonitor.exe, the latter being the dropper.

According to a post on the AlienVault blog, the malware is most likely delivered by USB drives or spearphishing, or possibly as the second stage of a targeted intrusion.

Data-wiping malware has gained notoriety, especially in the Middle East, where Shamoon brought the IT systems of Saudi Aramco, the Saudi Arabian state oil company, to a near standstill earlier this year. The investigation of another wiper in the region also led to the discovery of the Flame (Flamer) malware.
