W32.Narilam, the malware that hit databases in the Middle East

Pierluigi Paganini November 25, 2012

Symantec has published an interesting alert on a new agent named W32.Narilam that has been designed to damage corporate databases.

Recently we have always thought to malware as dangerous agents used to steal information such as banking credentials or to be used in cyber espionage operation.

This is one of the different ways to monetize the development of a malicious agent, virus creation to steal information which is associated with an economic value.

But we also learned that malware could be developed for destructive purposes, that the case of state-sponsored project or cyber weapon such as Stuxnet, but the similar approach could be also persecuted by private companies against competitor business.

The sabotage of business could be obtained also through the spread of virus and trojan designed to attacks specific targets, W32.Disttrack malware is a sample of this category of malware because it is able to wipe out data from victims hard disks.

The sabotage could have various effects depending on the practices adopted by companies to respond to an incident, anyway, it represents a serious threat to the business.

Symantec has published an interesting alert on a new agent named W32.Narilam that has been designed to damage corporate databases. Once again the geographic area most impacted is the Middle East.

Narilam infections



W32.Narilam is a worm that attempts to spread by copying itself to all drives and certain shared folders on the compromised computer, the malware doesn’t include module to steal information from the victims.

The malware is written in Delphi programming language and has a behavior similar to other malicious agent but what is considered “unusual” by security researchers is its capability to update a Microsoft SQL database if it is accessible by OLEDB.

The worm is designed expressed to attack SQL databases, it searches for instances having the following names:

  • alim
  • maliran
  • shahd

and in particular, it is able to access to database objects to updating/deleting them. The malware searches for objects having specific names, some of them having some of them belonging to the Arabic and Persian languages (e.g. Hesabjari than means “current account” in Arabic/Persian).

Analyzing the objects manipulated by the malware, and the type of database hit, the experts have deducted that it has been developed to target mainly corporations.

Symantec revealed that the percentage of business users hit is of 97,1%, meanwhile, Nonbusiness users are at 2,9%.

The Symantec report states:

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

Fortunately, the threat assessment reveals that it is considerable a low-level menace due to the limited number of infections in a very restricted area. The agent is simple to eradicate despite once infected the victim it damages database irreparably.

Once again the question is … who has developed the malware and why?

Pierluigi Paganini


UPDATE 11/26/2012

Maher center announcement about the “narilam” malware

Recently Symantec reported the detection of a new malware called “win32.narilam”. regarding that report, there were numerous media coverage on the topic, and comparing the threat to the previously reported cyber-attacks on Iran’s infrastructure like Stuxnet, duqu and flame. The Iranian national Cert “Maher”, announces that the initial investigations show some misunderstanding about the recent malware.

The malware called “narilam” by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.

Anyway, this is not a threat for general users and need no special care. Only the customers of that accounting software could make backup of their database and scan their system by updated antivirus products

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Narilam,  Malware)

you might also like

leave a comment