Pierluigi Paganini December 19, 2012

On December 16th the Iranian Maher center issued an advisory warning of a new “targeted data wiping” malware discovered during an investigation.

First analysis of the center revealed that the malicious code has a simple as efficient design that allow it to wipe files on different drives in various predefined times. The malware wipes disk partitions and user profile directories avoiding ordinary anti-virus software detection, Maher advisory provided the list of components of the malware

Juboot.exe and jucheck.exe components mask disguise themselves as a Java auto update program, meanwhile the SLEEP.EXE application is a freeware tool to delay application startup.
The Trojan is distributed as a self-extracting WinRAR archive named GrooveMonitor.exe that once executed drops the components juboot.exe, jucheck.exe and SLEEP.EXE.
The malware seems to have no links with precedent cyber threats that hit the countries such as Stuxnet, Duqu and Shamoon.

Of course many antivirus producer and security companies has started the researches on the malware. SophosLabs confirmed the malware presence and the capabilities described by Maher center but doesn’t share Iranian conviction that it’s a targeted attack.

The Sophos blog reported:

“Juboot.exe is actually a simple DOS BAT file that has been converted to a Windows PE (Portable Executable) file using a Batch to Exe Converter. It uses SLEEP.EXE to wait for two seconds, then sets a registry key to start jucheck.exe on system boot.
Upon execution jucheck.exe waits two seconds, erases GrooveMonitor.exe and juboot.exe, then checks to see if the date matches any of the following:
10-December-2012 to 12-December-2012
21-January-2013 to 23-January-2013
06-May-2013 to 08-May-2013
22-July-2013 to 24-July-2013
11-November-2013 to 13-November-2013
3-February-2014 to 5-February-2014
5-May-2014 to 7-May-2014
11-August-2014 to 13-August-2014
2-February-2015 to 4-February-2015.
If the date matches, it waits for 50 minutes, then performs a recursive delete on the aforementioned drive letters and deletes everything from the user’s desktop.”

As explained by Sophos experts the malicious payload is very simple,  it will also wipe all files from the victim’s desktop.

Sophos research team also discovered a different variant of the malware that replaced jucheck.exe component with a new on called Wmiprv.exe and that tries to delete GrooveMonitor.exe from

C:\Documents and settings\All Users\Start Menu\Programs\Startup\

and runs in an endless loop every 50 minutes to erase the drives. Sophos commented this discovery with following statement:

“This is likely indicative of a more advanced dropper file and a way to be sure to harm machines that are not rebooted during the specified time windows.”

Roel Schouwenberg from Kaspersky lab added further interesting details revealed by the analysis conducted by his team on the malware named GrooveMonitor.

“After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure. Next to these BAT2EXE files there’s also a 16-bit SLEEP file, which is not malicious. 16-bit files don’t actually run on 64-bit versions of Windows. This immediately gives away the malware’s presence on a x64 machine.”

Symantec identified the cyber threat as Trojan.Batchwiper sharing same information of Kaspersky and Sophos.

Despite the malware appears really simple and hasn’t created great problems to the victim country it could be indicator of ongoing development of a new cyber weapon. The detected module could be designed for testing purposes or as a part of a of a broader project.
Roel Schouwenberg concluded his analysis with a very meaningful statement:

“The era of cyber-sabotage has arrived. Be prepared.”

Pierluigi Paganini