On Monday, we learned that Iran’s CERT issued a warning about a new piece of malware designed to wipe files from infected computers. Experts from Kaspersky and Sophos have since analyzed the threat and provide some interesting details.
It turns out that the malware is distributed as a self-extracting archive called GrooveMonitor.exe, which contains three executable files: SLEEP.exe (a delay utility that is not malicious in itself), jucheck.exe and juboot.exe.
Basically, juboot.exe is a DOS batch file wrapped as an executable: it uses SLEEP.exe to wait two seconds and then adds a registry entry that ensures jucheck.exe is executed each time the computer starts.
When executed, jucheck.exe erases GrooveMonitor.exe and juboot.exe and checks whether the system date matches one of the dates on which it is meant to delete the files from the Desktop and from the D, E, F, G, H and I partitions. Because the destructive step is gated on the date, running the sample in a sandbox on any other day shows nothing beyond the persistence entry and the cleanup of the dropper.
Once the data has been deleted, chkdsk is run on the targeted partition, most likely to trick the victim into believing that the files were lost to a hardware or software fault rather than deliberately wiped.
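The behaviour described above (a short delay, a Run-key persistence entry, date-gated deletion of the Desktop and whole drive letters, then a chkdsk to mask the damage) is easy to turn into a behaviour-based triage check for suspect batch scripts. The following is an added example and not code from the article or from Kaspersky or Sophos; the signal names, weights, threshold and both sample scripts are constructed for illustration, and the trigger-date placeholder stands in for dates the article does not give.

```python
"""Batch-wiper triage: score a .bat/.cmd body for the behaviours described in the
article (delay, Run-key persistence, date-gated deletion of the Desktop and whole
drives, chkdsk run afterwards on the same drive).

Added example, not code from the article or from Kaspersky/Sophos.  Signal names,
weights and the threshold are assumptions chosen for illustration.
"""
import re

# Each signal maps to (compiled regex, weight).  Weights are assumptions.
SIGNALS = {
    "run_key_persistence": (re.compile(r"\breg\s+add\b.*\\CurrentVersion\\Run", re.I), 3),
    "drive_root_delete":   (re.compile(r'\b(?:del|erase|rmdir|rd)\b[^\n]*\b[d-z]:\\(?:\*|\s|"|$)', re.I | re.M), 4),
    "desktop_delete":      (re.compile(r"\b(?:del|erase|rmdir|rd)\b[^\n]*\bdesktop\b", re.I), 3),
    "date_gate":           (re.compile(r"%date%", re.I), 2),
    "sleep_delay":         (re.compile(r"\bsleep(?:\.exe)?\s+\d+", re.I), 1),
}
DEL_DRIVE = re.compile(r"\b(?:del|erase|rmdir|rd)\b[^\n]*\b([d-z]):\\", re.I)
CHKDSK_DRIVE = re.compile(r"\bchkdsk\s+([d-z]):", re.I)


def chkdsk_after_delete(text: str) -> bool:
    """True if a chkdsk line targets a drive letter that an earlier line deleted from.
    Ordering matters: a chkdsk *before* the deletion is ordinary maintenance."""
    wiped = set()
    for line in text.splitlines():
        m = DEL_DRIVE.search(line)
        if m:
            wiped.add(m.group(1).upper())
        m = CHKDSK_DRIVE.search(line)
        if m and m.group(1).upper() in wiped:
            return True
    return False


def scan_batch(text: str) -> dict:
    """Return {signal_name: weight} for every signal present in the script body."""
    hits = {name: weight for name, (rx, weight) in SIGNALS.items() if rx.search(text)}
    if chkdsk_after_delete(text):
        hits["chkdsk_after_delete"] = 3
    return hits


def score(text: str) -> int:
    return sum(scan_batch(text).values())


def is_suspected_wiper(text: str, threshold: int = 6) -> bool:
    """Threshold is an assumption: one destructive signal plus one supporting one."""
    return score(text) >= threshold


# Constructed sample modelled on the article's description; this is NOT the real
# malware, and TRIGGER_DATE stands in for dates the article does not give.
WIPER_LIKE = r"""@echo off
SLEEP.exe 2
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck /t REG_SZ /d "%APPDATA%\jucheck.exe" /f
if "%date%"=="TRIGGER_DATE" goto wipe
goto end
:wipe
del /q /f /s "%USERPROFILE%\Desktop\*.*"
del /q /f /s D:\*.*
chkdsk D: /f
:end
"""

# Constructed benign maintenance script for comparison.
BENIGN = r"""@echo off
rem Nightly cleanup of the build cache
del /q "%TEMP%\build\*.obj"
echo cleanup done
"""

if __name__ == "__main__":
    for name, body in (("wiper-like", WIPER_LIKE), ("benign", BENIGN)):
        print(f"{name}: score={score(body)} suspect={is_suspected_wiper(body)} {scan_batch(body)}")
```

The ordering check in `chkdsk_after_delete` is the part worth keeping: a chkdsk on its own is routine, but a chkdsk that follows a recursive delete of the same drive is the masking step the analysts describe. Scoring on behaviour rather than on the three file names means the check still fires when the wrapper is renamed.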
Everyone who has analyzed this piece of malware agrees that it is not sophisticated at all, but they also agree that it does not need to be in order to cause damage.
“Why Iran is drawing attention to this is anybody's guess. It does go to show that malware doesn't need to be sophisticated to cause trouble though. If you can execute arbitrary files, all it takes is a few lines in a batch file and some wrappers to cause serious damage,” Sophos’ Chester Wisniewski said.
“This is as basic as it gets. But if it was effective that doesn't matter. If it wasn't clear already - the era of cyber-sabotage has arrived. Be prepared,” Roel, a Kaspersky Lab expert, explained.