Although it was first thought to be another serious nation-level virus, deeper analysis shows that it is a relatively simple attack.
GrooveMonitor.exe is the main file.
Checking the file with a hex editor, we notice something nice: it is basically a self-extracting RAR file.
Opening the archive, we see three more files: jucheck.exe, juboot.exe and SLEEP.EXE.
If we look at juboot.exe in a hex editor, we find the following signature:

The header belongs to UPX, "the Ultimate Packer for eXecutables" (http://upx.sourceforge.net).
I then opened the file with PE Explorer, which allowed me to see that the file is basically a batch file with the following content:
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
It looks like juboot.exe runs sleep for 2 and then adds a value under the HKCU Run key, ensuring that 'jucheck.exe' is executed each time the computer starts up.
Checking jucheck.exe in the same manner, it is also a batch file.
The batch file is longer this time, so I'll summarize it for you. I have made the source available on pastebin: http://pastebin.com/B2jKHUDH .
First it sleeps for 2, just like juboot.exe, then it deletes the juboot.exe file and the original GrooveMonitor.exe.
The code then checks the current date and only runs its payload on specific dates. The dates are:
- 10-12/Dec/2012
- 21-23/Jan/2013
- 6-8/May/2013
- 22-24/Jul/2013
- 11-13/Nov/2013
- 3-5/Feb/2014
- 5-7/May/2014
- 11-13/Aug/2014
- 2-4/Feb/2015
The batch then moves on and attempts to erase the desktop in the same way.
Finally, the batch file runs "calc" (where did this come from?).
I haven't finished messing with the samples, but as you've seen it's not a sophisticated attack and will be easy to detect and stop before any damage is done.
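As an added example (not part of the original post), a small Python helper that models the behaviour described above from the defender's side: it reproduces the date gate so an analyst can tell whether a given day falls inside an activation window, and scans the text output of a `reg query` on the HKCU Run key for the persistence value that juboot.exe writes. The registry output embedded below is constructed, not captured from a real host.

```python
import datetime as dt
import re

# Activation windows taken from the post's date list (inclusive start, end).
TRIGGER_WINDOWS = [
    (dt.date(2012, 12, 10), dt.date(2012, 12, 12)),
    (dt.date(2013, 1, 21), dt.date(2013, 1, 23)),
    (dt.date(2013, 5, 6), dt.date(2013, 5, 8)),
    (dt.date(2013, 7, 22), dt.date(2013, 7, 24)),
    (dt.date(2013, 11, 11), dt.date(2013, 11, 13)),
    (dt.date(2014, 2, 3), dt.date(2014, 2, 5)),
    (dt.date(2014, 5, 5), dt.date(2014, 5, 7)),
    (dt.date(2014, 8, 11), dt.date(2014, 8, 13)),
    (dt.date(2015, 2, 2), dt.date(2015, 2, 4)),
]

def _as_date(day):
    return dt.date.fromisoformat(day) if isinstance(day, str) else day

def in_trigger_window(day):
    """True if the wiper's date gate would let the payload run on `day`."""
    day = _as_date(day)
    return any(start <= day <= end for start, end in TRIGGER_WINDOWS)

def next_trigger_window(day):
    """Current or next window (ISO strings) ending on/after `day`, or None."""
    day = _as_date(day)
    for start, end in TRIGGER_WINDOWS:
        if end >= day:
            return (start.isoformat(), end.isoformat())
    return None

# One value line of `reg query ...\Run` output: name, type, data.
RUN_VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.+?)\s*$", re.IGNORECASE)

def find_run_persistence(reg_text):
    """Return (name, data) pairs matching the jucheck.exe Run value from the post."""
    hits = []
    for line in reg_text.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        # cmd.exe expands %systemroot% before reg add runs, so the stored data is
        # the expanded path; the suffix check covers an unexpanded form as well.
        if name.lower() == "jucheck.exe" or data.lower().endswith(r"\system32\jucheck.exe"):
            hits.append((name, data))
    return hits

# Constructed sample output (not from a real host); the first value is benign.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    jucheck.exe    REG_SZ    C:\WINDOWS\system32\jucheck.exe
"""
```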
If you want to look at the samples for yourselves, I've made them available at http://turbobit.net/aywxvv08e83b.html
Enjoy.
Warez sites seem to be distributing these attacks. Not sure why, but I had my Windows XP wiped the other day.

That is strange. Are you sure they are identical? I would love to receive a sample if possible.

I am doing a project for a malware class and chose batchwiper as my virus. I found a sample at http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html#more... It is a live sample, so show caution.