Friday, December 28, 2012

A look into the Batch Wiper virus

The Iranian CERT reported the existence of a new targeted data wiping malware.
Although first thought as another serious  country level virus, further, deeper analysis show that it is relatively simple attack.

GrooveMonitor.exe is the main file.
Checking the file with a Hex Editor we notice something nice.

Basically its a self extracting RAR file.
Opening the archive we see 3 more files, jucheck.exe, juboot.exe and SLEEP.EXE.

If we look at juboot.exe in a hex editor we find the following signature




The header belongs to "the Ultimate Packer for eXecutables" (http://upx.sourceforge.net).
I then opened the file with PE Explorer allowing me to see that the file is basically a Bat file with the following content:

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"

It looks like justboot.exe runs sleep for 2 and then adds registry keys ensuring that 'jucheck.exe' is executed each time the computer starts up.

In the same manner, checking jucheck.exe, it is also a batch file.
The batch file is longer this time so I'll summarize it for you. I made the source is available on pastebin, http://pastebin.com/B2jKHUDH .

First sleep for 2 just like with the juboot.exe
then it deletes the juboot.exe file and the original GrooveMonitor.exe
The code then checks for specific dates to run. the dates are:
  • 10-12/Dec/2012
  • 21-23/Jan/2013
  • 6-8/May/2013
  • 22-24/Jul/2013
  • 11-13/Nov/2013
  • 3-5/Feb/2014
  • 5-7/May/2014
  • 11-13/Aug/2014
  • 2-4/Feb/2015
On these dates it attempts to wipe the data on the local drive using a simple "del /q /s /f" command on drives D, E, F, G, H and I.

The batch then moves on and attempts to erase the desktop in the same way.
Finally, the batch file runs "calc" (Where did this come from ?).

I haven't finished messing with the samples but as you've seen its not a sophisticated attack and will be easy to detect and stop before any damage is done.

If you want to look at the samples for yourselves, I've made them available at http://turbobit.net/aywxvv08e83b.html

Enjoy.
Posted by at
Labels: , , , , ,

11 comments:

  1. AnonymousMarch 28, 2013 at 8:26 AM

    Warez sites seem to be distributing these attacks. Not sure why, but I had my windows xp wiped the other day.

    ReplyDelete
    Replies
    1. CodeBetweenTheLinesMarch 28, 2013 at 12:04 PM

      That is strange. Are you sure they are identical ? I would love to receive a sample if possible.

      Delete
    2. AnonymousDecember 2, 2013 at 7:49 PM

      I am doing a project for a malware class and choose batchwiper as my virus, I found a sample at http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html#more... It is a live sample so show caution.

      Delete
  2. MarryOctober 14, 2016 at 1:41 AM

    Infections are a standout amongst the most excruciating and baffling to manage, and get one of these can cost a great many dollars and botch your valuable PC. Utilizing some basic and powerful tips, you can extraordinarily diminish your odds of getting an infection and keep your PC running like new.
    zepto File Virus Removal

    ReplyDelete
  3. Dayna ElrodNovember 14, 2017 at 3:11 AM

    Thanks for sharing the information! When I write MyAssignmentHelp testimonials I'm always afraid that my laptop shuts down from the virus and I lose all my data.

    ReplyDelete
  4. Holly AdamsDecember 6, 2021 at 4:07 AM

    Despite reading many blogs and articles, yours is the most useful. You did a very good job. Thank you so much for the information you shared. Additionally, I have a dedicated profile CPS Test where I provide more information. See it here Click Test and let me know what you think.

    ReplyDelete
  5. TomMarch 30, 2022 at 11:55 AM

    Hello everyone! If some of you need professional help with essay or homework, you can ask this guys for help! They rally know how https://topswriting.com/review/paperrater-review to do it, and you can just write to them thesis papers online and be ready for help! Good luck and have fun!

    ReplyDelete
  6. AnonymousJune 12, 2022 at 1:10 AM

    This looks good is it windows only like on https://www.quiz-griz.com/xrumer-review/

    ReplyDelete
  7. AnonymousJune 12, 2022 at 1:11 AM

    or even https://www.quiz-griz.com/xrumer-review/.

    ReplyDelete
  8. WillMillerJune 21, 2022 at 8:07 AM

    Order assignments safely at GradeMiners.com. The service is DMCA protected. We never disclose information about https://expertpaperwriter.com/papernow-org-review/ customers and payments to any third party. We foster security and work to let the world know you’re the author.

    ReplyDelete
  9. quxckwhl02December 24, 2022 at 7:55 AM

    As an experienced CNC metal machining firm, Reading Plastic can ship precision parts from aluminum, brass, copper, stainless steel and titanium. Our metal parts are machined with the identical tight tolerances and quick turnarounds our plastic parts clients rely on, nicely as|in addition to} economical processes that streamline production and decrease costs. We make the most of one of the best machining practices – including constant slicing speeds, sharp tools and strategic processes – to make sure all of our Heated Blanket metal parts meet the strictest high quality requirements. At CNC Machining, Inc., we focus on manufacturing precision machined parts for the medical, automotive, analysis, and other industries.

    ReplyDelete

Subscribe to: Post Comments (Atom)