Friday, December 28, 2012

A look into the Batch Wiper virus

The Iranian CERT reported the existence of a new targeted data-wiping malware.
Although it was first thought to be another serious country-level virus, deeper analysis shows that it is a relatively simple attack.

GrooveMonitor.exe is the main file, the dropper.
Checking the file with a hex editor we notice something nice: behind the MZ stub sits a RAR signature.

Basically it is a self-extracting RAR file (an SFX executable with the archive appended).
Opening the archive we see 3 more files: jucheck.exe, juboot.exe and SLEEP.EXE.

If we look at juboot.exe in a hex editor we find the packer signature shown in the screenshot above.
The header belongs to UPX, "the Ultimate Packer for eXecutables" (http://upx.sourceforge.net).
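The two hex-editor checks above (a RAR archive appended behind an MZ stub, and UPX markers in the extracted juboot.exe) can be scripted for triage. The following is an added example and not code from the original post; the sample byte strings are constructed stand-ins, not the real GrooveMonitor.exe or juboot.exe.

```python
"""Static triage of the Batch Wiper dropper chain by byte signature.

Added example, not code from the original post. It reproduces the two
hex-editor checks described in the post: the SFX dropper carries a RAR
archive behind its MZ stub, and the extracted juboot.exe carries the UPX
packer markers. FAKE_SFX and FAKE_UPX below are constructed stand-ins.
"""

# RAR 4.x marker block and RAR 5 signature. An SFX module is a PE stub with
# the archive appended, so the marker shows up at a non-zero offset.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
# UPX leaves its version tag ("UPX!") and renames the sections UPX0/UPX1.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Classify a blob: PE header, embedded RAR (version, offset), UPX markers."""
    report = {
        "is_pe": data[:2] == b"MZ",
        "rar_version": None,
        "rar_offset": None,
        "upx_markers": {},
        "verdicts": [],
    }
    # RAR5 first: its signature shares the first six bytes with RAR4.
    for sig, version in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        hits = find_all(data, sig)
        if hits:
            report["rar_version"], report["rar_offset"] = version, hits[0]
            break
    for marker in UPX_MARKERS:
        hits = find_all(data, marker)
        if hits:
            report["upx_markers"][marker.decode()] = hits
    if report["rar_offset"] == 0:
        report["verdicts"].append("plain RAR archive")
    elif report["is_pe"] and report["rar_offset"]:
        report["verdicts"].append(
            "self-extracting RAR (archive appended at 0x%x)" % report["rar_offset"])
    if report["is_pe"] and {"UPX0", "UPX1"} <= set(report["upx_markers"]):
        report["verdicts"].append("UPX-packed PE")
    return report


def triage_file(path: str) -> dict:
    """Run triage() over a file on disk (e.g. a copy of GrooveMonitor.exe)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed stand-ins (NOT the real samples): a minimal fake MZ/PE stub with a
# RAR 4 marker block appended at offset 0x80, and a fake PE carrying UPX markers.
FAKE_SFX = (b"MZ" + b"\x90" * 0x3e + b"PE\x00\x00" + b"\x00" * 60
            + RAR4_SIG + b"\x73\x00\x00\x0d")
FAKE_UPX = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b".text"
            + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00" + b"UPX!" + b"\x0d")

if __name__ == "__main__":
    for name, blob in (("constructed-sfx", FAKE_SFX), ("constructed-upx", FAKE_UPX)):
        rep = triage(blob)
        print(name, rep["verdicts"], "rar@", rep["rar_offset"], "upx:", rep["upx_markers"])
```

A plain byte-string match is a triage hint, not proof: any file that merely contains the string "UPX0" will match, so confirm with the PE section table (or `upx -t`) and list the appended archive with `7z l` or `unrar l` before relying on the verdict.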
I then opened the file with PE Explorer, which showed that the executable is really a wrapper around a batch file with the following content:

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"


It looks like juboot.exe sleeps for 2 seconds (using the bundled SLEEP.EXE) and then adds a value under the HKCU Run key so that 'jucheck.exe' is executed each time the current user logs on, then starts jucheck.exe from %systemroot%\system32.

In the same manner, checking jucheck.exe, it is also a batch file wrapped in an executable.
The batch file is longer this time, so I'll summarize it for you; I made the source available on pastebin: http://pastebin.com/B2jKHUDH .

First it sleeps for 2 seconds, just like juboot.exe.
Then it deletes juboot.exe and the original GrooveMonitor.exe (cleaning up the dropper).
The code then checks the system date against a hard-coded list of trigger dates before doing anything destructive. The dates are:
  • 10-12/Dec/2012
  • 21-23/Jan/2013
  • 6-8/May/2013
  • 22-24/Jul/2013
  • 11-13/Nov/2013
  • 3-5/Feb/2014
  • 5-7/May/2014
  • 11-13/Aug/2014
  • 2-4/Feb/2015
On these dates it attempts to wipe the data on drives D:, E:, F:, G:, H: and I: using a plain "del /q /s /f" command (quiet, recursive, force) on each drive.

The batch then moves on and attempts to erase the user's desktop in the same way.
Finally, the batch file runs "calc" (where did this come from?).

I haven't finished messing with the samples, but as you've seen it's not a sophisticated attack: a plain batch wiper with a hard-coded calendar, and it will be easy to detect and stop before any damage is done.

If you want to look at the samples yourselves, I've made them available at http://turbobit.net/aywxvv08e83b.html

Enjoy.

4 comments:

  1. Warez sites seem to be distributing these attacks. Not sure why, but I had my windows xp wiped the other day.

    1. That is strange. Are you sure they are identical? I would love to receive a sample if possible.

    2. I am doing a project for a malware class and chose BatchWiper as my virus. I found a sample at http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html#more... It is a live sample, so show caution.

  2. Infections are a standout amongst the most excruciating and baffling to manage, and get one of these can cost a great many dollars and botch your valuable PC. Utilizing some basic and powerful tips, you can extraordinarily diminish your odds of getting an infection and keep your PC running like new.
    zepto File Virus Removal
