Batchwiper malware wipes disk partitions on Iranian computers

Iranian computer systems have been hit with another bout of damage, this time from the malware Batchwiper, which, as its name suggests, infects a computer and promptly proceeds to wipe its disk partitions and user profile directories. The attack is said to be simplistic and is designed to only wipe data on specific dates, with the next one being January 21. Thus far, how the malware is spreading to machines is unknown.

Batchwiper shows up in Task Manager as the legitimate process GrooveMonitor.exe, which then kicks off additional processes under juboot.exe, jucheck.exe, WmiPrv.exe, and SLEEP.EXE. There are no reports of this malware out in the wild, according to Kaspersky Lab, and as of now, no one is sure how the infection is jumping from machine to machine.

Some speculate that the malware is transferred via external drives, such as flash drives, while others say it could be spread via insiders with access to the machines, or as part of another attack. Specifically, Batchwiper purges the data on all disk partitions labelled "D" through "I," as well as the desktop contents of the user unfortunate enough to log on during the infection's rampage. This comes after other attacks Iran has been dealt, including Flame.

An Iranian CERT advisory stated, in part: "Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks."

[via ars technica]