Trojan.Batchwiper Reported in Iran

On December 16, 2012, CERTCC-IR posted an advisory regarding a new threat, Trojan.Batchwiper, that wipes disks. We have recovered samples matching the hashes mentioned in their advisory and, based on preliminary analysis, can confirm their findings.

The samples are not sophisticated and will wipe any drives assigned the drive letters D through I, along with files on the currently logged-in user’s Desktop. After deletion, the threat runs Chkdsk on the drives. The wiping will only occur on the following dates:

  • 12/10/2012
  • 12/11/2012
  • 12/12/2012
  • 01/21/2013
  • 01/22/2013
  • 01/23/2013
  • 05/06/2013
  • 05/07/2013
  • 05/08/2013
  • 07/22/2013
  • 07/23/2013
  • 07/24/2013
  • 11/11/2013
  • 11/12/2013
  • 11/13/2013
  • 02/03/2014
  • 02/04/2014
  • 02/05/2014
  • 05/05/2014
  • 05/06/2014
  • 05/07/2014
  • 08/11/2014
  • 08/12/2014
  • 08/13/2014
  • 02/02/2015
  • 02/03/2015
  • 02/04/2015
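For incident-response planning, the dates above can be collapsed into trigger windows and compared against a reference date. The following is an added example, not code from the advisory or from the threat itself; the function names and the reference date used are assumptions chosen for illustration. Note that the dates are written month-first, and entries such as 01/21/2013 cannot be read day-first.

```python
from datetime import date, datetime, timedelta

# Trigger dates copied from the list above (written month/day/year).
TRIGGER_DATES = """
12/10/2012 12/11/2012 12/12/2012 01/21/2013 01/22/2013 01/23/2013
05/06/2013 05/07/2013 05/08/2013 07/22/2013 07/23/2013 07/24/2013
11/11/2013 11/12/2013 11/13/2013 02/03/2014 02/04/2014 02/05/2014
05/05/2014 05/06/2014 05/07/2014 08/11/2014 08/12/2014 08/13/2014
02/02/2015 02/03/2015 02/04/2015
""".split()

def parse_dates(tokens):
    """Parse month-first dates; a day-first format fails on e.g. 01/21/2013."""
    return sorted(datetime.strptime(t, "%m/%d/%Y").date() for t in tokens)

def windows(dates):
    """Merge runs of consecutive days into (first_day, last_day) windows."""
    out = []
    for d in dates:
        if out and d - out[-1][1] == timedelta(days=1):
            out[-1] = (out[-1][0], d)   # extend the current window
        else:
            out.append((d, d))          # start a new window
    return out

def status(today, wins):
    """Return ('active', window), ('upcoming', window, days_left) or ('expired',)."""
    for first, last in wins:
        if first <= today <= last:
            return ("active", (first, last))
        if today < first:
            return ("upcoming", (first, last), (first - today).days)
    return ("expired",)

WINDOWS = windows(parse_dates(TRIGGER_DATES))

if __name__ == "__main__":
    for first, last in WINDOWS:
        print(f"{first:%a %Y-%m-%d} .. {last:%a %Y-%m-%d}")
    # Reference date is an assumption: the day of the update note below.
    print(status(date(2012, 12, 17), WINDOWS))
```

The system clock of an affected host, not the analyst's clock, is what matters when deciding whether a window is active.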

The threat has no visible connection to Stuxnet, Flamer, or Gauss based on preliminary analysis. Symantec is still conducting analysis of the binaries and will post updates, if necessary.

Update [December 17, 2012] – Added technical details for Trojan.Batchwiper