Iran facing fresh threat from newly unleashed malware

International Business Times reports that the "targeted data-wiping malware" can wipe data from infected computers • Identified as "GrooveMonitor.exe," it avoids anti-virus programs by disguising itself as a Microsoft Office 2007 program.

Photo: Reuters // "There's no connection to any of the previous wiper-like attacks we have seen. We also don't have any reports of this malware from the wild," says a senior researcher at Kaspersky Lab. [Illustrative]

Iranian computers are facing an updated threat from a "targeted data-wiping malware" program dubbed Batchwiper, the International Business Times reported on Tuesday.

According to the report, while the virus appears to be less damaging than previous computer viruses found in Iranian systems, it does have the ability to erase data from infected computers.

Iran's Computer Emergency Response Team Coordination Center issued a statement saying the malware had apparently been present in the country's computers for at least two months.

"Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the center said in a statement.

According to the International Business Times, the malware slips into computers without being noticed by anti-virus programs because it is disguised as a genuine Microsoft Office 2007 component, MS Office Groove. The malware installer, also known as a dropper, has been identified as "GrooveMonitor.exe," along with four other similar malware installers.
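The disguise described above works because the file carries the name of a legitimate Office component. A check a defender can run against a host's file inventory is to flag any file with such a name that sits outside the directory where the real component is installed. The following is an added example, not code from the article or from any of the firms it quotes; the inventory lines are constructed sample data, and the expected Office 2007 install directories are an assumption about a default installation.

```python
"""Flag Office-component file names that appear outside the expected install directory.

Added example, not from the article. The inventory below is constructed sample data;
the expected directories are an assumption about a default Office 2007 install.
"""

from pathlib import PureWindowsPath

# Assumed legitimate locations for the Office 2007 component the article names.
# Paths are compared case-insensitively.
EXPECTED_DIRS = {
    "groovemonitor.exe": {
        r"c:\program files\microsoft office\office12",
        r"c:\program files (x86)\microsoft office\office12",
    },
}


def is_masquerading(path: str) -> bool:
    """Return True when the file name matches a known component name but the
    directory is not one of the expected install directories for it."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False  # not a name we track; nothing to compare against
    return str(p.parent).lower() not in EXPECTED_DIRS[name]


def find_suspicious(inventory):
    """Return the inventory entries that fail the location check."""
    return [entry for entry in inventory if is_masquerading(entry)]


# Constructed sample inventory: one legitimate copy, one copy in a user temp
# directory (the kind of location a dropper would write to), one unrelated file.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe",
    r"C:\Users\alice\AppData\Local\Temp\GrooveMonitor.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_INVENTORY):
        print("suspicious location:", hit)
```

On the sample inventory only the copy under the user's temp directory is reported; the copy in the Office12 directory and the unrelated file pass. A name-and-path check of this kind catches the masquerade the article describes, but it is a first filter only: a file in the right place can still be replaced, so signature and hash verification belong alongside it.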

The malware erases data from hard drive partitions whose drive letters run from D through I.

"Primitive analysis revealed that this malware wipes files on different drives at various predefined times. This targeted attack is simple in design and shows no similarity to other sophisticated targeted attacks," said the center.

A representative of anti-virus security firm AlienVault confirmed the presence of the malware and told the International Business Times, "We don't have details about the infection vector but based on the dropper it could be deployed using USB drives, internal actors, SpearPhishing or probably as the second stage of a targeted intrusion," adding that the code of the malware was "very simple."

The malware is designed in such a way that it kicks off its destruction on a specific date; the next one is scheduled to start on Jan. 21.

"There's no connection to any of the previous wiper-like attacks we have seen. We also don't have any reports of this malware from the wild," a senior researcher at Kaspersky Lab, Roel Schouwenberg, wrote in a blog post.

"The destructive payload is very simple," continued Schouwenberg. "The malware checks if the date matches with a number of predefined dates. If the date matches, it will wait for 50 minutes and then try to delete all files from drive D through I. It will also wipe all files from the user's desktop."

Iran has been the target of at least two highly publicized cyberattacks in recent months, allegedly launched by its Western adversaries over Tehran's controversial nuclear program.
