Hard Drive Destruction

New computer virus wiping Iranian hard drives

December 17, 2012

A mysterious new computer virus has infected Iranian computers and is completely wiping users’ hard drives, according to Iranian officials.

The "efficient" virus is said to "wipe files on different drives in various predefined times" and cannot be detected by anti-virus software, Iran’s official Information Technology Organization revealed in a statement over the weekend.

The malware does not appear to be as sophisticated as previous viruses that have targeted computers governing Iran’s nuclear program, according to the statement.

However, the website Ars Technica reported that the virus bears similarities to previous programs used to spy on Iran:

"Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it's executed, according to security researchers who independently confirmed the findings. The reports come seven months after an investigation into another wiper program targeting the region led to the discovery of Flame, the highly sophisticated espionage malware reportedly designed by the US and Israel to spy on Iran. Wiper, as the earlier wiping program is known, shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said."

The latest virus "is not considered to be widely distributed," according to the statement released by Maher, Iran’s Computer Emergency Response Team Coordination Center.

"This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks," according to the statement.

Separate reports indicate that the virus may have been deleting files for more than a week.

"According to Symantec, the batch file is programmed to wipe drives only on certain dates, with the next one being Jan. 21," Ars Technica reported. "Previous dates listed in the file include Dec. 11, 12, and 13, suggesting the malware campaign may have been active for the past week and may already have inflicted damage."

The virus is also reportedly capable of remaining on a person’s system after the system has been fully rebooted.
