McAfee Labs Threat Advisory
BatchWiper
December 21, 2012
Summary
BatchWiper is a Trojan that can delete every file, including user profiles, on the hard drives of compromised
machines. This Trojan uses an extremely simple attack vector: it creates BAT files and then uses them to delete
files on different drives at predefined times.
The Iranian CERT posted an advisory regarding this new disk-wiping threat, BatchWiper.
Detailed information about the threat, its propagation, and its mitigation is in the following sections:
Infection and Propagation Vectors
Characteristics and Symptoms
Restart Mechanism
Getting Help from the McAfee Foundstone Services team
Infection and Propagation Vectors
The Trojan arrives as a dropper named GrooveMonitor.exe, which is a self-extracting RAR archive.
We don’t have details about the infection vector, but based on the dropper it could be deployed using USB
drives or phishing emails.
Prevention
Users are requested to exercise caution while opening unsolicited emails and unknown links. Users are
advised to apply Windows and third-party application security patches and virus definition updates on a regular
basis and to have proper filtering rules in place.
Characteristics and Symptoms
Description
Upon execution, the Trojan (GrooveMonitor.exe) drops several files, including SLEEP.EXE, juboot.exe and
jucheck.exe, into the %system32% folder.
GrooveMonitor.exe then launches juboot.exe. This process drops juboot.bat in the %Temp% folder and opens
cmd.exe to run the juboot.bat file.
The juboot.bat file adds a registry Run entry for jucheck.exe and then starts jucheck.exe. The contents of
juboot.bat are as below.
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
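As an added example (not part of the advisory or McAfee's tooling), the following Python scans the text of a batch file for "reg add" commands that write to a Run or RunOnce autostart key, which is the persistence step juboot.bat performs above. The sample input is the juboot.bat content reproduced from this advisory; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the juboot.bat contents as shown in the advisory
# (the REG add command is a single line in the real file; the advisory wraps it).
SAMPLE_BAT = r'''@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
'''

# Autostart keys (under HKCU or HKLM) that a batch dropper writes to for persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# "reg add <key> <options...>"; cmd.exe treats the command name case-insensitively.
REG_ADD_RE = re.compile(r"^\s*reg\s+add\s+(\"[^\"]*\"|\S+)(.*)$", re.IGNORECASE)


@dataclass
class PersistenceHit:
    line_no: int     # 1-based line in the batch file
    key: str         # registry key being written
    value_name: str  # /v argument
    data: str        # /d argument, i.e. the command that will autostart


def _option(args: str, flag: str) -> str:
    """Return the argument following a REG option such as /v or /d ('' if absent)."""
    m = re.search(rf"{re.escape(flag)}\s+(?:\"([^\"]*)\"|(\S+))", args, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_run_key_persistence(batch_text: str) -> List[PersistenceHit]:
    """Report every 'reg add' in a batch script that targets a Run/RunOnce key."""
    hits: List[PersistenceHit] = []
    for n, line in enumerate(batch_text.splitlines(), start=1):
        m = REG_ADD_RE.match(line)
        if not m:
            continue
        key, args = m.group(1).strip('"'), m.group(2)
        if RUN_KEY_RE.search(key):
            hits.append(PersistenceHit(n, key, _option(args, "/v"), _option(args, "/d")))
    return hits


if __name__ == "__main__":
    for hit in find_run_key_persistence(SAMPLE_BAT):
        print(f"line {hit.line_no}: {hit.key} [{hit.value_name}] -> {hit.data}")
```

Run against a dropped .bat collected during triage, each hit gives the value name and autostart command to look for in the corresponding Run key and to remove during cleanup.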
The following registry keys have been added to the system:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "jucheck.exe"
HKEY_CURRENT_USER\Software\WinRAR SFX "C%%WINDOWS%system32%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\WINDOWS\system32\juboot.exe"
As can be seen from the registry changes, the malware maintains persistence by executing jucheck.exe
every time the system boots. No external connections to any IP address or URLs were observed. Once
jucheck.exe is executed, it creates jucheck.bat.
The jucheck.bat file deletes juboot.exe and GrooveMonitor.exe from the Start Menu folder.
The batch file then checks the system date and, if it matches one of the predefined dates, executes the
wiping routine. This routine enumerates the system's drives and deletes every file on the drives with the
letters D, E, F, G, H or I, along with the files on the logged-in user's Desktop.
Some of the dates the malware checks for are listed below.
Mon 12/10/2012
Tue 12/11/2012
Wed 12/12/2012
Mon 01/21/2013
Tue 01/22/2013
Wed 01/23/2013
Mon 05/06/2013
Tue 05/07/2013
Wed 05/08/2013
Mon 07/22/2013
Tue 07/23/2013
Wed 07/24/2013
Mon 11/11/2013
Tue 11/12/2013
Wed 11/13/2013
Mon 02/03/2014
Tue 02/04/2014
Wed 02/05/2014
Mon 05/05/2014
Tue 05/06/2014
Wed 05/07/2014
Mon 08/11/2014
Tue 08/12/2014
Wed 08/13/2014
Mon 02/02/2015
Tue 02/03/2015
Wed 02/04/2015
Clearly the malware author was thinking ahead, and this might have been stage one of a targeted attack
waiting to happen in the future.
MD5 hashes of some of the dropped files:
\WINDOWS\system32\SLEEP.EXE, MD5: ea7ed6b50a9f7b31caeea372a327bd37 (non-malicious, clean file)
\WINDOWS\system32\jucheck.exe, MD5: c4cd216112cbc5b8c046934843c579f6
\WINDOWS\system32\juboot.exe, MD5: fa0b300e671f73b3b0f7f415ccbe9d41
Mitigation
o Users are advised to update to DAT version 6930 or above in order to protect themselves against this threat.
o Keep your antivirus software up-to-date.
Restart Mechanism
Description
The registry entry below enables the Trojan to execute every time Windows starts.
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "jucheck.exe"
Prevention
o Always keep a backup of all the files on the system. Use of backup and restore software is recommended.
o Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
Mitigation
o Please disable any such Run keys manually or by using Access Protection Rules.
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure the
highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a
full range of strategic and technical consulting services that can further help to ensure you identify security
risk and build effective solutions to remediate security vulnerabilities.
You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
© 2011 McAfee, Inc. All rights reserved.