
Trojan.Batchwiper Reported in Iran

Created: 16 Dec 2012 21:30:57 GMT • Updated: 23 Jan 2014 18:10:57 GMT

On December 16, 2012, CERTCC-IR posted an advisory regarding a new threat, Trojan.Batchwiper, that wipes disks. We have recovered samples matching the hashes mentioned in their advisory and, based on preliminary analysis, can confirm their findings.

The samples are not sophisticated: they wipe any drive assigned a letter from D through I, along with files on the currently logged-in user’s Desktop. After deletion, the threat runs Chkdsk on the drives. The wiping only occurs on the following dates:

  • 12/10/2012
  • 12/11/2012
  • 12/12/2012
  • 01/21/2013
  • 01/22/2013
  • 01/23/2013
  • 05/06/2013
  • 05/07/2013
  • 05/08/2013
  • 07/22/2013
  • 07/23/2013
  • 07/24/2013
  • 11/11/2013
  • 11/12/2013
  • 11/13/2013
  • 02/03/2014
  • 02/04/2014
  • 02/05/2014
  • 05/05/2014
  • 05/06/2014
  • 05/07/2014
  • 08/11/2014
  • 08/12/2014
  • 08/13/2014
  • 02/02/2015
  • 02/03/2015
  • 02/04/2015

The threat has no visible connection to Stuxnet, Flamer, or Gauss based on preliminary analysis. Symantec is still conducting analysis of the binaries and will post updates, if necessary.
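For retrospective hunting, the behaviour described above (Chkdsk run against drives D through I on the listed dates) can be checked against process-creation records. The following is an added example, not Symantec's or CERTCC-IR's code; the log record format, host names and the exact Chkdsk command-line forms are assumptions, and timestamps are assumed to be in the host's local time.

```python
import re
from datetime import datetime, timedelta

# Trigger dates exactly as listed in the advisory (MM/DD/YYYY).
TRIGGER_DATES = """12/10/2012 12/11/2012 12/12/2012 01/21/2013 01/22/2013 01/23/2013
05/06/2013 05/07/2013 05/08/2013 07/22/2013 07/23/2013 07/24/2013
11/11/2013 11/12/2013 11/13/2013 02/03/2014 02/04/2014 02/05/2014
05/05/2014 05/06/2014 05/07/2014 08/11/2014 08/12/2014 08/13/2014
02/02/2015 02/03/2015 02/04/2015""".split()

def trigger_windows(raw=TRIGGER_DATES):
    """Collapse the listed dates into contiguous (start, end) windows."""
    days = sorted(datetime.strptime(d, "%m/%d/%Y").date() for d in raw)
    windows = []
    for d in days:
        if windows and d - windows[-1][1] == timedelta(days=1):
            windows[-1][1] = d          # extends the current window by one day
        else:
            windows.append([d, d])      # gap found: start a new window
    return [tuple(w) for w in windows]

# chkdsk invoked against one of the drive letters the advisory names (D through I).
CHKDSK_RE = re.compile(r"\bchkdsk(?:\.exe)?\b[^\n]*?\b([D-I]):", re.IGNORECASE)

def hunt(log_lines):
    """Return (host, date, drive) for chkdsk runs on D:-I: inside a trigger window."""
    windows = trigger_windows()
    hits = []
    for line in log_lines:
        ts, host, cmdline = line.split(" ", 2)
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        m = CHKDSK_RE.search(cmdline)
        if m and any(start <= day <= end for start, end in windows):
            hits.append((host, day.isoformat(), m.group(1).upper()))
    return hits

# Constructed sample records (hypothetical format): "<ISO timestamp> <host> <command line>".
SAMPLE_LOG = [
    "2013-01-22T09:14:03 WS-017 cmd.exe /c chkdsk E:",
    "2013-01-22T09:14:09 WS-017 cmd.exe /c chkdsk F:",
    "2013-01-25T11:02:44 WS-017 chkdsk.exe D: /f",        # outside any window
    "2013-05-07T08:30:10 WS-102 chkdsk C:",                # drive not in D-I
    "2014-08-12T07:55:00 SRV-03 C:\\Windows\\System32\\chkdsk.exe h:",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A hit is only a lead: Chkdsk is a legitimate tool, so matches should be correlated with file-loss reports on the same host before being treated as evidence of the threat.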

Update [December 17, 2012] – Added technical details for Trojan.Batchwiper