, , ,

BatchWiper is a Trojan that can delete every file and user profiles on the hard drive of compromised users. This Trojan uses an extremely simple attack vector of creating BAT files and then using them to delete files on different drivers at predefined times.


Infection and Propagation Vectors

The Trojan comes in a dropper with the filename “GrooveMonitor.exe” which is a self-extracting RAR file. We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives or phishing emails.


Users are requested to exercise caution while opening unsolicited emails and unknown links. Users are advised to update Windows and third-party application security patches and virus definitions on a regular basis and have proper filtering rules.

Characteristics and Symptoms


Upon execution, the Trojan (GrooveMonitor.exe) drops several files like SLEEP.EXE, juboot.exe, jucheck.exe in the %system32% folder.

The GrooveMonitor.exe then creates a process for juboot.exe. This process drops juboot.bat in the %Temp% folder and opens cmd.exe which runs the juboot.bat file.

The juboot.bat file adds registry entry for jucheck.exe and also creates a thread for jucheck.exe. The contents of juboot.bat are as below.

@echo off & setlocal

sleep for 2

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d

“%systemroot%\system32\jucheck.exe” /f

start “” /D”%systemroot%\system32\” “jucheck.exe”


The following registry keys have been added to the system:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “jucheck.exe”
  • HKEY_CURRENT_USER\Software\WinRAR SFX “C%%WINDOWS%system32%”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache


As can be seen from the registry changes the malware maintains persistence by executing the jucheck.exe file every time the system boots. No external connections to any IP address or URLs were observed. After jucheck.exe is executed it creates jucheck.bat.


The jucheck.bat deletes juboot.exe and GrooveMonitor.exe from the Start Menu folder. Then the bat files checks the system date and if it matches one of the predefined dates it executes the wiping routine. This routine checks for system drives and it then deletes every file on those drives with the drive letters D,E,F,G,H or I, along with files on a logged-in user’s Desktop.

Some of the dates the malware checks for are listed below.

Mon 12/10/2012

Tue 12/11/2012

Wed 12/12/2012

Mon 01/21/2013

Tue 01/22/2013

Wed 01/23/2013

Mon 05/06/2013

Tue 05/07/2013

Wed 05/08/2013

Mon 07/22/2013

Tue 07/23/2013

Wed 07/24/2013

Mon 11/11/2013

Tue 11/12/2013

Wed 11/13/2013

Mon 02/03/2014

Tue 02/04/2014

Wed 02/05/2014

Mon 05/05/2014

Tue 05/06/2014

Wed 05/07/2014

Mon 08/11/2014

Tue 08/12/2014

Wed 08/13/2014

Mon 02/02/2015

Tue 02/03/2015

Wed 02/04/2015

Clearly the malware author was thinking ahead and this might have been stage one of a targeted attack waiting to happen in the future. MD5s of some files that are dropped.

\WINDOWS\system32\SLEEP.EXE, Md5: ea7ed6b50a9f7b31caeea372a327bd37 ( non-Malicious, clean file)

\WINDOWS\system32\jucheck.exe, Md5: c4cd216112cbc5b8c046934843c579f6

\WINDOWS\system32\juboot.exe, Md5: fa0b300e671f73b3b0f7f415ccbe9d41


Keep your antivirus software up-to-date.


Restart Mechanism


The below registry entry would enable the Trojan to execute every time when windows starts.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “jucheck.exe”


Always keep a backup of all the files on the system. Use of backup and restore software is recommended.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.


Please disable any such Run keys manually of using Access Protection Rules.




(c) Above article is based on the report from Mcafee security Labs