BatchWiper is a Trojan that deletes files, including entire user profiles, from the hard drives of compromised systems. It uses an extremely simple attack vector: it creates BAT files and then uses them to delete files on different drives at predefined times.
Infection and Propagation Vectors
The Trojan comes in a dropper with the filename “GrooveMonitor.exe”, which is a self-extracting RAR file. We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives or phishing emails.
Users are requested to exercise caution while opening unsolicited emails and unknown links. Users are advised to update Windows and third-party application security patches and virus definitions on a regular basis and have proper filtering rules.
Characteristics and Symptoms
Upon execution, the Trojan (GrooveMonitor.exe) drops several files, such as SLEEP.EXE, juboot.exe and jucheck.exe, into the %system32% folder.
The GrooveMonitor.exe then creates a process for juboot.exe. This process drops juboot.bat in the %Temp% folder and opens cmd.exe which runs the juboot.bat file.
The juboot.bat file adds a registry entry for jucheck.exe and also creates a thread for jucheck.exe. The contents of juboot.bat are shown below.
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d
start "" /D"%systemroot%\system32\" "jucheck.exe"
The following registry keys have been added to the system:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “jucheck.exe”
- HKEY_CURRENT_USER\Software\WinRAR SFX "C%%WINDOWS%system32%"
As can be seen from the registry changes, the malware maintains persistence by executing jucheck.exe every time the system boots. No external connections to any IP addresses or URLs were observed. After jucheck.exe is executed, it creates jucheck.bat.
The jucheck.bat file deletes juboot.exe and GrooveMonitor.exe from the Start Menu folder. The batch file then checks the system date and, if it matches one of the predefined dates, executes the wiping routine. This routine enumerates the system's drives and deletes every file on the drives with the letters D, E, F, G, H or I, along with the files on the logged-in user’s Desktop.
Some of the dates the malware checks for are listed below.
Clearly the malware author was thinking ahead, and this might have been stage one of a targeted attack waiting to happen in the future. The MD5s of some of the dropped files are listed below.
\WINDOWS\system32\SLEEP.EXE, MD5: ea7ed6b50a9f7b31caeea372a327bd37 (non-malicious, clean file)
\WINDOWS\system32\jucheck.exe, MD5: c4cd216112cbc5b8c046934843c579f6
\WINDOWS\system32\juboot.exe, MD5: fa0b300e671f73b3b0f7f415ccbe9d41
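A defender-side check for the artifacts described above, written here as an added example (it is not McAfee's own tooling): a PowerShell script that looks for the Run-key persistence, the WinRAR SFX key left by the dropper, the dropped binaries with their reported MD5s, and the batch stagers. It assumes jucheck.bat is also written to %TEMP%, which the report does not state.

```powershell
# Added example: hunt a Windows host for the BatchWiper artifacts listed in the report.
# Requires PowerShell 4+ (Get-FileHash). The Run key is per-user, so run it in each
# user's context (or iterate HKU) to cover every profile on the machine.

# File names and MD5s from the report; SLEEP.EXE is a clean utility but out of place here.
$KnownHashes = @{
    'jucheck.exe' = 'c4cd216112cbc5b8c046934843c579f6'
    'juboot.exe'  = 'fa0b300e671f73b3b0f7f415ccbe9d41'
    'SLEEP.EXE'   = 'ea7ed6b50a9f7b31caeea372a327bd37'
}
$System32 = Join-Path $env:SystemRoot 'system32'
$Findings = @()

# 1. Persistence: a Run value named jucheck.exe and the WinRAR SFX key from the dropper.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['jucheck.exe']) {
    $Findings += "Run-key persistence: jucheck.exe -> $($run.'jucheck.exe')"
}
if (Test-Path 'HKCU:\Software\WinRAR SFX') {
    $Findings += 'Dropper artifact: HKCU\Software\WinRAR SFX key is present'
}

# 2. Dropped binaries in system32, matched first by name and then by MD5.
foreach ($name in $KnownHashes.Keys) {
    $path = Join-Path $System32 $name
    if (Test-Path $path) {
        $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        $verdict = if ($md5 -eq $KnownHashes[$name]) { 'MD5 MATCH' } else { 'name match only' }
        $Findings += "Dropped file: $path ($verdict, md5=$md5)"
    }
}

# 3. Batch stagers: juboot.bat is documented in %TEMP%; jucheck.bat there is an assumption.
foreach ($bat in @('juboot.bat', 'jucheck.bat')) {
    $path = Join-Path $env:TEMP $bat
    if (Test-Path $path) { $Findings += "Batch stager: $path" }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No BatchWiper indicators found.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

A name match without a hash match still deserves a look, since the report only gives MD5s for the samples it analysed.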
Keep your antivirus software up-to-date.
The Run registry entry listed above enables the Trojan to execute every time Windows starts.
Always keep a backup of all the files on the system. Use of backup and restore software is recommended.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
Disable any such Run keys manually or by using Access Protection Rules.
(c) The above article is based on the report from McAfee Security Labs.