Newly Discovered Malware Targets Iran, Modifies Microsoft SQL Databases

The Narilam worm looks for certain Persian words in databases and changes them.
Posted November 26, 2012

Cynthia Harvey

Security vendor Symantec is warning of a newly discovered piece of malware that is targeting corporate databases in the Middle East, specifically Iran. The worm, called "Narilam," looks for particular words in Microsoft SQL databases and overwrites them.

Symantec's blog explained, "Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough, what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd."

Computerworld's Jeremy Kirk noted, "Interestingly, Narilam shares some similarities with Stuxnet, the malware targeted at Iran that disrupted its uranium refinement capabilities by interfering with industrial software that ran its centrifuges. Like Stuxnet, Narilam is also a worm, spreading through removable drives and network file shares, [Symantec's Shunichi] Imano wrote. Once on a machine, it looks for Microsoft SQL databases. It then hunts for specific words in the SQL database -- some of which are in Persian, Iran's main language -- and replaces items in the database with random values or deletes certain fields. Some of the words include 'hesabjari,' which means current account; 'pasandaz,' which means savings; and 'asnad,' which means financial bond, Imano wrote."

PCMag's Fahmida Y. Rashid reported, "The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan, although infections have been reported in the United States and the United Kingdom. The malware appeared to have been created between 2009 and 2010, according to Kaspersky Lab's Global Research and Analysis Team. While 'about 80 incidents' have been recorded over the past two years, the fact that just six infections were reported in the past month suggests the malware is 'probably almost extinct,' the researchers wrote on SecureList."

The Register quoted Iran's Computer Emergency Response Team, which dismissed the threat, saying, "The malware called 'Narilam' by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers."

Tags: Symantec, malware, Iran, Stuxnet, Microsoft SQL

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.