Security vendor Symantec is warning of a newly discovered piece of malware that is targeting corporate databases in the Middle East, specifically Iran. The worm, called “Narilam,” looks for particular words in Microsoft SQL databases and overwrites them.
Symantec’s blog explained, “Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough, what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.”
Computerworld’s Jeremy Kirk noted, “Interestingly, Narilam shares some similarities with Stuxnet, the malware targeted at Iran that disrupted its uranium refinement capabilities by interfering with industrial software that ran its centrifuges. Like Stuxnet, Narilam is also a worm, spreading through removable drives and network file shares, [Symantec’s Shunichi] Imano wrote. Once on a machine, it looks for Microsoft SQL databases. It then hunts for specific words in the SQL database — some of which are in Persian, Iran’s main language — and replaces items in the database with random values or deletes certain fields. Some of the words include ‘hesabjari,’ which means current account; ‘pasandaz,’ which means savings; and ‘asnad,’ which means financial bond, Imano wrote.”
PCMag’s Fahmida Y. Rashid reported, “The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan, although infections have been reported in the United States and the United Kingdom. The malware appeared to have been created between 2009 and 2010, according to Kaspersky Lab’s Global Research and Analysis Team. While ‘about 80 incidents’ have been recorded over the past two years, the fact that just six infections were reported in the past month suggests the malware is ‘probably almost extinct,’ the researchers wrote on SecureList.”
The Register quoted Iran’s Computer Emergency Response Team, which dismissed the threat, saying, “The malware called ‘Narilam’ by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”