Destructive malware attacking Iranian computers

Cyber sabotage.

A simple batch-file malware converted to a binary executable is reported to be attacking computers in Iran, wiping files on specific dates.

According to security firm Kaspersky, the Maher Centre, Iran's equivalent of a Computer Emergency Response Team (CERT), reported the malware on Sunday, identifying it as Groovemonitor.exe and four other executable files.

No details as to how the malware spreads or its possible provenance were given.

Kaspersky researcher Roel Schouwenberg called the malware "as basic as it gets", adding that "if it [were] effective, that doesn't matter."

Schouwenberg said that the malware comprises Windows batch files that have been put through a software tool to turn them into Windows Portable Executable format programs.

The malware is set to trigger on dates in 2012, 2013 and 2014 and when it does, it attempts to delete all files on drives D: through to I:, Michael Mimoso of Kaspersky's Threatpost blog writes.

Due to the malware author using old code aimed at 16-bit computers, one file in the malware won't run on machines running 64-bit variants of the Windows operating system.

Kaspersky researchers said the new malware doesn't appear to have anything in common with previous file-deleting attacks, such as Shamoon, which recently wiped some 30,000 workstations at Saudi Arabia's Aramco oil producing facility.
