Iran plays down Narilam worm threat

By on
Iran plays down Narilam worm threat

Malware sabotages business databases.

Iranian authorities have played down the impact of the Narilam worm discovered sabotaging business databases within systems located in the Middle East.

The Maher cyber security centre said in a translated statement Narilam affected a limited number of products owned by an Iranian software company reported to be TarrahSystem.

"The Iranian national Cert announces that the initial investigations shows some misunderstanding about the recent malware," the translated statement read.

"This malware has no sign [that it is] a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company."

Symantec researchers found instances of the Narilam worm modifying and deleting data stored in Microsoft SQL databases. It did not steal data.

Narilam primarily targeted Windows-based databases used by Iranian organisations for customer management and accounting. Instances of the worm were thought to have begun spreading since 2009.

Symantec principal security response manager Vikram Thakur told SC Narilam did not look like a creation of nation-state attackers. 

"On a technical level, Narilam is very straightforward," Thakur said.

Narilam infections were thought to be in the hundreds and an even smaller number of cases have popped up in the US and Britain over the last couple of months.

Restoring assets was challenging given the malware's ability to sabotage systems. More than 97 percent of victims were business users, Symantec's said.

Kaspersky  also confirmed the research.

"Considering compilation timestamps and early reports, Narilam is a rather old threat that was probably deployed during late 2009 and mid-2010," it wrote in a blog.

"Its purpose was to corrupt databases of three financial applications from [an Iranian company named] TarrahSystem, namely Maliran, Amin and Shahd. Several variants appear to have been created, but all of them have the same functionality and method of replication."

Over the past month, Kaspersky detected six cases of the threat.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?