A computer virus that in April this year erased hard disks and shut down systems in an attack on Iran's Oil Ministry bears some resemblance to the nation-state sponsored Duqu and Stuxnet malware, according to anti-virus firm Kaspersky Labs.
On its SecureList blog, Kaspersky Labs noted that the Wiper virus used file names common to Duqu and Stuxnet, and speculated on that basis that the three destructive computer programs were related.
Although the actual provenance of the malware was yet to be fully ascertained, Kaspersky believed Stuxnet and Duqu to be the work of a government.
The International Telecommunications Union (ITU) asked Kaspersky Labs to analyse the Iranian attacks and work out the extent of the damage.
However, Kaspersky had not received any Wiper virus samples, and as the malware used an elaborate and effective technique to erase the hard drives on which it resided, "almost nothing was left" after its activation.
However, by sifting through the remains of data on the wiped disks, Kaspersky Labs recovered a copy of the Windows Registry system settings database. In the Registry hive, Kaspersky discovered a service that created file names similar in naming format to those written by the Duqu malware.
Wiper isn't related to Flame, another piece of malware discovered by Kaspersky that spread in Middle Eastern countries, but mostly in Iran.
Flame could record sound, keyboard strokes and network traffic, and also take screenshots. It would also attempt to grab information from nearby Bluetooth-enabled devices.
Flame's controllers wiped it from the infected systems, removing all traces of it.
Kaspersky Labs said there is no doubt that Wiper existed, attacking computers in Iran and maybe elsewhere in the world.
However, "the malware was so well written that once it was activated, no data survived," the firm said.
Due to this, Wiper remains unknown and Kaspersky has been unable to create detection for it.