Symantec is warning of a new bit of malware that appears to be modifying corporate databases, particularly in the Middle East, though it's showing up elsewhere in the world too.
W32.Narilam, first discovered Nov. 15, follows a similar pattern to other worms by copying itself onto infected machines, adding registry keys and propagating through removable drives and network shares. “What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.
Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.
“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano wrote. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”
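As an added defensive example (not from Symantec's post and not the worm's own code), the following SQL Server DDL trigger records every DROP TABLE in a database and rolls back drops of the three table names the worm is reported to delete; the audit table and trigger names are assumptions, and it would be created in each of the targeted databases (alim, maliran, shahd).

```sql
-- Added example, not from the article. Creates an audit table and a
-- database-scoped DDL trigger that logs DROP TABLE events and rejects drops
-- of the tables W32.Narilam is reported to delete. Names are assumptions.
CREATE TABLE dbo.ddl_audit (
    event_time  DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name  SYSNAME       NOT NULL,
    host_name   SYSNAME       NULL,
    object_name SYSNAME       NOT NULL,
    blocked     BIT           NOT NULL,
    tsql        NVARCHAR(MAX) NULL
);
GO

CREATE TRIGGER trg_audit_drop_table
ON DATABASE
FOR DROP_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ev  XML = EVENTDATA();
    DECLARE @obj SYSNAME =
        @ev.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname');
    DECLARE @sql NVARCHAR(MAX) =
        @ev.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    -- Tables the article says the worm deletes (comparison is case-insensitive
    -- under the default collations).
    DECLARE @blocked BIT =
        CASE WHEN @obj IN ('A_Sellers', 'person', 'Kalamast') THEN 1 ELSE 0 END;

    -- ROLLBACK first: it undoes the DROP TABLE, and the statements after it run
    -- outside the rolled-back transaction, so the audit row still persists.
    IF @blocked = 1
        ROLLBACK;

    INSERT INTO dbo.ddl_audit (login_name, host_name, object_name, blocked, tsql)
    VALUES (ORIGINAL_LOGIN(), HOST_NAME(), @obj, @blocked, @sql);

    IF @blocked = 1
        RAISERROR('DROP TABLE %s rejected by trg_audit_drop_table', 16, 1, @obj);
END;
GO
```

A login with rights to alter database DDL triggers can simply disable this, so it is an audit source and a speed bump for the OLEDB account the worm uses, not a substitute for least-privilege database accounts and the backups the article goes on to stress.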
The overall infection rate is low at the moment, but those whose networks are not properly protected could see business disrupted, Imano said.
“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”