There is some new malware that appears to try to modify corporate databases especially in the Middle East.
While the malware is also showing up in other parts of the world, W32.Narilam first discovered Nov. 15 follows a similar pattern of other worms by copying itself onto infected machines, adding registry keys and propagating through removable drives and network shares, said researchers at Symantec.
“What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.
Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.
“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano said. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.
The overall infection rate is low at the moment, but those whose networks do not have the proper protection could see business disrupted, Imano said.
“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database,” he said. “As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”