
Symantec discovers new malware destroying Iranian data

Symantec has discovered a new piece of malware that is mainly attacking Iranian businesses.

The worm, called W32.Narilam, infiltrates, modifies and destroys financial data in Microsoft SQL databases. It has affected a large number of Symantec's Iranian business clients, but has also been detected in the UK and US.

It searches for specific words in a database, such as "Holiday," "BankCheck" and "REFcheck," and either deletes them or replaces them with random terms.

According to a blog post by Symantec's Shunichi Imano, Narilam is designed to disrupt, not steal, data.

Narilam does not currently pose a threat to home users, since the type of database it targets is one usually employed by businesses, Imano said.

"The affected organization will likely suffer significant disruption and even financial loss while restoring the database," wrote Imano. "As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them."

"Symantec users with the latest definitions are protected from W32.Narilam; however, we strongly recommend that important databases be backed up regularly," he continued.

Narilam is said to share some similarities with Stuxnet, the malware that attacked Iran and disrupted its nuclear program.