Symantec’s database wrecking malware is no Stuxnet, says Iran CERT

Kaspersky protects super spy cyber weapon turf.

Image credit:

A piece of malware that Symantec warned could cause "chaos" to businesses in Iran is not a major threat, according to Iran CERT, Maher, and Russian security outfit Kaspersky Lab.

Symantec last week loosely compared what it thought was a newly discovered database wrecking worm, which it named Narilam, to the more powerful Stuxnet, Flamer and Distrack (Shamoon). Symantec warned businesses in the middle east to backup their databases or risk significant disruption from the effects of the malware.

The worm seeks to manipulate certain tables in SQL databases but not steal information and was said by Symantec to have been written in the Delphi programming language.

Some subsequent media reports that suggested Narilam and Stuxnet were related prompted a clarification from Iran’s Maher on Sunday:

“The malware called "narilam" by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”

According to Kaspersky Lab, the software company likely to be the target is an Iranian firm “TarrahSystem”, which sells three software packages by the names maliran, shahd and amin -- the database names that Symantec reported the malware specifically targeted.

On Monday an alert was published on warning of the W32.Narilam threat to its customers.

“Could it be that “Narilam” targets these 3 products from TarrahSystem? Unfortunately, we do not have these three programs to check, but it’s quite likely,” Kaspersky’s threat team said.

Kaspersky Lab took issue with reports based on Symantec’s claim that Narilam was built using Delphi.

“We’ve analysed the sample and found no obvious connection with these. Duqu, Stuxnet, Flame and Gauss have all been compiled with versions of Microsoft Visual C, while Narilam was built with Borland C++ Builder 6 (and not Delphi, as other articles seem to suggest), a completely different programming tool.”

The Russian company added that the database destroyer is currently almost “extinct”.

“During the past month, we have observed just six instances of this threat,” it said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags symanteckasperskyIran CERT

More about Borland AustraliaCERT AustraliaKasperskyKasperskyMicrosoftSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts