Targeted malware attacks SQL databases

Details on Narilam were published last week by Symantec. While Symantec does not specifically connect this malware to the cyberweapons Stuxnet and Flame, it does nevertheless make the comparison: “All of these threats can badly disrupt the activities of those affected.” Like Stuxnet, Shamoon and Flame, Narilam seems to primarily target Iran.

Symantec makes the point that Narilam is fairly standard malware, “even written using Delphi,” but that “what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB.” Narilam is designed to destroy rather than steal data from databases named alim, maliran, and shahd: it replaces some data with random values and destroys other tables.

The databases concerned are unlikely to be found on home computers. Narilam is thus targeted malware specifically aimed at Iranian corporations. It can be seen as a cyberweapon, but without the sophistication of the Stuxnet family. Nevertheless, it has the potential to cause serious damage to companies without adequate backups. “Unless appropriate backups are in place,” warns Symantec, “the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”
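Since Symantec's warning hinges on whether backups exist, here is an added defensive check (not code from the Symantec or Maher reports) that a DBA could run on the SQL Server instance hosting the affected accounting software: it lists the three database names reported in the article and the age of their last full backup. The 24-hour staleness threshold is an assumed policy value.

```sql
-- Added example: report the last full backup of the databases Narilam is
-- reported to target. Database names come from the article; the 24-hour
-- threshold is an assumption and should match local backup policy.
SELECT d.name AS database_name,
       MAX(b.backup_finish_date) AS last_full_backup,
       CASE
           WHEN MAX(b.backup_finish_date) IS NULL THEN 'NO FULL BACKUP'
           WHEN MAX(b.backup_finish_date) < DATEADD(hour, -24, GETDATE()) THEN 'STALE'
           ELSE 'OK'
       END AS backup_status
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name
      AND b.type = 'D'          -- 'D' = full database backup
WHERE d.name IN ('alim', 'maliran', 'shahd')
GROUP BY d.name
ORDER BY d.name;
```

A row marked STALE or NO FULL BACKUP is exactly the situation Symantec describes as a long road to recovery; verify the listed backups are stored off the host, since the malware writes to the database through the server itself.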

Maher, the Iranian national CERT, is less concerned, suggesting it was 'previously detected and reported online in 2010.' “This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company.” In fact, Maher suggests that it is an attack on the reputation of that software company rather than a serious threat to the Iranian infrastructure. “This is not a threat for general users and need no special care. Only the customers of those accounting software could make backup of their database and scan their system by updated antivirus products,” it suggests.
