RSA Admin

Narilam Trojan: A New Destructive Malware

Discussion created by RSA Admin Employee on Dec 10, 2012

Yet another attack against Iran, this one primarily targeting the Microsoft SQL Server databases of some financial software. This attack has been named Narilam because one of the financial applications it targets is called Maliran.

McAfee Labs have analyzed several samples of this malware, one of which was about 2MB. From the binaries’ headers, it looks as though this attack has been going on for a while: The Trojan was compiled with Borland C++ in 2010.

One sample, first seen in June 2012, has a timestamp of July 2002.

Although these headers could have been faked, while analyzing the code McAfee found the date April 25, 2010, which leads them to believe that this threat has existed for more than two years.

All the financial and banking software targeted by this malware are products of the Iranian company Tarrah Systems, which issued a warning on its website about W32.Narilam a couple of days ago. The company asked its customers to use the backups of their databases if they are using the targeted products.

Analysis of several similar samples of this malware suggests that the code was written to corrupt and delete databases accessed by this software, thereby causing potential financial losses to users. Possible targets of Narilam are corporations and banks that are likely to have these applications installed.
