W32.Narilam

Posted: November 16, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 86
First Seen: November 16, 2012
OS(es) Affected: Windows

Following close on the heels of industrial saboteurs like Stuxnet and the Flame Virus, W32.Narilam is a worm designed to destroy sensitive financial information by replacing specific database entries with random data and deleting some types of tables (based on their names). Unlike most PC threats that target financial institutions, W32.Narilam doesn't appear to have any functions that would allow it to steal information, although this deficiency scarcely makes it less of a threat than a typical spyware program. Backing up your business information will allow you to restore information that's lost to W32.Narilam's attacks, and SpywareRemove.com malware researchers especially recommend using anti-malware programs to remove W32.Narilam (which bears the hallmarks of sophisticated and well-funded Trojan design) from your computer.

How to Keep W32.Narilam from Wriggling Its Way to Your Computer

Speculation by various authorities in the PC security industry holds that W32.Narilam was designed by a government-funded team of coders for the purpose of damaging Iranian government and business financial operations. While this may or may not be the case, SpywareRemove.com malware experts have noted the many similarities between W32.Narilam and other well-designed malware, such as Flame and Stuxnet, that were built to compromise industrial and government targets.

Foremost among these similarities, W32.Narilam distributes itself with the standard worm tactic of creating hidden copies of itself on removable drives, such as USB devices. These copies are installed on any new computer to which the infected device is connected, and SpywareRemove.com malware researchers recommend that you avoid sharing removable drives until you're certain that you've eliminated a W32.Narilam infection.

W32.Narilam can afflict most versions of Windows and is, unsurprisingly, targeted mainly at Iran. However, small numbers of W32.Narilam infections have also been seen in the United States.

The Holes that W32.Narilam Burrows Through Your Data

W32.Narilam, in a callback to the earliest designs of malware, is built for destructive purposes rather than profitable ones – instead of stealing personal information, W32.Narilam sets out to destroy it by deleting values or replacing them with random numbers. SpywareRemove.com malware experts have found that W32.Narilam's functions are heavily based on identifying targets by text strings and names, such as the following:

  • Tables with the names 'A_Sellers', 'Kalamast' and 'person' may be deleted entirely.
  • Some of the values that W32.Narilam may change at random include: 'A_TranSanj.Tranid', 'Asnad.FirstNo', 'Asnad.LastNo', 'Asnad.SanadNo', 'bankcheck.state', 'buyername.Buyername', 'End_Hesab.Az', 'Kalabuy.Serial', 'Kalasales.Serial', 'Pasandaz.Code' and 'sath.lengths'.
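
To decide which data to back up first, the names listed above can be checked against a database's own schema. The following is an added example, not code from SpywareRemove.com or from the worm's analysis: it assumes SQLite as a stand-in for the business database, assumes case-insensitive name matching, and uses a constructed sample schema.

```python
import sqlite3

# Names taken from the list above; case-insensitive matching is an assumption.
DROP_TABLES = {"a_sellers", "kalamast", "person"}
OVERWRITE_COLUMNS = {
    "a_transanj.tranid", "asnad.firstno", "asnad.lastno", "asnad.sanadno",
    "bankcheck.state", "buyername.buyername", "end_hesab.az",
    "kalabuy.serial", "kalasales.serial", "pasandaz.code", "sath.lengths",
}

def audit_schema(conn):
    """Return sorted (object, risk) pairs for schema objects named in the list."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        if table.lower() in DROP_TABLES:
            findings.append((table, "table may be deleted"))
        # PRAGMA does not accept bound parameters, so quote the identifier.
        quoted = '"' + table.replace('"', '""') + '"'
        for col in conn.execute(f"PRAGMA table_info({quoted})"):
            name = f"{table}.{col[1]}"  # col[1] is the column name
            if name.lower() in OVERWRITE_COLUMNS:
                findings.append((name, "values may be overwritten"))
    return sorted(findings)

def build_sample():
    """Constructed sample schema, not a real accounting database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Asnad (id INTEGER, FirstNo INTEGER, LastNo INTEGER, Memo TEXT);
        CREATE TABLE PERSON (id INTEGER, name TEXT);
        CREATE TABLE invoices (id INTEGER, Serial TEXT);
        CREATE TABLE bankcheck (id INTEGER, state INTEGER);
    """)
    return conn

if __name__ == "__main__":
    for obj, risk in audit_schema(build_sample()):
        print(f"{obj}: {risk}")
```

Any object the audit reports belongs in the backup set that is verified and kept offline.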

Restoring information attacked by W32.Narilam may be impossible unless you have appropriate backups. Because W32.Narilam was detected only late in November 2012, the SpywareRemove.com malware research team recommends that you update your anti-malware scanners before you scan your computer to delete W32.Narilam. Like all sophisticated PC threats, W32.Narilam shouldn't be deleted manually if safer solutions are available.