Recently, the Iranian CERT reported a new piece of malware targeting Iranian computers that is capable of wiping files from the machines it infects.
SophosLabs have analyzed the new sample and confirmed that the malware attempts to erase the contents of any files on the D, E, F, G, H and I drives.
The malware is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe that drops three executable files: juboot.exe, jucheck.exe and SLEEP.EXE.
'juboot.exe' is a DOS batch (BAT) file converted to PE format. It uses 'SLEEP.EXE' to wait a few seconds and then adds a registry entry that ensures 'jucheck.exe' is executed each time the computer restarts.
The primary function of the malware is to wipe files from the hard drive, but it does so only within a few specific date ranges, each about two days long.
After deleting the data, the malware runs chkdsk in order to trick the victim into believing that the files were corrupted by a software or hardware failure.
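The persistence step above gives a defender something concrete to hunt for: an autorun entry that launches one of the dropped files. The script below is an added example, not code from the Sophos or CERT write-ups. It parses the text output of `reg query` for the standard Run keys and flags any entry whose command line references one of the four filenames named in this article. The choice of the Run keys is an assumption (the article only says "a registry entry"), and the `reg query` output embedded in the script is constructed for the example.

```python
import re
from dataclasses import dataclass

# Filenames named in the write-up. Matching is case-insensitive.
IOC_FILENAMES = {"groovemonitor.exe", "juboot.exe", "jucheck.exe", "sleep.exe"}

# Assumption: the autorun entry lives in one of the standard Run keys.
# The write-up only says "a registry entry" and does not name the key.
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample of `reg query <key>` output: one clean HKCU entry, one
# suspicious HKCU entry, and two clean HKLM entries. Not real host data.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    jucheck    REG_SZ    C:\Users\alice\AppData\Local\Temp\jucheck.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"""


@dataclass
class AutorunHit:
    key: str         # registry key the value was found under
    value_name: str  # name of the Run value
    command: str     # full command line stored in the value
    matched: str     # which IOC filename triggered the hit


# `reg query` prints the key path on its own line, then one value per line as
#     <name>    <type>    <data>
# with four spaces of indentation and four spaces between the columns.
_VALUE_LINE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")


def executable_name(command):
    """Return the lowercase basename of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        tokens = command.split()
        path = tokens[0] if tokens else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ioc_in_command(command):
    """Return the IOC filename referenced by a command line, or None."""
    exe = executable_name(command)
    if exe in IOC_FILENAMES:
        return exe
    # Fallback for unquoted paths containing spaces or for IOC names that
    # appear as an argument rather than as the launched program.
    low = command.lower()
    for name in IOC_FILENAMES:
        if re.search(r'(?:^|[\\/"\s])' + re.escape(name) + r'(?:$|["\s])', low):
            return name
    return None


def scan_reg_query(text):
    """Parse `reg query` output and return every autorun value that hits an IOC."""
    hits = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue
        name, _reg_type, data = m.groups()
        matched = ioc_in_command(data)
        if matched is not None:
            hits.append(AutorunHit(current_key, name, data, matched))
    return hits


if __name__ == "__main__":
    # On a live host you would feed in the output of
    #   reg query "<key>"   for each key in AUTORUN_KEYS
    for hit in scan_reg_query(SAMPLE_REG_QUERY):
        print(f"[!] {hit.key}\\{hit.value_name} -> {hit.command} (matched {hit.matched})")
```

A hit on jucheck.exe needs triage against its path before anyone acts on it: Oracle's own Java update checker ships under that same filename, so the value of this sweep is the full command line it reports, not the filename match alone.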