{
	"id": "d78fe241-1a57-4cdd-9707-b3619f7c8ba6",
	"created_at": "2026-04-06T00:11:17.684349Z",
	"updated_at": "2026-04-10T03:21:30.126116Z",
	"deleted_at": null,
	"sha1_hash": "798bf7121f2276a156f8beb509d7e604d2eb28e5",
	"title": "Shamoon the Wiper - Copycats at Work",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85964,
	"plain_text": "Shamoon the Wiper - Copycats at Work\r\nBy GReAT\r\nPublished: 2012-08-16 · Archived: 2026-04-05 22:26:05 UTC\r\nEarlier today, we received an interesting collection of samples from colleagues at another anti-malware company.\r\nThe samples are especially interesting because they contain a module with the following debug path string:\r\nC:\\Shamoon\\ArabianGulf\\wiper\\release\\wiper.pdb\r\nOf course, the ‘wiper’ reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.\r\nThe malware is a 900KB PE file that contains a number of encrypted resources.\r\nThe resources 112, 113 and 116 are encrypted using a 4 byte XOR operation. The decryption keys, including the one for another resource embedded in one of the binaries, are:\r\n{0x25, 0x7f, 0x5d, 0xfb}\r\n{0x17, 0xd4, 0xba, 0x00}\r\n{0x5c, 0xc2, 0x1a, 0xbb}\r\n{0x15, 0xaf, 0x52, 0xf0}\r\nThe malware appears to be collecting information about \"interesting\" files on the infected system, using the following commands:\r\ndir \"C:\\Documents and Settings\" /s /b /a:-D 2\u003enul | findstr -i download 2\u003enul \u003ef1.inf\r\ndir \"C:\\Documents and Settings\" /s /b /a:-D 2\u003enul | findstr -i document 2\u003enul \u003e\u003ef1.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i download 2\u003enul \u003e\u003ef1.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i document 2\u003enul \u003e\u003ef1.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i picture 2\u003enul \u003e\u003ef1.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i video 2\u003enul \u003e\u003ef1.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i music 2\u003enul \u003e\u003ef1.inf\r\ndir \"C:\\Documents and Settings\" /s /b /a:-D 2\u003enul | findstr -i desktop 2\u003enul \u003ef2.inf\r\ndir C:\\Users /s /b /a:-D 2\u003enul | findstr -i desktop 2\u003enul \u003e\u003ef2.inf\r\ndir C:\\Windows\\System32\\Drivers /s /b /a:-D 2\u003enul \u003e\u003ef2.inf\r\ndir C:\\Windows\\System32\\Config /s /b /a:-D 2\u003enul | findstr -v -i systemprofile 2\u003enul \u003e\u003ef2.inf\r\ndir f1.inf /s /b 2\u003enul \u003e\u003ef1.inf\r\ndir f2.inf /s /b 2\u003enul \u003e\u003ef1.inf\r\nInside resource 112, another resource (101) exists which contains a signed disk driver.\r\nThe disk driver itself does not appear to be malicious. However, it is used for raw disk access by the malware components to wipe the MBR of infected systems.\r\nInterestingly, the driver is signed by EldoS Corporation, a company whose mission, according to their website, is to \"Help people feel confident about integrity and security of valuable information\".\r\nAlso:\r\nEldoS Corporation is an international company specializing in development of security-related software components for corporate market and individual software developers.\r\nOf course, one big question emerges: \"Is this the malware known as Wiper, that attacked Iran in April 2012?\"\r\nOur opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original \"Wiper\" was using certain service names (\"RAHD…\") together with specific filenames for its drivers (\"%temp%\\~dxxx.tmp\") which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.\r\nIt is more likely that this is a copycat, the work of script kiddies inspired by the story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.\r\nWe detect the 32 bit components of the malware as Trojan.Win32.EraseMBR.a. The 64 bit component is detected as Trojan.Win64.EraseMBR.a.
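The 4 byte XOR described above for resources 112, 113 and 116, as an added example written for this edit (it is not code from the Securelist post or from the sample): it applies a repeating 4-byte XOR, tries the four published keys against a resource blob and accepts the first output that parses as a PE, and recovers the key from known plaintext such as the DOS stub text. The resource blob is constructed here by encrypting a minimal fake PE header; the assumption that the decrypted resource is a PE file is the example's own (the post only says resource 112 holds another resource with a signed driver), and which key belongs to which resource is not stated in the post.

```python
# Added example, not code from the Securelist post: repeating 4-byte XOR as
# described for Shamoon resources 112, 113 and 116, key trial against the four
# published keys, and key recovery from known plaintext. The resource blob
# below is constructed (a minimal fake PE header), not a Shamoon sample.
from itertools import cycle

# Keys quoted in the post; which key belongs to which resource is not stated there.
SHAMOON_KEYS = [
    bytes([0x25, 0x7f, 0x5d, 0xfb]),
    bytes([0x17, 0xd4, 0xba, 0x00]),
    bytes([0x5c, 0xc2, 0x1a, 0xbb]),
    bytes([0x15, 0xaf, 0x52, 0xf0]),
]

def xor4(data: bytes, key: bytes) -> bytes:
    '''Repeating 4-byte XOR. XOR is its own inverse, so this encrypts and decrypts.'''
    if len(key) != 4:
        raise ValueError('expected a 4-byte key')
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_pe(data: bytes) -> bool:
    '''Cheap plausibility check for a decrypted resource: MZ magic and an
    e_lfanew that points at the PE signature (0x50 0x45 0x00 0x00).'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3c:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == bytes([0x50, 0x45, 0, 0])

def try_known_keys(blob: bytes, keys=SHAMOON_KEYS):
    '''Return (key, plaintext) for the first key whose output looks like a PE,
    or None. Assumption of this example: the resource decrypts to a PE file.'''
    for key in keys:
        out = xor4(blob, key)
        if looks_like_pe(out):
            return key, out
    return None

def recover_key(ciphertext: bytes, known: bytes, offset: int = 0) -> bytes:
    '''Recover the 4-byte key from known plaintext at a given offset. Every key
    position (offset mod 4) must be covered, and overlapping positions must agree,
    otherwise the data is not a plain 4-byte XOR of that plaintext.'''
    key = [None] * 4
    for i, p in enumerate(known):
        pos = offset + i
        if pos >= len(ciphertext):
            break
        slot, k = pos % 4, ciphertext[pos] ^ p
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            raise ValueError('known plaintext inconsistent with a 4-byte XOR at offset %d' % pos)
    if any(k is None for k in key):
        raise ValueError('known plaintext does not cover all 4 key positions')
    return bytes(key)

# Constructed stand-in for an embedded PE: MZ magic, e_lfanew, the usual DOS
# stub message at 0x4e, and a PE signature at 0x80. Not a runnable executable.
DOS_STUB = b'This program cannot be run in DOS mode.'
_buf = bytearray(0x80 + 32)
_buf[0:2] = b'MZ'
_buf[0x3c:0x40] = (0x80).to_bytes(4, 'little')
_buf[0x4e:0x4e + len(DOS_STUB)] = DOS_STUB
_buf[0x80:0x84] = bytes([0x50, 0x45, 0, 0])
FAKE_PE = bytes(_buf)

# Demo resource blob: the fake PE encrypted with one of the published keys.
DEMO_RESOURCE = xor4(FAKE_PE, SHAMOON_KEYS[2])

if __name__ == '__main__':
    hit = try_known_keys(DEMO_RESOURCE)
    print('matching published key:', hit[0].hex() if hit else None)
    # Same key recovered without any key list, from the DOS stub text alone.
    print('key from known plaintext:', recover_key(DEMO_RESOURCE, DOS_STUB, 0x4e).hex())
```

The DOS stub text starts at offset 0x4e in most PE files, so it covers all four key positions on its own; the MZ magic alone covers only two, which is why recover_key refuses it rather than returning a half-guessed key.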
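The file-enumeration commands quoted above are a usable detection opportunity. As an added example written for this edit (not code from the post), the following runs a token-based detector over constructed process-creation records: a single recursive dir /s /b /a:-D listing redirected into a file is only weak signal, so it counts such commands per host inside a sliding window and alerts when several arrive together. The record format, host names and timestamps are invented for the demo.

```python
# Added example, not from the Securelist post: a token-based detector for the
# recursive file-listing commands quoted above, run over constructed
# process-creation records. Record format (timestamp|host|image|command line),
# host names and timestamps are invented for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

BS = chr(92)  # one backslash, built with chr() to keep the sample free of escape sequences

# Constructed sample: the four ws-17 lines mirror commands quoted in the post,
# the remaining lines are benign noise and a lone recursive listing elsewhere.
SAMPLE_LOG = [
    '2012-08-16T09:01:02|ws-17|cmd.exe|dir C:' + BS + 'Users /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf',
    '2012-08-16T09:01:02|ws-17|cmd.exe|dir C:' + BS + 'Users /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf',
    '2012-08-16T09:01:03|ws-17|cmd.exe|dir C:' + BS + 'Windows' + BS + 'System32' + BS + 'Drivers /s /b /a:-D 2>nul >>f2.inf',
    '2012-08-16T09:01:03|ws-17|cmd.exe|dir C:' + BS + 'Windows' + BS + 'System32' + BS + 'Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf',
    '2012-08-16T09:02:10|ws-17|cmd.exe|dir C:' + BS + 'Users' + BS + 'alice' + BS + 'Desktop /b',
    '2012-08-16T09:05:44|ws-04|cmd.exe|findstr -i error app.log',
    '2012-08-16T09:30:00|ws-04|cmd.exe|dir C:' + BS + 'Users /s /b /a:-D >listing.txt',
]

RECURSIVE_FLAGS = {'/s', '/b', '/a:-d'}  # recurse, bare names, exclude directories

def classify(cmdline):
    '''Return the stdout target file if cmdline is a recursive, directory-excluding
    dir listing redirected into a file (optionally through findstr), else None.
    Token matching is deliberate: paths, quoting and pipe spacing vary between
    samples, while the flag set and the redirect are the stable part.'''
    toks = cmdline.lower().split()
    if 'dir' not in toks or not RECURSIVE_FLAGS.issubset(toks):
        return None
    target = None
    for i, t in enumerate(toks):
        if t in ('>', '>>') and i + 1 < len(toks):
            target = toks[i + 1]
        elif t.startswith('>'):  # '>>f1.inf' or '>f1.inf'; '2>nul' does not start with '>'
            target = t.lstrip('>')
    return None if target in (None, 'nul') else target

def detect(log_lines, window=timedelta(minutes=5), threshold=3):
    '''Group matching commands per host and alert when at least threshold of them
    fall inside a sliding time window. Returns {host: sorted list of output files}.'''
    per_host = defaultdict(list)
    for line in log_lines:
        ts, host, _image, cmd = line.split('|', 3)
        target = classify(cmd)
        if target:
            per_host[host].append((datetime.fromisoformat(ts), target))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = sorted({t for _, t in events[start:end + 1]})
    return alerts

if __name__ == '__main__':
    for host, files in detect(SAMPLE_LOG).items():
        print('ALERT %s: repeated recursive file listings written to %s' % (host, ', '.join(files)))
```

The output file names collected in the alert are what an analyst would want next: here they point at the f1.inf and f2.inf staging files, which are the artefacts to pull from the host before they are consumed by the wiping stage.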
We proactively detected the main dropper by heuristics as \"HEUR:Trojan.Win32.Generic\".\r\nPS: We are not yet sure of the meaning of \"Shamoon\". It could be a reference to the Shamoon College of Engineering http://www.sce.ac.il/eng/. Or, it could simply be the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.\r\nUpdate (17 Aug 2012): Our friends from Seculert have posted their own analysis of the Shamoon attack. They suggest it is a two-stage attack, with lateral movement.\r\nUpdate (17 Aug 2012): During the past 24 hours, we have collected telemetry from our users on Trojan.Win32.EraseMBR.a sightings. So far, there are only two reports, both from China, which appear to be security researchers. So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks.\r\nSource: https://securelist.com/shamoon-the-wiper-copycats-at-work/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/shamoon-the-wiper-copycats-at-work/"
	],
	"report_names": [
		"shamoon-the-wiper-copycats-at-work"
	],
	"threat_actors": [],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/798bf7121f2276a156f8beb509d7e604d2eb28e5.pdf",
		"text": "https://archive.orkl.eu/798bf7121f2276a156f8beb509d7e604d2eb28e5.txt",
		"img": "https://archive.orkl.eu/798bf7121f2276a156f8beb509d7e604d2eb28e5.jpg"
	}
}