W32.Narilam

Posted: November 16, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	2/10
Infected PCs:	86

First Seen:	November 16, 2012
OS(es) Affected:	Windows

Following close on the heels of industrial saboteurs like Stuxnet and the Flame Virus, W32.Narilam is a worm that's designed to destroy sensitive financial information by replacing specific database entries with random data and deleting some types of tables (based on their names). Unlike most PC threats that target financial institutions, W32.Narilam doesn't appear to have any functions that would allow W32.Narilam to steal information, although this deficiency scarcely makes W32.Narilam less of a threat than a typical spyware program. Backing up your business information will allow you to restore information that's lost from W32.Narilam's attacks, and SpywareRemove.com malware researchers especially recommend using anti-malware programs to remove W32.Narilam (which bears the hallmarks of sophisticated and well-funded Trojan design) from your computer.

How to Keep W32.Narilam from Wriggling Its Way to Your Computer

Speculation by various authorities in the PC security industry has led to estimates of W32.Narilam being designed by a government-funded team of coders for the purpose of damaging Iranian government and business financial operations. While this may or may not be the case, SpywareRemove.com malware experts have noted the many similarities between W32.Narilam and other well-designed malware such as Flame and Stuxnet that were built to compromise industrial and government targets.

Foremost among these similarities, W32.Narilam's method of distributing itself uses the standard worm tactic of creating hidden copies in removable drives – such as USB devices. These copies are installed to any new computer to which the infected device is introduced, and SpywareRemove.com malware researchers recommend avoiding any sharing of removable HD devices until you're certain that you've eliminated a W32.Narilam infection.

W32.Narilam can afflict most versions of Windows and is, unsurprisingly, targeted mainly at Iran. However, small numbers of W32.Narilam infections also have been seen in the United States.

The Holes that W32.Narilam Burrows Through Your Data

W32.Narilam, in a callback to the earliest designs of malware, is built for destructive purposes rather than profitable ones – instead of stealing personal information, W32.Narilam sets out to destroy it by deleting values or replacing them with random numbers. SpywareRemove.com malware experts have found that W32.Narilam's functions are heavily based on identifying targets by text strings and names, such as the following:

Tables with the names 'A_Sellers,' 'Kalamast' and 'person' may be deleted entirely.
The following list also notes some of the values that W32.Narilam may change at random: 'A_TranSanj.Tranid,' 'Asnad.FirstNo,' 'Asnad.LastNo,' 'Asnad.SanadNo,' 'bankcheck.state,' 'buyername.Buyername,' 'End_Hesab.Az,' 'Kalabuy.Serial,' 'Kalasales.Serial,' 'Pasandaz.Code' and 'sath.lengths.'

Restoring information attacked by W32.Narilam may be impossible unless you have appropriate backups. Because W32.Narilam was detected only late in November 2012, SpywareRemove.com malware research team recommends that you have your anti-malware scanners updated before you scan your computer to delete W32.Narilam. Like all sophisticated PC threats, W32.Narilam shouldn't be deleted manually if safer solutions are available.

W32.Narilam

Threat Metric

How to Keep W32.Narilam from Wriggling Its Way to Your Computer

The Holes that W32.Narilam Burrows Through Your Data

Leave a Reply