Iran: Narilam Malware Not a Major Threat

Officials on Iran’s computer emergency response team poured cold water on alerts about a strain of malware security researchers have warned is infecting databases throughout the country.

Last week, Symantec released a detailed analysis of a piece of malware known as Narilam, which has primarily been targeting users in the Middle East, though a small number of infections have been detected in the United States and the U.K. According to the company, the majority of the victims are corporate users.

Though the report received media coverage, authorities in Iran pointed out the malware is old and declared that it is not a threat for most users.

“The malware called ‘narilam’ by Symantec was an old malware, previously detected and reported online in 2010 by some other names,” according to a translation of a statement from Iran-CERT. “This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”

According to an analysis by Kaspersky Lab, Narilam was probably deployed during late 2009 and mid-2010.

“Its purpose was to corrupt databases of three financial applications from TarrahSystem, namely Maliran, Amin and Shahd,” Kaspersky Lab noted. “Several variants appear to have been created, but all of them have the same functionality and method of replication. Reports from Kaspersky Security Network indicate that the malware was found mostly in Iran (~60%) and Afghanistan (~40%).”

“At the moment, we do not see any direct connection with other recent destructive malware (such as Shamoon or Wiper). Unlike Duqu or Flame, there is no apparent cyberespionage function,” the analysis continued. “The malware is currently almost extinct – during the past month, we have observed just six instances of this threat.”

Symantec itself classified the threat as ‘low’ in terms of distribution. Written in Delphi, the malware copies itself to the infected machine, adds registry keys and spreads through removable drives and network shares. What sets it apart is its functionality to update a Microsoft SQL database, provided the database is accessible through Object Linking and Embedding Database (OLEDB). It specifically targets SQL databases with three distinct names: alim, maliran, and shahd.

“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” according to Symantec. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”

“Unless appropriate backups are in place, the affected database will be difficult to restore,” Symantec warned. “The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”
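
The following check is an added example, not taken from Symantec, Kaspersky Lab or Iran-CERT: a read-only T-SQL query a database administrator could run on a Microsoft SQL Server instance to see whether it hosts a database with one of the three names Symantec lists and whether a recent full backup is on record. The 24-hour freshness threshold is an assumption; replace it with your own recovery point objective.

```sql
-- Added example: read-only inventory check for SQL Server.
-- Database names come from the Symantec description quoted in the article.
-- Assumption: a full backup older than 24 hours counts as stale.
DECLARE @max_backup_age_hours int = 24;

WITH last_full AS (
    -- Most recent completed full backup per database, from backup history.
    SELECT database_name,
           MAX(backup_finish_date) AS last_full_backup
    FROM msdb.dbo.backupset
    WHERE type = 'D'                      -- 'D' = full database backup
    GROUP BY database_name
)
SELECT d.name                AS database_name,
       d.state_desc,
       d.recovery_model_desc,
       lf.last_full_backup,
       CASE
           WHEN lf.last_full_backup IS NULL
               THEN 'NO FULL BACKUP ON RECORD'
           WHEN DATEDIFF(HOUR, lf.last_full_backup, GETDATE()) > @max_backup_age_hours
               THEN 'FULL BACKUP STALE'
           ELSE 'OK'
       END                   AS backup_status
FROM sys.databases AS d
LEFT JOIN last_full AS lf
       ON lf.database_name COLLATE DATABASE_DEFAULT = d.name COLLATE DATABASE_DEFAULT
-- LOWER() keeps the match case-insensitive even on a case-sensitive server collation.
WHERE LOWER(d.name) IN (N'alim', N'maliran', N'shahd')
ORDER BY d.name;
```

An empty result means none of the three database names exist on the instance. An 'OK' row only shows that a backup was recorded; a test restore to a scratch instance is what confirms it is usable.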
