'Shamoon' Malware May Be Flame 'Copycat'

Security researchers have identified a virus that can steal data from a targeted machine and then rewrite over the master boot record of a computer to make it inoperable.

Called Shamoon, the targeted malware is suspected to be involved in an online attack of Saudi Aramco, a Saudi Arabian oil company, last Wednesday.

The virus has been named Shammon by researchers after an associated file: C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb.

According to researchers at security firm Symantec, an individual infected with the virus may notice some irregularities before the system is forced to reboot.

"They will start to see strange things happen, since a lot of the files on their computer have been rewritten," said Kevin Haley, director of Symantec Security Response, to "You may see error messages, and parts of the files on the computer will be rewritten to the point that the machine will fail to work at all."

According to a company blog post, the malware has three distinct components: a "dropper" agent, which is the main agent that initially infects the system; a "wiper" component, which is involved with deleting data necessary for a system to properly function; and a "reporter" module, which sends back targeted information from an infected system back to the attacker.

While the dropper and reporter components are typically associated with targeted malware, the wiper component is somewhat unique to this type of attack. However, it is not unheard of, as a wiper component was also a part of the Flame virus that hit targeted companies in the Middle East this past May.

However, security firm Kaspersky Labs said it doesn't believe that Shamoon is being launched as a weapon by another nation, as rumored to be the case with Flame.  
"It is more likely that [Shamoon] is a copycat, the work of a script kiddies inspired by the [Flame] story," said Kaspersky in a blog post.

While the malware may only be the work of a copycat, Symantec said it believes that other energy-related companies in the Middle East may be targeted next. However, information from firms investigating the malware, including Symantec and Kaspersky Lab, have not given any clue as to what kind of information is being relayed back to the attacker.

Due to the highly targeted nature of the virus, the vast majority of users are not in harm's way of Shamoon. However, security firms are reminding enterprises to keep all security software up to date and to apply any OS security updates in a timely manner.  

About the Author

Chris Paoli is the site producer for and


  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

  • Exchange Server June Cumulative Updates Arrive, But with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.