Worm:Win32/Gorhev.A
First posted on 11 August 2012.
Source: Microsoft
Aliases:
Worm:Win32/Gorhev.A is also known as Win32/Xema.worm.49152.AX (AhnLab), W32/Worm.XWC (Command), Worm.Win32.VB.ot (Kaspersky), W32/VBWorm.QOL (Norman), Worm.VB!qceXaSBr/Kw (VirusBuster), Worm/VB.DNQ (AVG), Win32.HLLW.Autoruner.6402 (Dr.Web), Win32/AutoRun.VB.AGM worm (ESET), W32/Autorun.worm.h (Microsoft), TROJ_REGRUN.AL (Trend Micro).
Explanation:
Worm:Win32/Gorhev.A is a worm that spreads via removable drives. It deletes files of certain types, as well as files that have certain words in their names.
Installation
Worm:Win32/Gorhev.A copies itself to the %windir% folder under a random file name. It modifies the system registry so that it runs automatically every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe %windir%\<malware file name>.exe"
Because the worm appends its own path to the value rather than replacing "explorer.exe", Winlogon still starts the normal desktop shell, so the infection does not produce a visibly broken logon.
Spreads via...
Removable drives
Worm:Win32/Gorhev.A drops a copy of itself, under a random file name, in the root folder of every removable drive. It also drops a file named "autorun.inf" that launches the copy automatically when the drive is connected to a computer that has Autorun enabled.
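Both host indicators described above (the modified Winlogon "Shell" value and the autorun.inf dropped on removable drives) can be checked from text already collected from a machine. The script below is an example added for this page, not Microsoft's or the analyst's tooling: it parses the text output of `reg query` and the contents of an autorun.inf file, so it runs offline on any platform. The sample inputs are constructed, the file names in them are illustrative placeholders (the worm uses random names), and the Shell parser assumes the listed paths contain no spaces, which holds for the %windir% path the worm writes.

```python
"""
Offline triage for the two Gorhev.A host indicators: the Winlogon Shell
hijack and the autorun.inf dropped in the root of removable drives.
Example code added for this page, not Microsoft's analysis tooling.
"""
import re
from typing import Dict, List

EXPECTED_SHELL = "explorer.exe"  # the only program Winlogon starts by default


def parse_reg_query(output: str) -> Dict[str, str]:
    """Parse `reg query <key>` text output into {value name: data}.
    Value lines are indented: '    Shell    REG_SZ    explorer.exe'."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def check_winlogon_shell(values: Dict[str, str]) -> List[str]:
    """Return every program in the Shell value that is not explorer.exe.
    Gorhev.A writes 'explorer.exe %windir%\\<random>.exe', so the worm shows
    up as a second entry; a replaced first entry is reported as well. A
    missing value means the built-in default (explorer.exe) applies.
    Assumption: no spaces inside paths (true for the %windir% path used)."""
    shell = values.get("Shell", EXPECTED_SHELL)
    entries = [t for t in re.split(r"[,\s]+", shell.strip()) if t]
    return [t for t in entries if t.rsplit("\\", 1)[-1].lower() != EXPECTED_SHELL]


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into {lower-cased key: value}.
    Section and key names are case-insensitive; ';' starts a comment."""
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, val = line.split("=", 1)
            keys[key.strip().lower()] = val.strip()
    return keys


def autorun_launch_targets(keys: Dict[str, str]) -> List[str]:
    """Programs the file would make Windows start: open=, shellexecute=, and
    shell\\<verb>\\command= (the verbs offered in the drive's context menu).
    Duplicates collapsed, first-occurrence order kept."""
    targets = []
    for key, val in keys.items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append(val)
    return list(dict.fromkeys(targets))


def triage(reg_output: str, autorun_text: str) -> List[str]:
    """Human-readable findings for one host and one removable drive."""
    findings = []
    for prog in check_winlogon_shell(parse_reg_query(reg_output)):
        findings.append(f"Winlogon Shell starts extra program: {prog}")
    for prog in autorun_launch_targets(parse_autorun_inf(autorun_text)):
        findings.append(f"autorun.inf launches: {prog}")
    return findings


# --- Constructed samples. File names are illustrative; real copies use random names. ---
SAMPLE_REG_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe C:\WINDOWS\xkqzrt.exe
"""
SAMPLE_REG_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""
SAMPLE_AUTORUN = """[autorun]
; constructed for this example: points Autorun at the worm's copy in the drive root
open=hjwqz.exe
shell\\open\\command=hjwqz.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_INFECTED, SAMPLE_AUTORUN):
        print(finding)
    print("clean host findings:", triage(SAMPLE_REG_CLEAN, "[autorun]\n"))
```

On a live Windows host the first input comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and the second from reading the root of each removable drive; the same functions work on the same text collected through any other means.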
Payload
Deletes files
Worm:Win32/Gorhev.A continuously scans the "Documents and Settings" folder and deletes files with the following extensions:
- .3gp
- .avi
- .bmp
- .dat
- .gif
- .jpg
- .mp4
- .mpg
- .wmv
It also deletes files whose names contain any of the following words:
- anal
- f<removed>ck
- guy
- sexy
Analysis by Daniel Radu
Last update 11 August 2012