
Win32.Gruel.A(B,C)@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Gruel.A(B,C)@mm is also known as W32.Gruel@mm (Symantec).

Explanation :

The virus is a mass-mailer; it arrives as an e-mail message with one of the following sets of characteristics, depending on the variant:

Version A@mm
Subject: Symantec: New serious virus
Body: Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
Attachment: Symantec_Norton_Tool.exe

Version B@mm
Subject: Microsoft Windows Critical Update
Body: Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
Attachment: AntiVirus_Patch.exe

Version C@mm
Subject: Microsoft Windows Critical Update
Body: Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
Attachment: Windows Critical Update 088562.exe
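As an added example (not part of the BitDefender write-up), here is a minimal mail-filter rule in Python that flags the three lures above by subject line and attachment file name, and treats any other message carrying an executable attachment as suspicious. The lure strings are taken from the write-up; the sample messages, sender and recipient addresses are constructed inline for the demonstration and are not captured traffic.

```python
# Added example: mail-gateway triage rule for the Gruel lures.
# Sample messages below are constructed test data, not real captures.
import email
import re
from email import policy
from email.message import EmailMessage

# (subject, attachment file name) per variant, as listed in the write-up
GRUEL_LURES = {
    "A": ("Symantec: New serious virus", "Symantec_Norton_Tool.exe"),
    "B": ("Microsoft Windows Critical Update", "AntiVirus_Patch.exe"),
    "C": ("Microsoft Windows Critical Update", "Windows Critical Update 088562.exe"),
}
# Any of these extensions on an attachment is worth a second look
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat)$", re.IGNORECASE)


def attachment_names(msg):
    """Collect file names of all non-body parts of a parsed message."""
    names = []
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn:
            names.append(fn)
    return names


def classify(raw):
    """Return ('gruel', variant) on an exact lure match, ('suspicious', None)
    for any other executable attachment, or ('clean', None)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    names = attachment_names(msg)
    for variant, (lure_subject, lure_file) in GRUEL_LURES.items():
        if subject == lure_subject and any(n.lower() == lure_file.lower() for n in names):
            return ("gruel", variant)
    if any(EXEC_EXT.search(n) for n in names):
        return ("suspicious", None)
    return ("clean", None)


def build_sample(subject, body, filename=None):
    """Construct a sample RFC 5322 message (test data, not a real e-mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # assumed address
    m["To"] = "victim@example.invalid"     # assumed address
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # A few bytes of a PE header stand in for the real attachment
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples: variant A, variant C, an unrelated executable, a clean mail
SAMPLES = {
    "a": build_sample("Symantec: New serious virus",
                      "Norton Security Response: has detected a new virus ...",
                      "Symantec_Norton_Tool.exe"),
    "c": build_sample("Microsoft Windows Critical Update",
                      "Critical Update: The Microsoft Windows updates ...",
                      "Windows Critical Update 088562.exe"),
    "other_exe": build_sample("Invoice", "see attached", "invoice.exe"),
    "clean": build_sample("Lunch?", "noon works"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The exact-match rule is deliberately narrow so it does not fire on legitimate vendor mail; the broader executable-attachment check is what catches renamed copies of the same lure.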

Once the attachment has been run, the virus does the following:

Copies itself as C:\Rundll32.exe;
Creates / modifies registry keys (the keys are not listed on this page);

Attempts to place copies of itself as:
Version A@mm:
C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
C:\WINNT\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
Versions B@mm and C@mm:
C:\windows\Program Files\Kazaa\My Shared Folder\Windows XP KeyGen 2.5.exe
C:\WINNT\Program Files\Kazaa\My Shared Folder\Windows XP KeyGen 2.5.exe

Sends copies of itself to all e-mail addresses in the Outlook database (using the messages shown above);
Attempts to delete files matching the following patterns (depending on the host OS):

C:\AUTOEXEC.bat
C:\config.sys
%WINDOWS%\system32\*.dll
%WINDOWS%\system32\*.exe
%WINDOWS%\system32\*.com
%WINDOWS%\system32\*.ocx
%WINDOWS%\system32\ntoskrnl.exe
%WINDOWS%\system32\command.com
%WINDOWS%\regedit.exe

where %WINDOWS% is the Windows folder (C:\Windows or C:\WINNT).

It may also attempt to delete other files and subfolders from the Windows folder
(e.g. C:\WINDOWS\SYSTEM\*.DLL and *.EXE, C:\WINDOWS\SYSTEM\PRECOPY\*.CAB, C:\WINDOWS\SYSTEM32\DRIVERS\*.SYS, and even the whole C:\WINDOWS\SYSTEM32 folder).
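An added example, not from the original write-up, of a host-side check in Python: it classifies a file inventory against the drop locations listed above (a self-copy in the root of C:, the two Kazaa shared-folder names) and reports which of the named critical files are absent. The INVENTORY list and the windir default are assumptions made for the demonstration; on a live host you would feed it the output of a directory walk. Note that the legitimate rundll32.exe lives under %WINDOWS%\system32, so the indicator is the copy at C:\Rundll32.exe, not the file name by itself.

```python
# Added example: sweep a path inventory for the Gruel drop locations and
# check for the critical files the worm deletes. INVENTORY is constructed.
import ntpath

# Parent folder of the P2P drops, as in the write-up (matched as a suffix so
# both the \windows and \WINNT trees are accepted)
KAZAA_SHARE = r"\program files\kazaa\my shared folder"
# Drop file names per variant
KAZAA_NAMES = {
    "norton 2003 pro.exe": "A",
    "windows xp keygen 2.5.exe": "B/C",
}
# Files from the deletion list whose absence usually means the host will not boot
CRITICAL_FILES = [r"\system32\ntoskrnl.exe", r"\system32\command.com", r"\regedit.exe"]


def match_ioc(path):
    """Return (indicator, variant) if `path` is a Gruel drop location, else None.
    Matching is case-insensitive and tolerates forward slashes."""
    p = path.replace("/", "\\").lower()
    if p == r"c:\rundll32.exe":
        return ("self-copy in drive root", "A/B/C")
    head, name = ntpath.split(p)
    if head.endswith(KAZAA_SHARE) and name in KAZAA_NAMES:
        return ("P2P share drop", KAZAA_NAMES[name])
    return None


def sweep(paths):
    """Return [(path, indicator, variant), ...] for every matching path."""
    hits = []
    for path in paths:
        m = match_ioc(path)
        if m:
            hits.append((path, *m))
    return hits


def missing_critical(paths, windir=r"c:\windows"):
    """Return the critical files (under the assumed windir) not present in `paths`."""
    present = {p.replace("/", "\\").lower() for p in paths}
    return [windir + f for f in CRITICAL_FILES if (windir + f).lower() not in present]


# Constructed inventory: one infected-looking host with both drop styles present,
# the genuine rundll32.exe, and an unrelated file in the Kazaa share
INVENTORY = [
    r"C:\Rundll32.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"C:\WINNT\Program Files\Kazaa\My Shared Folder\Windows XP KeyGen 2.5.exe",
    r"C:\Windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\song.mp3",
]

if __name__ == "__main__":
    for hit in sweep(INVENTORY):
        print("IOC:", *hit)
    for f in missing_critical(INVENTORY):
        print("missing:", f)
```

A hit on the root-level Rundll32.exe alone is enough to treat the host as compromised; the Kazaa names tell you which variant and that the worm has also been offered to P2P peers.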

Next, the virus displays a dialog window (screenshot not reproduced here); after the user clicks [Send and Close], the virus does the following:

opens the CD-ROM tray;
disables the System Tray and Taskbar;
opens many Control Panel windows;
hides one or more drives (C:, D:, etc.)

Next, it displays a second window (screenshot not reproduced here).

After a while, it displays the following message and then restarts the computer:

Windows has encountered a problem a needs to close. We are sorry for the inconvenience.

At this point the infected system may be missing critical files and may fail to load or restart.

Last update 21 November 2011
