Win32.Gruel.A(B,C)@mm

LOW
HIGH
Size: 102,400 bytes
Aliases: W32.Gruel@mm (Symantec), W32/Gruel-A (Sophos)

Symptoms

  • Presence of the file:
    C:\Rundll32.exe
    (dropped in the root of the C: drive; not to be confused with the legitimate rundll32.exe in the Windows system folder)


  • Presence of any of the following registry keys and values:
    [HKCU\Software\kIlLeRgUaTe 1.03]
    with the registry entries: FirstRun, Password, AppPath

    [HKCU\Software\VB and VBA Program Settings\KILLERGUATE\KILLERGUATE]
    with the registry entries: st, start, now, reg, alt

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "MediaPath"="C:\Rundll32.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
    "Rundll32"="C:\Rundll32.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX\]
    "DevicePath"="C:\Rundll32.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP\]
    "NetCache"="C:\Rundll32.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\]
    "ProxyDevice"="C:\Rundll32.exe"

    [HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\]
    "Window Title"="kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"

    It also replaces the (Default) "open" command of the following file-type handlers, so that every program of that type is launched through the virus:

    [HKCR\exefile\shell\open\command]
    @="%VIRUS% %1"

    [HKCR\comfile\shell\open\command]
    @="%VIRUS% %1"

    [HKCR\batfile\shell\open\command]
    @="%VIRUS% %1"

    [HKCR\piffile\shell\open\command]
    @="%VIRUS% %1"

    [HKCR\htafile\shell\open\command]
    @="%VIRUS% %1"

    [HKCR\htfile\shell\open\command]
    @="%VIRUS% %1"

    where %VIRUS% is the full path and name of the infected file (e.g. C:\My Documents\Tool.exe). The stock value for the exefile, comfile, batfile and piffile handlers is "%1" %*. Because the hijack points at the original attachment's path, deleting that file before the handlers are restored leaves the system unable to start any .exe, .com, .bat or .pif program.
  • Removal instructions:

    BitDefender can automatically disinfect or delete the files infected by this virus; the modified registry entries must be corrected manually. Fix the registry before removing any files: the hijacked file-type handlers launch every .exe, .com, .bat and .pif through the original infected file, so deleting that file first leaves the system unable to start any program, regedit included.

    1. If you don't have BitDefender installed, download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Make the following changes in the Windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;

      2. Restore the (Default) value of HKCR\exefile\shell\open\command, HKCR\comfile\shell\open\command, HKCR\batfile\shell\open\command and HKCR\piffile\shell\open\command to "%1" %*, and restore the htafile handler (and htfile, if present) to its original command (for htafile: the full path of mshta.exe in the system folder followed by "%1" %*);

      3. Delete only the listed values (MediaPath, Rundll32, DevicePath, NetCache, ProxyDevice) from the Run, RunOnce, RunOnceEx, Setup and CurrentVersion keys; do not delete those keys themselves;

      4. Delete the keys HKCU\Software\kIlLeRgUaTe 1.03 and HKCU\Software\VB and VBA Program Settings\KILLERGUATE, and clear the Window Title value under HKCU\SOFTWARE\Microsoft\Internet Explorer\Main.

    4. Reboot the computer;

    5. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Gruel@mm.

    Analyzed By

    Patrick Vicol BitDefender Virus Researcher

    Technical Description:

    The virus arrives as an email with the following characteristics:

    Version A@mm
    Subject: Symantec: New serious virus
    Body: Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
    Attachment: Symantec_Norton_Tool.exe

    Version B@mm
    Subject: Microsoft Windows Critical Update
    Body: Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
    Attachment: AntiVirus_Patch.exe

    Version C@mm
    Subject: Microsoft Windows Critical Update
    Body: Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
    Attachment: Windows Critical Update 088562.exe

    Once the attachment has been run, the virus will do the following:

    1. Copies itself as C:\Rundll32.exe;

    2. Creates / modifies the aforementioned registry keys;


    3. Attempts to place copies of itself in the Kazaa shared folder (so that they are offered to other peer-to-peer users) as:
      Version A@mm:
      C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
      C:\WINNT\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
      Versions B@mm and C@mm:
      C:\windows\Program Files\Kazaa\My Shared Folder\Windows XP KeyGen 2.5.exe
      C:\WINNT\Program Files\Kazaa\My Shared Folder\Windows XP KeyGen 2.5.exe

    4. Sends copies of itself to all e-mail addresses found in the Outlook database (using the message formats shown above);

    5. Attempts to delete files matching the following (depending on the host OS):

      C:\AUTOEXEC.bat
      C:\config.sys
      %WINDOWS%\system32\*.dll
      %WINDOWS%\system32\*.exe
      %WINDOWS%\system32\*.com
      %WINDOWS%\system32\*.ocx
      %WINDOWS%\system32\ntoskrnl.exe
      %WINDOWS%\system32\command.com
      %WINDOWS%\regedit.exe

      where %WINDOWS% is the Windows folder (C:\WINDOWS or C:\WINNT).


    6. It may also attempt to delete various files and subfolders from the Windows folder
      (e.g. C:\WINDOWS\SYSTEM\*.DLL, *.EXE, C:\WINDOWS\SYSTEM\PRECOPY\*.CAB, C:\WINDOWS\SYSTEM32\DRIVERS\*.SYS and even the whole C:\WINDOWS\SYSTEM32 folder)

    7. Next, the virus displays a dialog window (screenshot not reproduced here);

      after clicking on [Send and Close] the virus will do the following:

      • open the CD-ROM tray;

      • disable System Tray and Taskbar;

      • open many Control Panel windows;

      • hide one or more of the drives (C, D, etc.)


    8. Next, it displays a second window (screenshot not reproduced here).

      After a while, it displays the following message (reproduced verbatim) before restarting:

      Windows has encountered a problem a needs to close. We are sorry for the inconvenience.

      By this point the infected system may be missing critical files and may fail to boot.