Win32.Gruel.A(B,C)@mm
Aliases: W32.Gruel@mm (Symantec), W32/Gruel-A (Sophos)
SYMPTOMS:
Presence of the file C:\Rundll32.exe and of the following registry entries:

[HKCU\Software\kIlLeRgUaTe 1.03] with the values: FirstRun, Password, AppPath
[HKCU\Software\VB and VBA Program Settings\KILLERGUATE\KILLERGUATE] with the values: st, start, now, reg, alt
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] "MediaPath"="C:\Rundll32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\] "Rundll32"="C:\Rundll32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX\] "DevicePath"="C:\Rundll32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP\] "NetCache"="C:\Rundll32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\] "ProxyDevice"="C:\Rundll32.exe"
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\] "Window Title"="kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"

It also sets the following registry entries, so that the infected file is started before any executable launched through the shell:

[HKCR\exefile\shell\open\] "command"="%VIRUS% %1"
[HKCR\comfile\shell\open\] "command"="%VIRUS% %1"
[HKCR\batfile\shell\open\] "command"="%VIRUS% %1"
[HKCR\piffile\shell\open\] "command"="%VIRUS% %1"
[HKCR\htafile\shell\open\] "command"="%VIRUS% %1"
[HKCR\htfile\shell\open\] "command"="%VIRUS% %1"

where %VIRUS% is the full path and name of the infected file (e.g. C:\My Documents\Tool.exe).

TECHNICAL DESCRIPTION:
The virus arrives as an email with the following characteristics:

Version A@mm
Subject: Symantec: New serious virus
Body:
Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
Attachment: Symantec_Norton_Tool.exe

Version B@mm
Subject: Microsoft Windows Critical Update
Body:
Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
Attachment: AntiVirus_Patch.exe

Version C@mm
Subject and body: identical to Version B@mm
Attachment: Windows Critical Update 088562.exe

Once the attachment has been run, the virus will do the following:

It may also attempt to delete various files and subfolders from the Windows folder (e.g. C:\WINDOWS\SYSTEM\*.DLL, *.EXE, C:\WINDOWS\SYSTEM\PRECOPY\*.CAB, C:\WINDOWS\SYSTEM32\DRIVERS\*.SYS, and even the whole folder C:\WINDOWS\SYSTEM32).

REMOVAL INSTRUCTIONS:
BitDefender can automatically disinfect or delete the files infected by this virus. The modified registry entries must be corrected manually.
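Because the registry cleanup is manual, a responder first needs a reliable list of which of the entries above are actually present on a given host. The script below is an added example, not part of the BitDefender entry: a read-only PowerShell audit that checks the dropped file, the two marker keys, the five autorun values and the shell\open\command hijack named in the SYMPTOMS section, and prints what it finds. The expected defaults it compares against ("%1" first for exefile, comfile, batfile and piffile; mshta.exe for htafile) are standard Windows values, not from the entry; the "htfile" class has no default known to me, so it is only tested for a reference to the dropped file. Run it in an elevated PowerShell on the suspect host.

```powershell
# Added example, not from the BitDefender entry: read-only audit of the
# Win32.Gruel indicators listed in the SYMPTOMS section. Reports only; the
# registry repair itself stays a manual step.

$suspectImage = 'C:\Rundll32.exe'   # dropped file named in the entry
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$What, [string]$Where, [string]$Value) {
    $findings.Add([pscustomobject]@{ What = $What; Where = $Where; Value = $Value })
}

# 1. Dropped file
if (Test-Path -LiteralPath $suspectImage) {
    Add-Finding 'dropped file present' $suspectImage ''
}

# 2. Marker keys the worm creates under HKCU
foreach ($k in 'HKCU:\Software\kIlLeRgUaTe 1.03',
               'HKCU:\Software\VB and VBA Program Settings\KILLERGUATE\KILLERGUATE') {
    if (Test-Path -LiteralPath $k) { Add-Finding 'marker key present' $k '' }
}

# 3. Autorun values, each of which the worm points at the dropped file
$runEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';       Name = 'MediaPath'   },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';   Name = 'Rundll32'    },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX'; Name = 'DevicePath'  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP';     Name = 'NetCache'    },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion';           Name = 'ProxyDevice' }
)
foreach ($e in $runEntries) {
    $item = Get-ItemProperty -LiteralPath $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $val = [string]$item.($e.Name)
        if ($val -like "*$suspectImage*") {
            Add-Finding 'autorun value runs dropped file' "$($e.Key)\$($e.Name)" $val
        }
    }
}

# 4. File-association hijack: "<infected file> %1" in place of the normal handler.
#    Expected defaults are standard Windows values (assumption of this example).
foreach ($cls in 'exefile', 'comfile', 'batfile', 'piffile', 'htafile', 'htfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($cmd)) { continue }
    if ($cmd -like "*$suspectImage*") {
        Add-Finding 'shell\open\command runs dropped file' $key $cmd
        continue
    }
    $ok = switch ($cls) {
        'htafile' { $cmd -match 'mshta\.exe' }          # .hta is normally handled by mshta.exe
        'htfile'  { $true }                              # no well-known default; not compared
        default   { $cmd.TrimStart() -like '"%1"*' }     # normal handler starts with "%1"
    }
    if (-not $ok) { Add-Finding 'shell\open\command not the Windows default' $key $cmd }
}

# 5. Changed Internet Explorer window title
$ieMain = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
$title = (Get-ItemProperty -LiteralPath $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title -like '*kIlLeRgUaTe*') {
    Add-Finding 'IE window title set by worm' "$ieMain\Window Title" $title
}

if ($findings.Count -eq 0) { 'No Win32.Gruel indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The script deliberately makes no changes: once it confirms a hijacked shell\open\command value, the manual repair is to set that default value back to "%1" %* for exefile, comfile, batfile and piffile (htafile goes back to its mshta.exe handler), and to delete the autorun values and marker keys it listed. Run the audit again afterwards to confirm the host comes back clean, and only then trust that double-clicking an .exe no longer starts the infected file first.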
ANALYZED BY: Patrick Vicol, BitDefender Virus Researcher

