

Graps

Aliases: Graps, Worm.Win32.Graps, W32/Graps.worm, W32.HLLW.Graps
Category: Malware
Platform: W32
Summary

The Graps worm was discovered at the beginning of July 2003. It spreads in local networks: it scans the network for reachable computers and tries to gain access to their IPC$ and ADMIN$ shares by a dictionary attack (trying a set of pre-defined weak passwords). If the worm succeeds, it copies itself to the remote computer, starts its file there and then deletes the IPC$ and ADMIN$ shares.



Disinfection & Removal

To disinfect a system it is enough to delete the mwd.exe file and the three batch files (wds.bat, wds2.bat and wds3.bat) listed under Technical Details from the hard disk, and to remove the worm's startup value from the Run key described there. Note that psexec.exe and mswinsck.ocx are legitimate files that the worm merely carries along; whether to remove them depends on whether they were present before the infection. The IPC$ and ADMIN$ shares that the worm deletes are administrative shares that Windows recreates at the next restart.



Technical Details

The worm is a 53 KB Windows PE executable written in Visual Basic and compressed with the UPX file compressor. It spreads with the help of the following files:

psexec.exe   - a utility that allows running processes on remote computers
mswinsck.ocx - the standard WinSock control (library) for VB applications
wds.bat, wds2.bat, wds3.bat - batch files, dropped by the worm, that spread it to remote computers
mwd.exe      - the worm's executable file

The batch scripts that the worm drops are used to gain access to IPC$ and ADMIN$ shares protected by a weak password or by no password at all. When such a share is found, the scripts copy the worm's main file mwd.exe, together with psexec.exe and mswinsck.ocx, into the \ADMIN$\System32\ folder (the Windows System folder of the remote computer) and start the worm's file remotely with the psexec.exe utility. As a result the remote computer becomes infected. After spreading, the worm tries to delete the IPC$ and ADMIN$ shares.
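The spreading chain just described (a burst of failed IPC$/ADMIN$ logons from one host, then a successful logon, then the worm's three files landing in System32 over ADMIN$) is a pattern a defender can hunt for in share-access audit data. The following Python script is an added example, not code from the original description or from F-Secure: it runs over a constructed, simplified share-access log (the record format, host addresses and timestamps are assumptions, not a real Windows event format) and flags source/target pairs that guessed a password after repeated failures and then wrote the worm's file set.

```python
import re
from collections import defaultdict

# Constructed sample of simplified share-access audit records (not real
# Windows event log data). One record per line: timestamp, source host,
# target host, account, share, outcome and, for a write over a share, the
# file that was created relative to the share root.
SAMPLE_LOG = r"""
2003-07-08 09:15:01 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=FAIL
2003-07-08 09:15:01 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=FAIL
2003-07-08 09:15:02 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=FAIL
2003-07-08 09:15:02 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=FAIL
2003-07-08 09:15:03 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=FAIL
2003-07-08 09:15:03 src=10.0.0.7 dst=10.0.0.21 user=administrator share=IPC$ result=OK
2003-07-08 09:15:04 src=10.0.0.7 dst=10.0.0.21 user=administrator share=ADMIN$ result=OK file=System32\mwd.exe
2003-07-08 09:15:04 src=10.0.0.7 dst=10.0.0.21 user=administrator share=ADMIN$ result=OK file=System32\psexec.exe
2003-07-08 09:15:05 src=10.0.0.7 dst=10.0.0.21 user=administrator share=ADMIN$ result=OK file=System32\mswinsck.ocx
2003-07-08 09:20:00 src=10.0.0.9 dst=10.0.0.21 user=jsmith share=IPC$ result=FAIL
2003-07-08 09:20:05 src=10.0.0.9 dst=10.0.0.21 user=jsmith share=IPC$ result=OK
2003-07-08 09:21:00 src=10.0.0.9 dst=10.0.0.21 user=jsmith share=public result=OK file=report.doc
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"share=(?P<share>\S+) result=(?P<result>OK|FAIL)(?: file=(?P<file>\S+))?$"
)

# File set the description says the worm copies into \ADMIN$\System32\.
GRAPS_FILES = {"mwd.exe", "psexec.exe", "mswinsck.ocx"}
ADMIN_SHARES = {"IPC$", "ADMIN$"}


def parse_records(text):
    """Parse the simplified audit format into a list of dicts; skip junk lines."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def detect_graps_spread(records, fail_threshold=5):
    """Flag (src, dst) pairs where a successful IPC$/ADMIN$ logon follows at
    least fail_threshold failures from the same source (dictionary attack),
    and report which of the worm's files were then written over ADMIN$."""
    state = defaultdict(lambda: {"fails": 0, "guessed": False, "files": set()})
    for r in records:
        if r["share"] not in ADMIN_SHARES:
            continue
        s = state[(r["src"], r["dst"])]
        if r["result"] == "FAIL":
            s["fails"] += 1
            continue
        # A success after a burst of failures is the dictionary attack paying off.
        if s["fails"] >= fail_threshold:
            s["guessed"] = True
        if s["guessed"] and r["file"] and r["share"] == "ADMIN$":
            name = re.split(r"[\\/]", r["file"])[-1].lower()
            if name in GRAPS_FILES:
                s["files"].add(name)
    alerts = []
    for (src, dst), s in sorted(state.items()):
        if not s["guessed"]:
            continue
        alerts.append({
            "src": src,
            "dst": dst,
            "failed_logons": s["fails"],
            "dropped_files": sorted(s["files"]),
            # Only the full set is the worm's dropper; psexec.exe or mswinsck.ocx
            # on their own are legitimate components and would be a false positive.
            "verdict": "graps-dropper" if s["files"] >= GRAPS_FILES else "password-guessing",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_graps_spread(parse_records(SAMPLE_LOG)):
        print(alert)
```

The threshold is per source/target pair rather than per account, because the worm tries a fixed password list against one share at a time; a single failed logon followed by success (the second host in the sample) is ordinary user behaviour and is not reported.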

On an infected computer the worm creates a startup key for its file in System Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows Management Instumentation" = "%winsysdir%\mwd.exe"

The worm also has backdoor features. It listens on a specific port and allows remote attackers to log in and perform the following actions:

- perform a DoS (Denial of Service) attack
- get system information
- search for specified files on the hard disk
- redirect traffic (work as a proxy)
- scan for open ports



Detection

Detection for Graps worm is available since the following FSAV updates:

Detection Type: PC
Database: 2003-07-08_03



Description Created: F-Secure Anti-Virus Research Team; F-Secure Corp.; July 8th, 2003


