Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Worm:W32/Gurong.A


Discovered:
Aliases:


March 21, 2006
Email-Worm.Win32.Gurong.a

Malware
WormEmail-Worm
W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Worm:W32/Gurong.A worm in e-mails and in Kazaa shared folders. It has a rootkit functionality.This worm appeared on the 21st of March 2006.


Installation

After the worm's file is run, it copies itself to the Windows System folder as wmedia16.exe and creates a startup key value for this file in the registry.


Rootkit

The worm is able to hide the following items:

  • Processes
  • Files
  • Registry keys and values

When the worm is active, it hides its own process, file and launch point in the registry.The worm installs a call gate through \Device\PhysicalMemory to execute part of its code in kernel mode (ring 0). The kernel-mode code replaces the following function pointers from the system service table:

  • NtClose
  • NtCreateFile
  • NtEnumerateKey
  • NtEnumerateValueKey
  • NtOpenFile
  • NtQueryDirectoryFile

This allows it to hide files, registry keys and values. In addition, the worm is able to modify kernel-mode process structures to hide any process it specifies.


Propagation (E-mail)

Before spreading, the worm looks for e-mail addresses in the victim's Windows Address Book (WAB) file and also in files with the following extensions:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

The worm ignores e-mail addresses that contains any of the following substrings:

  • .aero
  • .gov
  • .mil
  • accoun
  • AccountRobot
  • acketst
  • admin
  • alert
  • anyone
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • example
  • feste
  • fethard
  • fido
  • foo.
  • fraud
  • fsf.
  • gnu
  • gold-certs
  • google
  • google
  • gov.
  • help
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • linux
  • listserv
  • math
  • me
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntivi
  • page
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • webmoney
  • you
  • your

The worm then constructs the e-mail message used to deliver the worm's file by using the following "building blocks". The subject of the message can be one of the following:

  • Greetings!
  • Hello friend ;)
  • Hey dear!
  • Re: Hello
  • Re: I got it! Try it now!
  • Re[2]: wazzup bro
  • Wazzap bro!!

The body text can be one of the following:

  • Greetings! Check out my portfolio, please! Here is some my photos in the archive.
  • Greetings. Here is some my nude photos in the attachment.
  • Hello bro! Here is my new girlfriend's photo! Check it out!
  • Hello buddy! Take a look at attachment! Here is my nude 17-yr sister!
  • Hello! Here is NEW smiles pack for MSN messenger! It is really cool ;)
  • Hello! I sent you new skype plug-in, as you wished.
  • Hello! There is NEW plug-in for MSN. Try it out!
  • Hey bro! Check out attachment! There is a new plug-in for skype!
  • Hey dear! Here is my photos, as I promised.
  • Hey friend! Try this new smiles pack for MSN messenger!
  • Hey man! Take a look at attachment!
  • Whatz up man! There is my nude 17-yr sister in the attachment!'

The infected attachment name can be any of the following:

  • body
  • conf_data
  • doc
  • document
  • i_love_u
  • i_luv_u
  • port_imgs
  • sex_girls
  • sex_pics

Infected attachments can have the following extensions:

  • bat
  • cmd
  • exe
  • pif
  • scr

The worm spoofs (fakes) the sender's e-mail address. The following user names are used to compose the fake sender's address:

  • adam
  • alex
  • alexey
  • alice
  • andrew
  • anna
  • bob
  • boris
  • brenda
  • brent
  • brian
  • claudia
  • craig
  • cyber
  • dan
  • dave
  • david
  • debby
  • den
  • dmitry
  • frank
  • george
  • gerhard
  • helen
  • ilya
  • james
  • jane
  • jayson
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • lee
  • leo
  • linda
  • linda
  • maria
  • marina
  • mary
  • matt
  • michael
  • mike
  • nikolay
  • olga
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • steve
  • tom
  • vlad
  • vladimir

The following domain names are used to compose the fake sender's address:

  • aol.com
  • earthlink.net
  • hotmail.com
  • msn.com
  • yahoo.com

Propagation (File sharing)

The worm copies itself to the shared folder of the peer-to-peer Kazaa client, with the following names:

  • 0day_patch
  • dcom_patches
  • icq5
  • lsas_patches
  • msblast_patches
  • office_crack
  • skype_video
  • strip-girl4.0c
  • trillian_crack_all
  • winamp5
  • xp_activation

The extensions of the copied files are randomly selected from the following variants:

  • bat
  • exe
  • pif
  • scr

Registry Modifications

Creates these keys:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WMedia16" = "%WinSysDir%\wmedia16.exe"


Detection

F-Secure Anti-Virus detects this malware with the following update:
Database: 2006-03-21_03





Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.