Worm:W32/Gurong.A is a worm that spreads in e-mails and in Kazaa shared folders. It has rootkit functionality.
This worm appeared on the 21st of March 2006.
After the worm's file is run, it copies itself to the Windows System folder as wmedia16.exe and creates a startup key value for this file in the registry.
The worm is able to hide the following items:
- Files
- Processes
- Registry keys and values
When the worm is active, it hides its own process, file and launch point in the registry.
The worm installs a call gate through \Device\PhysicalMemory to execute part of its code in kernel mode (ring 0). The kernel-mode code replaces the following function pointers in the system service table:
This allows it to hide files, registry keys and values. In addition, the worm is able to modify kernel-mode process structures to hide any process it specifies.
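A rootkit that hooks the system service table or edits kernel process structures only fools the code paths it has patched; an independent view of the same data (a memory image walked by an offline tool rather than the live process enumeration API, a raw disk read rather than a hooked directory listing) still contains the hidden object. The cross-view check below is an added example, not code from F-Secure or from the worm: the two "views" are constructed sample listings standing in for real tool output, and the PIDs and neighbouring process names are invented; only the file name wmedia16.exe comes from the description above.

```python
"""Cross-view detection of processes and files hidden by a kernel-mode rootkit.

Added example. Two listings of the same machine are compared: one taken through
the (hooked) user-mode API while the rootkit is active, one taken by a tool that
does not go through the patched code path. Anything present in the second view
but absent from the first is a candidate for something being hidden.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: tasklist-style output as returned through the hooked API.
API_VIEW_PROCESSES = """\
Image Name                     PID
System                           4
winlogon.exe                   612
explorer.exe                  1324
"""

# Constructed: the same machine as seen by an offline memory-analysis tool that
# scans pool memory instead of following the linked list the rootkit edited.
OFFLINE_VIEW_PROCESSES = """\
Image Name                     PID
System                           4
winlogon.exe                   612
explorer.exe                  1324
wmedia16.exe                  1580
"""

# Constructed: directory listing of the System folder via the hooked API ...
API_VIEW_SYSTEM32 = """\
kernel32.dll
ntdll.dll
"""

# ... and via a raw read of the file system (e.g. an offline disk image).
RAW_VIEW_SYSTEM32 = """\
kernel32.dll
ntdll.dll
wmedia16.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "process" or "file"
    name: str
    detail: str


_PROC_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s*$")


def parse_processes(listing: str) -> dict[int, str]:
    """Parse a two-column (image name, PID) table into {pid: image name}.

    The header line does not match the pattern and is skipped automatically.
    """
    procs: dict[int, str] = {}
    for line in listing.splitlines():
        m = _PROC_LINE.match(line.strip())
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def parse_files(listing: str) -> set[str]:
    """Parse a one-name-per-line directory listing; NTFS names compare case-insensitively."""
    return {line.strip().lower() for line in listing.splitlines() if line.strip()}


def cross_view(api_procs: dict[int, str], raw_procs: dict[int, str],
               api_files: set[str], raw_files: set[str]) -> list[Finding]:
    """Report objects visible in the independent view but not through the API."""
    findings: list[Finding] = []
    for pid, name in sorted(raw_procs.items()):
        if pid not in api_procs:
            findings.append(Finding("process", name, f"PID {pid} absent from API view"))
        elif api_procs[pid].lower() != name.lower():
            findings.append(Finding("process", name,
                                    f"PID {pid} reported as {api_procs[pid]!r} by API"))
    for fname in sorted(raw_files - api_files):
        findings.append(Finding("file", fname, "on disk but absent from API directory listing"))
    return findings


def scan_sample() -> list[Finding]:
    """Run the comparison over the constructed sample views."""
    return cross_view(parse_processes(API_VIEW_PROCESSES),
                      parse_processes(OFFLINE_VIEW_PROCESSES),
                      parse_files(API_VIEW_SYSTEM32),
                      parse_files(RAW_VIEW_SYSTEM32))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

The comparison is deliberately view-agnostic: any two sources that reach the data by different code paths can be fed in, and a discrepancy is a lead to investigate rather than proof of infection on its own.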
Before spreading, the worm looks for e-mail addresses in the victim's Windows Address Book (WAB) file and also in files with the following extensions:
The worm ignores e-mail addresses that contain any of the following substrings:
The worm then constructs the e-mail message used to deliver the worm's file by using the following "building blocks". The subject of the message can be one of the following:
- Hello friend ;)
- Hey dear!
- Re: Hello
- Re: I got it! Try it now!
- Re: wazzup bro
- Wazzap bro!!
The body text can be one of the following:
- Greetings! Check out my portfolio, please! Here is some my photos in the archive.
- Greetings. Here is some my nude photos in the attachment.
- Hello bro! Here is my new girlfriend's photo! Check it out!
- Hello buddy! Take a look at attachment! Here is my nude 17-yr sister!
- Hello! Here is NEW smiles pack for MSN messenger! It is really cool ;)
- Hello! I sent you new skype plug-in, as you wished.
- Hello! There is NEW plug-in for MSN. Try it out!
- Hey bro! Check out attachment! There is a new plug-in for skype!
- Hey dear! Here is my photos, as I promised.
- Hey friend! Try this new smiles pack for MSN messenger!
- Hey man! Take a look at attachment!
- Whatz up man! There is my nude 17-yr sister in the attachment!
The infected attachment name can be any of the following:
Infected attachments can have the following extensions:
The worm spoofs (fakes) the sender's e-mail address. The following user names are used to compose the fake sender's address:
The following domain names are used to compose the fake sender's address:
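Because the sender address is spoofed, blocking on the From header is ineffective; a mail-gateway rule has to key on the parts of the message the worm cannot vary much, namely the fixed subject lines and body phrases above combined with an executable attachment. The filter below is an added example and not F-Secure's or the worm's code. It uses the subject and body texts quoted in this description; the attachment extension list and the sender names and domains are not reproduced on this page, so a generic set of Windows executable extensions is assumed and the addresses in the constructed sample messages are placeholders.

```python
"""Gateway-style detection of the Gurong.A e-mail lure.

Added example. A message is quarantined when it carries a directly executable
attachment together with at least one lure indicator (a known subject line or a
characteristic body phrase). Subject/body strings come from the description;
the executable extension set is an assumption, as the page's own list is absent.
"""
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the description, normalised to lower case.
GURONG_SUBJECTS = {
    "hello friend ;)", "hey dear!", "re: hello",
    "re: i got it! try it now!", "re: wazzup bro", "wazzap bro!!",
}

# Phrases that recur in the quoted body texts and are rare in legitimate mail.
GURONG_BODY_PHRASES = (
    "nude 17-yr sister", "smiles pack for msn", "plug-in for skype",
    "skype plug-in", "plug-in for msn", "nude photos in the attachment",
)

# Assumption: the description's extension list is not on this page, so a
# generic set of directly executable Windows extensions is used instead.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def lure_indicators(raw: bytes) -> tuple[list[str], bool]:
    """Return (lure reasons, has_executable_attachment) for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []

    # Collapse whitespace so folded or re-wrapped headers still match.
    subject = " ".join((msg["Subject"] or "").split()).lower()
    if subject in GURONG_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    for phrase in GURONG_BODY_PHRASES:
        if phrase in text:
            reasons.append(f"body contains lure phrase {phrase!r}")
            break

    has_executable = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            has_executable = True
            reasons.append(f"executable attachment {name!r}")
    return reasons, has_executable


def verdict(raw: bytes) -> str:
    """'quarantine' when an executable attachment is paired with a lure indicator."""
    reasons, has_executable = lure_indicators(raw)
    lure_hits = [r for r in reasons if not r.startswith("executable attachment")]
    return "quarantine" if has_executable and lure_hits else "deliver"


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message; addresses are placeholders, not the worm's values."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed placeholder
    m["To"] = "recipient@example.invalid"  # constructed placeholder
    m["Subject"] = subject
    m.set_content(body)
    # A few bytes of a fake PE header stand in for the real attachment.
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Re: I got it! Try it now!",
                        "Hello! Here is NEW smiles pack for MSN messenger! It is really cool ;)",
                        "smiles.exe")
    print(verdict(lure), lure_indicators(lure)[0])
    clean = build_sample("Quarterly report", "Attached as discussed.", "report.pdf")
    print(verdict(clean))
```

Requiring the executable attachment as well as a lure indicator keeps a legitimate "Re: Hello" reply from being quarantined, while a message that reuses the worm's wording but carries no executable is still delivered.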
Propagation (File sharing)
The worm copies itself to the shared folder of the peer-to-peer Kazaa client, with the following names:
The extensions of the copied files are randomly selected from the following variants:
F-Secure Anti-Virus detects this malware with the following update: