Trojan-Proxy:W32/Grum.A
| Name : | Trojan-Proxy:W32/Grum.A |
| Category: | Malware |
| Type: | Trojan-Proxy |
| Platform: | W32 |
| Date of Discovery: | March 29, 2007 |
Summary
Trojan-Proxy:W32/Grum.A is malware that is spammed as a link to supposed Internet Explorer downloads.
Disinfection
Detection and Disinfection of Rootkits
If the rootkit is not detected or it is hidden so that FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by themselves to make FSAV rename or delete an infected file. In some special cases, it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our web shop or from our authorized distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copies it back to a hard drive every time it has been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration if any crash or incompatibility issue occurs in the future.
If the rootkit is not detected or it is hidden so that FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by themselves to make FSAV rename or delete an infected file. In some special cases, it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our web shop or from our authorized distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copies it back to a hard drive every time it has been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration if any crash or incompatibility issue occurs in the future.
Additional Details
Trojan-Proxy:W32/Grum.A may arrive in the system as spam e-mail containing an image that links to the real malware.
Here the image associated with the spam:
Click here for details about spam on our weblog.
This malware is hosted in the following links:
Upon execution of Trojan-Proxy:W32/Grum.A it creates a copy of itself in the following path and filename:
Trojan-Proxy:W32/Grum.A uses the following batch file created on the same directory where the malware was to delete the executed copy of itself:
To enable automatic execution upon system boot, it adds the following auto start registry:
Note: %temp% is the temporary windows folder
Trojan-Proxy:W32/Grum.A is a kernel malware that hooks several ntdll APIs to hide its file and process.
Trojan-Proxy:W32/Grum.A serves as a proxy server that communicates to the following address:
Commands from the server may include downloading of files and spamming mails.
Here the image associated with the spam:
Click here for details about spam on our weblog.
This malware is hosted in the following links:
• http://tvz-archive.com/I[REMOVED}.exe
• http://abnoba.net/I[REMOVED]0.exe
Upon execution of Trojan-Proxy:W32/Grum.A it creates a copy of itself in the following path and filename:
• %temp%\winlogon.exe
Trojan-Proxy:W32/Grum.A uses the following batch file created on the same directory where the malware was to delete the executed copy of itself:
• sys.bat
To enable automatic execution upon system boot, it adds the following auto start registry:
• HKCU\\Software\Microsoft\Windows\CurrentVersion\Run
Firewall auto setup = %temp%\winlogon.exe
Firewall auto setup = %temp%\winlogon.exe
Note: %temp% is the temporary windows folder
Trojan-Proxy:W32/Grum.A is a kernel malware that hooks several ntdll APIs to hide its file and process.
Trojan-Proxy:W32/Grum.A serves as a proxy server that communicates to the following address:
• 72.232.49.214
Commands from the server may include downloading of files and spamming mails.