
Classification

Category:Malware
Aliases:

Graps, Worm.Win32.Graps, W32/Graps.worm, W32.HLLW.Graps

Summary

The Graps worm was discovered at the beginning of July 2003. It spreads in local networks: it scans the network for vulnerable computers and tries to get access to their IPC$ and ADMIN$ shares by performing a dictionary attack (trying a set of pre-defined weak passwords). If the worm succeeds, it copies itself to the remote computer, activates its file there and deletes the IPC$ and ADMIN$ shares.

Removal

To disinfect a system it is enough to delete the mwd.exe file and the 3 batch files named in the Technical Details section below from the hard disk.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is a 53kb Windows PE executable written in Visual Basic and compressed with the UPX file compressor. The worm spreads itself with the help of the following files:

  • psexec.exe - a utility that allows running processes on remote computers
  • mswinsck.ocx - the standard WinSock library for VB applications
  • wds.bat / wds2.bat - batch files that spread the worm to remote computers (dropped by the worm)
  • wds3.bat / mwd.exe - the worm's executable file

The batch scripts that the worm drops are used to get access to IPC$ and ADMIN$ shares protected by a weak password or by no password at all. When such a share is discovered, the scripts copy the worm's main file mwd.exe, together with the psexec.exe and mswinsck.ocx files, to the \ADMIN$\System32\ folder (the Windows System folder on the remote computer) and start the worm's file remotely with the psexec.exe utility. As a result, the remote computer becomes infected with the worm. After spreading, the worm tries to delete the IPC$ and ADMIN$ shares.

On an infected computer the worm creates a startup key for its file in the System Registry:

  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "Windows Management Instumentation" = "%winsysdir%\mwd.exe"
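The two host artifacts this description gives a responder are the dropped files in the System folder and the Run-key value above. The following Python triage helper, added here as an example and not part of the F-Secure description, checks both: it parses a .reg-style export of the Run key and flags either the misspelled value name the worm uses or any Run value whose target is mwd.exe (so a renamed value is still caught), and it picks the files the Removal section says to delete out of a System32 directory listing. The registry export, the path C:\WINNT\System32 and the directory listing are constructed sample data; the function names are this example's own.

```python
import re
from typing import Iterable, List

# Artifacts named in the description. psexec.exe and mswinsck.ocx are
# legitimate components the worm carries along, so only the worm's own
# files (the ones the Removal section says to delete) are flagged here.
GRAPS_FILES = {"mwd.exe", "wds.bat", "wds2.bat", "wds3.bat"}
# Value name exactly as the description shows it (note the misspelling).
GRAPS_RUN_VALUE = "Windows Management Instumentation"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: a reg.exe-style export. .reg files escape each
# backslash as "\\", which the parser below undoes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Management Instumentation"="C:\\WINNT\\System32\\mwd.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="C:\\WINNT\\System32\\mwd.exe"
'''

# Constructed sample: a System32 directory listing (mixed case on purpose).
SAMPLE_SYSTEM32 = ["kernel32.dll", "mwd.exe", "psexec.exe",
                   "mswinsck.ocx", "WDS2.BAT", "notepad.exe"]


def check_run_key(reg_export: str) -> List[str]:
    """Return one finding per Run value that matches the Graps persistence entry.

    A value matches if its name is the worm's misspelled 'Windows Management
    Instumentation' or if its target file is mwd.exe under any name.
    """
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # key header, e.g. [HKEY_...\Run]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name = m.group(1)
        value = m.group(2).replace("\\\\", "\\")   # undo .reg escaping
        if name == GRAPS_RUN_VALUE or value.lower().endswith("\\mwd.exe"):
            findings.append(f"Run value {name!r} -> {value}")
    return findings


def check_system32_listing(filenames: Iterable[str]) -> List[str]:
    """Return the Graps files present in a System32 listing, lower-cased and sorted."""
    return sorted(f.lower() for f in filenames if f.lower() in GRAPS_FILES)


if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_REG):
        print("persistence:", finding)
    for name in check_system32_listing(SAMPLE_SYSTEM32):
        print("file to remove:", name)
```

Comparing the file name of each Run target, rather than only the value name, is the part worth keeping when reusing this on real exports: the description fixes the path as %winsysdir%\mwd.exe, while the value name is trivially changed by a variant.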

The worm has a few additional features. It listens on a specific port and allows remote hackers to log into it and perform the following actions:

  • perform a DoS (Denial of Service) attack
  • get system information
  • search for specified files on the hard disk
  • redirect traffic (work as a proxy)
  • scan for open ports
