Summary

Worm:W32/Gurong.A worm in e-mails and in Kazaa shared folders. It has a rootkit functionality.This worm appeared on the 21st of March 2006.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Installation

After the worm's file is run, it copies itself to the Windows System folder as wmedia16.exe and creates a startup key value for this file in the registry.

Rootkit

The worm is able to hide the following items:

• Processes
• Files
• Registry keys and values

When the worm is active, it hides its own process, file and launch point in the registry.The worm installs a call gate through \Device\PhysicalMemory to execute part of its code in kernel mode (ring 0). The kernel-mode code replaces the following function pointers from the system service table:

• NtClose
• NtCreateFile
• NtEnumerateKey
• NtEnumerateValueKey
• NtOpenFile
• NtQueryDirectoryFile

This allows it to hide files, registry keys and values. In addition, the worm is able to modify kernel-mode process structures to hide any process it specifies.

Propagation (E-mail)

Before spreading, the worm looks for e-mail addresses in the victim's Windows Address Book (WAB) file and also in files with the following extensions:

• adb
• asp
• dbx
• htm
• php
• pl
• sht
• tbb
• txt
• wab

The worm ignores e-mail addresses that contains any of the following substrings:

• .aero
• .gov
• .mil
• accoun
• AccountRobot
• acketst
• admin
• alert
• anyone
• arin.
• avp
• berkeley
• borlan
• bsd
• bsd
• bugs
• ca
• certific
• contact
• example
• feste
• fethard
• fido
• foo.
• fraud
• fsf.
• gnu
• gold-certs
• google
• google
• gov.
• help
• hotmail
• iana
• ibm.com
• icrosof
• icrosoft
• ietf
• info
• inpris
• isc.o
• isi.e
• kernel
• linux
• linux
• listserv
• math
• me
• mit.e
• mozilla
• msn.
• mydomai
• no
• nobody
• nodomai
• noone
• not
• nothing
• ntivi
• page
• panda
• pgp
• postmaster
• privacy
• rating
• rfc-ed
• ripe.
• root
• ruslis
• samples
• secur
• sendmail
• service
• site
• soft
• somebody
• someone
• sopho
• submit
• support
• syma
• tanford.e
• the.bat
• unix
• unix
• usenet
• utgers.ed
• webmaster
• webmoney
• you
• your

The worm then constructs the e-mail message used to deliver the worm's file by using the following "building blocks". The subject of the message can be one of the following:

• Greetings!
• Hello friend ;)
• Hey dear!
• Re: Hello
• Re: I got it! Try it now!
• Re[2]: wazzup bro
• Wazzap bro!!

The body text can be one of the following:

• Greetings! Check out my portfolio, please! Here is some my photos in the archive.
• Greetings. Here is some my nude photos in the attachment.
• Hello bro! Here is my new girlfriend's photo! Check it out!
• Hello buddy! Take a look at attachment! Here is my nude 17-yr sister!
• Hello! Here is NEW smiles pack for MSN messenger! It is really cool ;)
• Hello! I sent you new skype plug-in, as you wished.
• Hello! There is NEW plug-in for MSN. Try it out!
• Hey bro! Check out attachment! There is a new plug-in for skype!
• Hey dear! Here is my photos, as I promised.
• Hey friend! Try this new smiles pack for MSN messenger!
• Hey man! Take a look at attachment!
• Whatz up man! There is my nude 17-yr sister in the attachment!'

The infected attachment name can be any of the following:

• body
• conf_data
• doc
• document
• i_love_u
• i_luv_u
• port_imgs
• sex_girls
• sex_pics

Infected attachments can have the following extensions:

• bat
• cmd
• exe
• pif
• scr

The worm spoofs (fakes) the sender's e-mail address. The following user names are used to compose the fake sender's address:

• adam
• alex
• alexey
• alice
• andrew
• anna
• bob
• boris
• brenda
• brent
• brian
• claudia
• craig
• cyber
• dan
• dave
• david
• debby
• den
• dmitry
• frank
• george
• gerhard
• helen
• ilya
• james
• jane
• jayson
• jerry
• jim
• jimmy
• joe
• john
• jose
• julie
• kevin
• lee
• leo
• linda
• linda
• maria
• marina
• mary
• matt
• michael
• mike
• nikolay
• olga
• peter
• ray
• robert
• sam
• sandra
• serg
• smith
• steve
• tom
• vlad
• vladimir

The following domain names are used to compose the fake sender's address:

• aol.com
• earthlink.net
• hotmail.com
• msn.com
• yahoo.com

Propagation (File sharing)

The worm copies itself to the shared folder of the peer-to-peer Kazaa client, with the following names:

• 0day_patch
• dcom_patches
• icq5
• lsas_patches
• msblast_patches
• office_crack
• skype_video
• strip-girl4.0c
• trillian_crack_all
• winamp5
• xp_activation

The extensions of the copied files are randomly selected from the following variants:

• bat
• exe
• pif
• scr

Registry Modifications

Creates these keys:

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WMedia16" = "%WinSysDir%\wmedia16.exe"

Detection

F-Secure Anti-Virus detects this malware with the following update:
Database:2006-03-21_03