Worm:W32/Gurong.A is a worm that spreads in e-mails and in Kazaa shared folders. It has rootkit functionality. This worm appeared on the 21st of March 2006.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
After the worm's file is run, it copies itself to the Windows System folder as wmedia16.exe and creates a startup key value for this file in the registry.
The worm is able to hide the following items:
When the worm is active, it hides its own process, file and launch point in the registry. The worm installs a call gate through \Device\PhysicalMemory to execute part of its code in kernel mode (ring 0). The kernel-mode code replaces the following function pointers in the system service table:
This allows it to hide files, registry keys and values. In addition, the worm is able to modify kernel-mode process structures to hide any process it specifies.
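Because the hooked service table filters what the live system reports, a defender cannot rely on a single view of the machine. The script below is an added example, not part of F-Secure's description: it checks a registry export for a Run value pointing at the file name the description gives (wmedia16.exe), and then applies the cross-view idea to process lists, reporting any process present in a low-level enumeration but missing from the API-level one. The registry export text, process names and PIDs are constructed sample data; the assumption is that the export and the low-level enumeration are taken from a source the rootkit does not filter (an offline hive read from clean boot media, or a scanner that walks kernel structures instead of calling the hooked services), since a live export from an infected machine would simply omit the hidden value.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export standing in for an offline hive export of the Run
# keys. Only the wmedia16.exe path comes from the description; the other
# entries are benign filler.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\system32\\soundman.exe"
"wmedia"="C:\\WINDOWS\\system32\\wmedia16.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe"
"""

# File name the description associates with the worm's copy in the System folder.
INDICATOR_FILENAMES = {"wmedia16.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4-style export into {key_path: {value_name: string_data}}.

    Only quoted string values are kept; other value types and the default
    value (@=...) are ignored, which is enough for Run keys.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicator_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for Run values whose executable name is an indicator."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            exe = data.rsplit("\\", 1)[-1].lower()
            if exe in INDICATOR_FILENAMES:
                hits.append((key, name, data))
    return hits


# Constructed process snapshots. API_VIEW is what a hooked enumeration would
# report; LOW_LEVEL_VIEW is what an unfiltered walk of kernel structures
# would report. The PIDs and names are sample data, not observed values.
API_VIEW: Dict[int, str] = {4: "System", 612: "csrss.exe", 1184: "explorer.exe"}
LOW_LEVEL_VIEW: Dict[int, str] = {**API_VIEW, 1460: "wmedia16.exe"}


def hidden_processes(api_view: Dict[int, str], low_level_view: Dict[int, str]) -> List[Tuple[int, str]]:
    """Cross-view check: processes the low-level view has but the API view lacks.

    A process hidden by modifying kernel process structures or by filtering
    the hooked enumeration service shows up here as a discrepancy.
    """
    return sorted((pid, name) for pid, name in low_level_view.items() if pid not in api_view)


if __name__ == "__main__":
    for key, name, data in find_indicator_run_values(SAMPLE_REG_EXPORT):
        print(f"suspicious launch point: [{key}] {name} = {data}")
    for pid, name in hidden_processes(API_VIEW, LOW_LEVEL_VIEW):
        print(f"process hidden from API view: pid={pid} name={name}")
```

The same discrepancy approach applies to files and registry keys: an offline enumeration of the System folder or of the Run keys compared with what the live, hooked system reports will show the hidden items as entries present in one view and absent from the other.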
Before spreading, the worm looks for e-mail addresses in the victim's Windows Address Book (WAB) file and also in files with the following extensions:
The worm ignores e-mail addresses that contain any of the following substrings:
The worm then constructs the e-mail message used to deliver the worm's file by using the following "building blocks". The subject of the message can be one of the following:
The body text can be one of the following:
The infected attachment name can be any of the following:
Infected attachments can have the following extensions:
The worm spoofs (fakes) the sender's e-mail address. The following user names are used to compose the fake sender's address:
The following domain names are used to compose the fake sender's address:
The worm copies itself to the shared folder of the peer-to-peer Kazaa client, with the following names:
The extensions of the copied files are randomly selected from the following variants:
The worm creates the following registry keys:
F-Secure Anti-Virus detects this malware with the following update: