W32/Fakerr@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 07/16/2003
Length: 102,400 bytes
Minimum DAT: 4267 (05/28/2003)
Updated DAT: 4267 (05/28/2003)
Minimum Engine: 5.1.00
Description Added: 07/16/2003
Description Modified: 07/21/2003 9:48 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--Update July 21, 2003--
AVERT has received 5 more variants of this worm. All eight known variants are proactively detected as W32/GenericP2P.worm, and have been since the 4267 DATs for users with the 4.2.40 engine or later. (It has been proactively detected as New Worm with the 4174 DATs or later with the 4.1.60 engine.)
--

--Update July 16, 2003--
The risk assessment of this threat was updated to Low-Profiled due to media attention.
--

To date AVERT has received 8 variants of this virus.

This is a mass mailing worm that spreads via mailing itself to addresses in the Outlook address book, and sharing itself over the KaZaa peer-to-peer file sharing network. It modifies various system settings, and attempts to delete system files.

Note: All three variants are proactively detected as W32/GenericP2P.worm, and have been since the 4267 DATs for users with the 4.2.40 engine or later. The 4277 DATs (release date 16th July 2003) will include repair of some of the Registry modifications made by this virus.

(It has been proactively detected as New Worm with the 4174 DATs or later with the 4.1.60 engine.)

Differences between Variants

Messaging

The message sent out to all users in the MS Outlook address book by Variants A, B and D is as follows:

The following is an example of the message generated by Variants C, E, F, G and H:
Registry

The registry keys modified by Variants A, B and D are as follows:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MediaPath"="C:\Proyecto1.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Rundll32"="C:\Proyecto1.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX "DevicePath"="C:\Proyecto1.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP "NetCache"="C:\Proyecto1.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ProxyDevice"="C:\Proyecto1.exe"

The registry keys modified by Variant C are as follows:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MediaPath"="C:\Rundll32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Rundll32"="C:\Rundll32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX "DevicePath"="C:\Rundll32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP "NetCache"="C:\Rundll32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ProxyDevice"="C:\Rundll32.exe"

The registry keys modified by Variants E, F, G and H are as follows:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MediaPath"="C:\Root.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Rundll32"="C:\Root.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX "DevicePath"="C:\Root.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SETUP "NetCache"="C:\Root.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "ProxyDevice"="C:\Root.exe"

The behaviour from this point on is common to all variants.

When executed, the following fake message box is displayed:

If the 'Send Error' option is selected, the virus begins mailing everyone in the user's Microsoft Outlook address book.

If the 'Send and Close' option is selected, the virus opens multiple 'Control Panel' windows.

The following message is displayed, and it cannot be moved or closed.

  • The CD tray is opened.
  • The System Tray disappears.
  • The 'Run' option from the START menu also disappears.
  • The user is unable to see drive C.

The following files/folders are deleted:

C:\Autoexec.bat
C:\Config.sys
C:\Rundll32.exe
C:\WINNT\system
C:\windows\system
C:\WINNT\system32
C:\windows\system32
C:\inetpub\wwwroot - (Variants F, G and H only)

C:\WINNT\System32\Ntoskrnl.exe
C:\WINNT\System32\Command.com
C:\WINNT\Regedit.exe
C:\Windows\System32\Ntoskrnl.exe
C:\Windows\System32\Command.com
C:\Windows\Regedit.exe
C:\WINNT\System32\*.exe
C:\WINNT\System32\*.com
C:\WINNT\System32\*.ocx
C:\Windows\System32\*.dll
C:\Windows\System32\*.ocx
C:\Windows\System32\*.exe
C:\Windows\System32\*.com
C:\WINNT\Program Files\Norton AntiVirus\NAVW32.exe - (Variants E, F, G and H only)
C:\windows\Program Files\Norton AntiVirus\NAVW32.exe - (Variants E, F, G and H only)

It copies itself as either C:\Rundll32.exe or C:\Root.exe and as the following:

  • C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
  • C:\Winnt\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe
  • C:\windows\Program Files\Kazaa\My Shared Folder\Matrix Reloaded 2 Avi.exe
  • C:\Winnt\Program Files\Kazaa\My Shared Folder\Matrix Reloaded 2 Avi.exe

On NT4, Windows 2000 and XP systems, the virus makes an additional copy of itself as C:\Winnt\Rundll33.exe.

The values of the following registry keys are modified:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command

This results in execution of the virus whenever any file with the extension EXE, BAT, HTA, PIF or COM is executed.

The window title for Internet Explorer is changed to:

"kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!! "

The values of the following registry keys are set to 1:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDrives"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun"

The following registry key is also present:

  • HKEY_CURRENT_USER\Software\kIlLeRgUaTe 1.03
Symptoms

  • Existence of the filenames and Registry modifications detailed above
  • Display of the dialogs presented above
  • Outgoing mail matching the characteristics described above
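One way to check a suspect machine's exported registry for the modifications listed above, as an added example that is not AVERT's or McAfee's code: it parses a Regedit .reg export offline and assumes the hijacked shell\open\command values simply point at the dropped copy (the description does not give their exact format).

```python
# Added example, not McAfee's code: scan a Regedit .reg export for the registry indicators above.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_VALUES = [(CV + r"\Run", "MediaPath"), (CV + r"\RunOnce", "Rundll32"),  # startup hooks
              (CV + r"\RunOnceEX", "DevicePath"), (CV + r"\SETUP", "NetCache"), (CV, "ProxyDevice")]
DROPPED_FILES = {r"c:\proyecto1.exe", r"c:\rundll32.exe", r"c:\root.exe"}  # per-variant copies
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUES = ("NoDrives", "NoFind", "NoRun")
MARKER_KEY = r"HKEY_CURRENT_USER\Software\kIlLeRgUaTe 1.03"
HIJACKED_CLASSES = ("exefile", "comfile", "batfile", "piffile", "htafile")

def parse_reg_export(text):
    """Parse .reg text into {key: {name: value}}; names lowercased since the registry is case-insensitive."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, raw = line.partition("=")  # '@' names the key's default value
            if raw.startswith("dword:"):
                current[name.strip('"').lower()] = int(raw[6:], 16)
            else:  # .reg escapes backslashes and quotes inside string values
                current[name.strip('"').lower()] = raw.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_indicators(reg):
    """List each Fakerr indicator present in a parsed export."""
    found = []
    for key, name in RUN_VALUES:
        value = str(reg.get(key.lower(), {}).get(name.lower(), ""))
        if value.lower() in DROPPED_FILES:
            found.append(f"startup hook {key}\\{name} -> {value}")
    for name in POLICY_VALUES:
        if reg.get(POLICY_KEY.lower(), {}).get(name.lower()) == 1:
            found.append(f"Explorer policy {name} set to 1")
    if MARKER_KEY.lower() in reg:
        found.append(f"marker key present: {MARKER_KEY}")
    for cls in HIJACKED_CLASSES:  # shell\open\command pointing at a dropped copy
        cmd = str(reg.get("hkey_classes_root\\" + cls + "\\shell\\open\\command", {}).get("@", ""))
        if any(path in cmd.lower() for path in DROPPED_FILES):
            found.append(f"{cls} open command hijacked: {cmd}")
    return found

# Constructed sample export (not a real capture); the hijacked command format is an assumption.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaPath"="C:\\Root.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\kIlLeRgUaTe 1.03]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Root.exe\" \"%1\" %*"'''
```

Running `find_indicators(parse_reg_export(SAMPLE_REG))` on the constructed sample reports the Run hook, the NoRun policy, the marker key and the exefile hijack; an export from a clean machine returns an empty list.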

Method of Infection

The worm installs and propagates from the victim machine when run. It is likely to be received via email, or through the KaZaa P2P file sharing network.

The worm uses Outlook to mail itself to recipients listed in the Outlook address book.

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Gruel@MM (Symantec)
  • WORM_GRUEL (Trend)
  • WORM_GRUEL.A
  • WORM_GRUEL.B
  • WORM_GRUEL.C
  • WORM_GRUEL.D
  • WORM_GRUEL.E
  • WORM_GRUEL.F
  • WORM_GRUEL.G
  • WORM_GRUEL.H
