W32/Gluber.b@MM

Type
Virus
SubType
E-mail
Discovery Date
12/22/2003
Length
19,526 bytes
Minimum DAT
4311 (12/24/2003)
Updated DAT
4311 (12/24/2003)
Minimum Engine
5.1.00
Description Added
12/31/2003
Description Modified
12/31/2003 11:09 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chron.com/cs/CDA/ssistory.mpl/business/2328449

This mass-mailing worm contains a remote access component that allows a remote attacker to carry out tasks on an infected system. The worm spreads via email and accessible network shares.

Email propagation
The worm harvests email addresses from an infected system, by parsing files with the following extensions:

  • .VCF   
  • .ODS   
  • .NCH   
  • .TBB   
  • .MMF   
  • .MBX   
  • .DBX   
  • .ASP   
  • .JSE   
  • .EML   
  • .HTML  
  • .HTM   
  • .MHT  
  • .TXT 

The worm contains its own SMTP engine, and sends infected email messages via the SMTP server specified in the Internet Account Manager.  Those messages are sent as follows:

Subject: (one of the following)

  • nice job!  
  • oh wow 
  • Too easy   
  • Spend Money
  • Update 
  • Your resume
  • you are!   
  • great! 
  • Re: plz!   
  • Need help! 
  • Buy 1 Free 2   
  • hello  
  • Warning!   
  • News!  
  • Bussiness  
  • Hack me!   
  • Report!
  • Free porn! 
  • Bad news!  
  • Hi!

Body: (one of the following)

  • A message you have received has been converte to an attachment. I sorry cause that problem.
  • Hello friend,
    I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!
  • Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!

    Orlian Jieg
  • For the truth of love! I have suprise to you! Please baby forgive me!

    Ronn Elika
  • Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem!
    By
    Alex Pravoks

Attachment: (one of the following)

  • problem
  • help
  • multi
  • computers  
  • magazine   
  • image  
  • pictures   
  • fees   
  • request
  • brand  
  • collection 
  • credit 
  • card   
  • text   
  • music  
  • video  
  • news   
  • document   
  • logfile
  • quiz   
  • readme
  • setup

(followed by one of the following extensions)

  • .bat   
  • .com   
  • .exe   
  • .pif   
  • .scr

System modifications
When the attachment is run, the worm copies itself to the WINDOWS SYSTEM (%SysDir%) directory as djfgucxr.exe. On Windows 9x/ME a SYSTEM.INI key is created to load the worm at startup:

  • shell = Explorer.exe djfgucxr.exe

On WindowsNT/2K/XP this equates to a registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe djfgucxr.exe
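
The two startup hooks above can be audited from a script. The following is an added example (not McAfee's tooling): it parses a SYSTEM.INI [boot] section and, on Windows, reads the live Winlogon "Shell" value, reporting any token other than Explorer.exe. The function names and the sample INI text are constructed for this example.

```python
"""Audit the startup hooks W32/Gluber.b sets: the SYSTEM.INI [boot] shell=
line (Win9x/ME) and the Winlogon "Shell" registry value (NT/2K/XP).
On a clean system both contain only Explorer.exe."""
import configparser
import sys

WORM_FILE = "djfgucxr.exe"  # dropped file name given in the advisory


def extra_shell_entries(shell_value: str) -> list[str]:
    """Return every token of a Shell value other than Explorer.exe.
    Clean: 'Explorer.exe' -> []; hooked: 'Explorer.exe djfgucxr.exe' -> ['djfgucxr.exe']."""
    tokens = shell_value.replace(",", " ").split()
    return [t for t in tokens if t.lower() != "explorer.exe"]


def check_system_ini(ini_text: str) -> list[str]:
    """Parse SYSTEM.INI text and return extra entries of [boot] shell=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return extra_shell_entries(cp.get("boot", "shell", fallback="Explorer.exe"))


def check_winlogon_registry() -> list[str]:
    """Read the live Winlogon Shell value; returns [] when not on Windows."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # Windows-only module, imported lazily
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return extra_shell_entries(value)


# Constructed sample: a SYSTEM.INI [boot] section as the worm leaves it.
SAMPLE_INI = "[boot]\nshell=Explorer.exe djfgucxr.exe\nmouse.drv=mouse.drv\n"

if __name__ == "__main__":
    for hit in check_system_ini(SAMPLE_INI) + check_winlogon_registry():
        note = " (matches advisory)" if hit.lower() == WORM_FILE else ""
        print("unexpected shell entry:", hit + note)
```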

Remote access payload
The worm listens on a random TCP port, allowing a remote attacker to take control of the infected system. Once in control, the attacker can perform several actions:

  • Create, rename, and delete directories
  • Copy, move, delete, and execute files
  • Run shell commands
  • Shutdown the system
  • Kill running processes

Process terminating payload
When instructed to do so, the worm can terminate the following running processes:

  • pad
  • task   
  • tool   
  • monitor
  • scan   
  • spy
  • view   
  • Registry   
  • hack   
  • anti   
  • viru   
  • McAfee 
  • Vir
  • Anti   
  • AV 
  • Norton
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVGSERV9.EXE
  • AVKSERV.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPMON.EXE
  • AVPNT.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFIND.EXE
  • CLAW95.EXE
  • CLAW95CT.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CMD.EXE
  • COMMAND.COM
  • DV95.EXE
  • DV95_O.EXE
  • DVP95.EXE
  • ECENGINE.EXE
  • EFINET32.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • FIXBUG.EXE
  • FIXBUGB.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • HH.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMOON.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JED.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCAN.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSCHED.EXE
  • NAVW.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • Norton
  • NOTEPAD.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • REGEDIT.COM
  • REGEDIT.EXE
  • RESCUE.EXE
  • RSTRUI.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • STIMON.EXE
  • SWEEP95.EXE
  • TASKMGR.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSCAN40.EXE
  • VSSTAT.EXE
  • WEBSCAN.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

Network share propagation
The worm copies itself to accessible network shares using random file names consisting of a single letter repeated, followed by .bat, .com, .exe, .pif, or .scr, for example:

  • GGGG.com
  • KKKKKK.pif
  • FFFFFF.exe
  • MMMMMM.pif
  • HHHHHH.exe
  • AAAAAA.pif

Symptoms

  • Presence of strange files using a single letter repeated for a name
  • Presence of the file djfgucxr.exe
  • Unexpected termination of security software
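
The first symptom, repeated-letter file names with one of the five dropped extensions, is easy to sweep for on a mounted share. This is an added example, not part of the advisory; the function names and the sample listing are constructed here, and the pattern accepts any letter repeated two or more times, slightly broader than the six names listed above.

```python
"""Flag file names of the form W32/Gluber.b uses for share propagation:
one letter repeated, plus a .bat/.com/.exe/.pif/.scr extension."""
import os
import re
from typing import Iterable

# Extensions the advisory lists for the share-propagation copies.
DROP_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".scr"}
# A single letter repeated two or more times, e.g. GGGG or KKKKKK.
REPEATED_LETTER = re.compile(r"([A-Za-z])\1+")


def is_gluber_share_name(name: str) -> bool:
    """True for names like GGGG.com or AAAAAA.pif, False for setup.exe or AAAAAA.txt."""
    stem, ext = os.path.splitext(name)
    return ext.lower() in DROP_EXTENSIONS and REPEATED_LETTER.fullmatch(stem) is not None


def find_suspect_names(names: Iterable[str]) -> list[str]:
    """Filter a directory listing down to the suspicious names, order preserved."""
    return [n for n in names if is_gluber_share_name(n)]


def scan_tree(root: str) -> list[str]:
    """Walk a share (or any directory) and return full paths of matching files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for n in find_suspect_names(files):
            hits.append(os.path.join(dirpath, n))
    return hits


# Constructed listing for a stand-alone run; no share access needed.
SAMPLE_LISTING = ["GGGG.com", "KKKKKK.pif", "report.doc", "AAAAAA.txt", "ABAB.exe"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in scan_tree(sys.argv[1]):
            print(path)
    else:
        print(find_suspect_names(SAMPLE_LISTING))  # ['GGGG.com', 'KKKKKK.pif']
```

Run it with a share path as the only argument to walk that share; with no argument it checks the constructed listing.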

Method of Infection

This worm spreads via email, and network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Beglur.b (AVP)
  • W32.Gluber.B@mm (Symantec)
  • W32/Capush.B@mm (F-Secure)
  • Win32.Bugler.B (CA)
  • WORM_GLUBER.B (Trend)
