Virus:Worm/Guap.D.1
Date discovered:21/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:57.344 Bytes
MD5 checksum:029126210d7ada36a810bfc546bcfeff
VDF version:6.32.0.33

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Allim
   •  Mcafee: W32/Guap.worm
   •  Kaspersky: IM-Worm.Win32.Guap.d
   •  TrendMicro: WORM_GUAP.D
   •  VirusBuster: Worm.P2P.VB.CII
   •  Bitdefender: Win32.Worm.Denn.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\0penGLD.exe

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "OpenGL Drivers"="%SYSDIR%\0penGLD.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "OpenGL Drivers"="%SYSDIR%\0penGLD.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runservices]
   • "OpenGL Drivers"="%SYSDIR%\0penGLD.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– Windows Live Messenger
– Yahoo Messenger


To:
All entries in the contact list.


Message
The sent message looks like one of the following:

   • wow! me and my friends just got on my new webcam! come watch us: %link%

   • wow.. is this you? %link%

   • found your picture! is this you? %link%

   • haha, this girl got busted so bad.. %link%

   • lmao i cant stop laughing at this! %link%

   • omg... this doesn't look right at all!! %link%

   • this girl is crazy! go look at here - %link%

   • you have to take a look at this, tell me if you can open it - %link%

   • hey, you have to try this out... %link% - removes all the spyware and viruses

   • check this out: %link% - it's live and free

   • omg... i think i just found a pic of you, let me know - %link%


%link%
While the wildcard is one of the following:
   • http://**********.earthlink.net/~nkjdenny/Webcam.exe
   • http://**********.earthlink.net/~nkjdenny/IMS.exe
   • http://**********.earthlink.net/~nkjdneny/RegistryFix.exe

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 Hosts The host file is modified as explained:

– Access to the following domains is effectively blocked:
   • www.symantec.com; symantec.com; securityresponse.symantec.com;
      sarc.com; www.sarc.com; www.sophos.com; sophos.com; www.mcafee.com;
      mcafee.com; liveupdate.symantecliveupdate.com; www.viruslist.com;
      viruslist.com; f-secure.com; www.f-secure.com; f-prot.com;
      www.f-prot.com; kaspersky.com; kaspersky-labs.com; www.avp.com;
      avp.com; www.kaspersky.com; www.networkassociates.com;
      networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
      my-etrust.com; www.my-etrust.com; download.mcafee.com;
      dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
      vil.nai.com; update.symantec.com; updates.symantec.com; us.mcafee.com;
      liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
      trendmicro.com; www.trendmicro.com; housecall.trendmicro.com;
      pandasoftware.com; www.pandasoftware.com; free.grisoft.com;
      www.grisoft.com; grisoft.com; clamav.net; www.clamav.net; free-av.com;
      www.free-av.com; www.avast.com; avast.com; cert.org; www.cert.org;
      www.microsoft.com; microsoft.com; www.virustotal.com; virustotal.com;
      update.microsoft.com; windowsupdate.microsoft.com




The modified host file will look like this:


 Process termination  List of services that are disabled:
   • sharedaccess
   • wuauserv

 File details Programming language:
 The malware program was written in Visual Basic.

Description inserted by Razvan Olteanu on Friday, September 23, 2005
Description updated by Razvan Olteanu on Monday, October 3, 2005

Back . . . .