Worm/IM.Guap.a - Worm
Virus: Worm/IM.Guap.a
Date discovered: 22/08/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 57.344 Bytes
MD5 checksum: 64B2695C0F8B25A89581C25618E2096B
VDF version: 6.31.1.154
General
Method of propagation:
• Messenger
Aliases:
• Mcafee: W32/Generic.worm!p2p
• Kaspersky: IM-Worm.Win32.Guap.a
• Bitdefender: Win32.Worm.Guap.A
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to certain websites
• Blocks access to security websites
• Lowers security settings
• Registry modification
Files
It copies itself to the following location:
• %SYSDIR%\pkguard32.exe
The following file is created:
– %WINDIR%\hosts
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "PK Guard"="%SYSDIR%\pkguard32.exe"
The following registry keys are re-added continuously, in an infinite loop, in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "PK Guard"="%SYSDIR%\pkguard32.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "PK Guard"="%SYSDIR%\pkguard32.exe"
The following registry keys are changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
Old value:
• "Start"=dword:00000002
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• "Start"=dword:00000002
New value:
• "Start"=dword:00000004
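The persistence entries and service changes listed above can be checked programmatically. The following Python is an added example written for this page, not Avira's code and not part of the worm: find_autostart_entries and find_disabled_services evaluate a registry snapshot held in a plain dict (constructed below to mirror the indicators on this page, with the %SYSDIR% placeholder expanded to a typical system directory), and collect_windows_snapshot is an assumed helper showing how such a snapshot could be gathered on a Windows host with the standard winreg module. A service Start value of 2 means automatic start and 4 means disabled, which is why the change above stops Automatic Updates and the firewall/ICS service.

```python
"""Check a registry snapshot for the Worm/IM.Guap.a persistence entries and
service changes described above. Added example, not Avira's code."""
import sys

# Autostart keys named in the description (hive abbreviations as written there).
AUTOSTART_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Services whose Start value the description says changes from 2 to 4.
WATCHED_SERVICES = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": "Automatic Updates",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": "Internet Connection Firewall / Sharing",
}
START_AUTOMATIC = 2   # SERVICE_AUTO_START
START_DISABLED = 4    # SERVICE_DISABLED


def find_autostart_entries(snapshot, filename="pkguard32.exe"):
    """Return (key, value_name, data) for autostart values whose data mentions `filename`.
    `snapshot` maps a key path to a dict of value name -> data."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if isinstance(data, str) and filename.lower() in data.lower():
                hits.append((key, name, data))
    return hits


def find_disabled_services(snapshot):
    """Return the labels of watched services whose Start value is 4 (disabled)."""
    return [label for key, label in WATCHED_SERVICES.items()
            if snapshot.get(key, {}).get("Start") == START_DISABLED]


def collect_windows_snapshot():
    """Assumed helper: read the keys above with winreg (Windows only).
    Keys that do not exist on the host are simply left out of the snapshot."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in AUTOSTART_KEYS + list(WATCHED_SERVICES):
        hive, subkey = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key absent on this host
            continue
        snapshot[path] = values
    return snapshot


# Constructed snapshot mirroring the page's indicators; %SYSDIR% expanded to a
# typical system directory. Not taken from a real machine.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "PK Guard": r"C:\WINDOWS\system32\pkguard32.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "PK Guard": r"C:\WINDOWS\system32\pkguard32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign entry, must not match
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": START_DISABLED},
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": START_AUTOMATIC},
}

if __name__ == "__main__":
    snapshot = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for key, name, data in find_autostart_entries(snapshot):
        print(f'autostart: [{key}] "{name}"={data}')
    for label in find_disabled_services(snapshot):
        print(f"service disabled: {label}")
```

Run as a script it evaluates the constructed snapshot on non-Windows systems and the live registry on Windows; the match is on the file name inside the value data rather than on the value name "PK Guard", so a renamed value pointing at the same executable is still reported.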
Messenger
It spreads via instant messengers. The characteristics are described below:
– AIM Messenger
– Yahoo Messenger
– Windows Messenger
To: All entries in the contact list.
Message
The sent message looks like the following:
• It repeatedly sends the following line to all of the user's contacts:
Hehe, take a look at this funny game
%link%
%link%
The placeholder %link% stands for the following URL:
• http://**********games.yaboo.dk/Monkye.exe
The URL refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.
Hosts
The hosts file is modified as follows:
– Access to the following domains is effectively blocked:
• www.symantec.com; symantec.com; securityresponse.symantec.com;
sarc.com; www.sarc.com; www.sophos.com; sophos.com; www.mcafee.com;
mcafee.com; liveupdate.symantecliveupdate.com; www.viruslist.com;
viruslist.com; f-secure.com; www.f-secure.com; f-prot.com;
www.f-prot.com; kaspersky.com; kaspersky-labs.com; www.avp.com;
avp.com; www.kaspersky.com; www.networkassociates.com;
networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
my-etrust.com; www.my-etrust.com; download.mcafee.com;
dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
vil.nai.com; update.symantec.com; updates.symantec.com; us.mcafee.com;
liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
trendmicro.com; www.trendmicro.com; housecall.trendmicro.com;
pandasoftware.com; www.pandasoftware.com; www.trendmicro.com;
free.grisoft.com; www.grisoft.com; grisoft.com; clamav.net;
www.clamav.net; free-av.com; www.free-av.com; www.avast.com;
avast.com; cert.org; www.cert.org; www.microsoft.com; microsoft.com;
www.virustotal.com; virustotal.com; update.microsoft.com;
windowsupdate.microsoft.com
The modified host file will look like this:
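The hosts-file tampering described above is straightforward to detect on disk. The following Python is an added example written for this page, not Avira's code and not part of the worm: it parses hosts-file text with the usual edge cases (full-line and inline comments, tabs, several hostnames on one line) and reports every entry for one of the domains listed above. The domain list is the page's; the sample hosts content is constructed, and its 127.0.0.1 and 0.0.0.0 targets are an assumption, since the description does not say where the worm points the entries.

```python
"""Flag hosts-file entries that statically map security-vendor and update
domains, as Worm/IM.Guap.a does. Added example, not Avira's code."""

# The domains listed in the description above; a set, so the page's repeated
# www.trendmicro.com counts once.
BLOCKED_DOMAINS = {d.strip().lower() for d in """
www.symantec.com; symantec.com; securityresponse.symantec.com; sarc.com; www.sarc.com;
www.sophos.com; sophos.com; www.mcafee.com; mcafee.com; liveupdate.symantecliveupdate.com;
www.viruslist.com; viruslist.com; f-secure.com; www.f-secure.com; f-prot.com; www.f-prot.com;
kaspersky.com; kaspersky-labs.com; www.avp.com; avp.com; www.kaspersky.com;
www.networkassociates.com; networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
my-etrust.com; www.my-etrust.com; download.mcafee.com; dispatch.mcafee.com; secure.nai.com;
nai.com; www.nai.com; vil.nai.com; update.symantec.com; updates.symantec.com; us.mcafee.com;
liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com; trendmicro.com;
www.trendmicro.com; housecall.trendmicro.com; pandasoftware.com; www.pandasoftware.com;
free.grisoft.com; www.grisoft.com; grisoft.com; clamav.net; www.clamav.net; free-av.com;
www.free-av.com; www.avast.com; avast.com; cert.org; www.cert.org; www.microsoft.com;
microsoft.com; www.virustotal.com; virustotal.com; update.microsoft.com;
windowsupdate.microsoft.com
""".split(";") if d.strip()}


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text.
    Handles full-line and inline '#' comments, tabs, blank lines and several
    hostnames on one line; a line with an address but no hostname is skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, hostnames = fields[0], fields[1:]
        for host in hostnames:
            yield line_no, address, host.lower().rstrip(".")


def find_hijacked(text, watchlist=BLOCKED_DOMAINS):
    """Return every mapping whose hostname is on the watchlist. The address is
    deliberately not checked: a vendor or update domain should not appear in
    the hosts file at all, whatever it points to."""
    return [(n, addr, host) for n, addr, host in parse_hosts(text) if host in watchlist]


def vendors_affected(hits):
    """Collapse hits to their last two labels for a short per-vendor summary."""
    return sorted({".".join(host.split(".")[-2:]) for _, _, host in hits})


# Constructed hosts content. The 127.0.0.1 / 0.0.0.0 targets are assumed; the
# description does not say where the worm points the entries.
SAMPLE_HOSTS = """\
# constructed sample, not taken from an infected machine
127.0.0.1       localhost
127.0.0.1 www.symantec.com symantec.com securityresponse.symantec.com
127.0.0.1\twww.mcafee.com   # inline comment after a tab-separated entry
0.0.0.0 windowsupdate.microsoft.com update.microsoft.com
192.168.1.10 intranet.example.test
"""

if __name__ == "__main__":
    hits = find_hijacked(SAMPLE_HOSTS)
    for line_no, addr, host in hits:
        print(f"line {line_no}: {host} -> {addr}")
    print("vendors affected:", ", ".join(vendors_affected(hits)))
```

To check a real machine, read the system's hosts file into a string and pass it to find_hijacked; the localhost and intranet entries in the sample show that ordinary static mappings are left alone, and only the names from the list above are reported.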
Process termination
List of services that are disabled:
• Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
• Automatic Updates
Backdoor
The following port is opened:
– %SYSDIR%\pkguard32.exe on a random UDP port
File details
Programming language:
The malware program was written in Visual Basic.
Description inserted by Andrei Gherman on Tue, 23 Aug 2005 08:48 (GMT+1)
Description updated by Oliver Auerbach on Wed, 07 Sep 2005 18:43 (GMT+1)
© 2008 Avira GmbH