Aliases: W32/Glyn.a, W32/Glyn.b, Win32.Glyn, W32/Glyven.A, W32/Glyven.B
Variants: PE_GLYN.A, PE_GLYN.B, Win32/Glyn.A, Win32/Glyn.B, Virus.Win32.Glyn

Classification: Malware
Category: Computer Virus

Status: Dormant
Spreading: Slow
Geographical info: Europe, South America, Asia
Removal: Easy
Platform: W32
Discovered: 02 Jul 2001
Damage: Low

Characteristics: Like most viruses, the W32.Glyn malware has been identified to infect executable files by adding its codes into the target file. This results in the corruption of the file leading to a failure of the associated application to launch. A system infected with this threat not only experiences an increase in the file size of executable file types but also the display of a message box with the contents usually written in Spanish.

More details about W32.Glyn

Majority of malicious authors responsible for the creation of malware flaunt their call signs or names. This is the same case with the W32.Glyn malware wherein the name of the author or designer is included in the message text. Executable files are normally attacked by adding the W32.Glyn codes at the beginning of the file as compared to the more common practice of adding it to the end. According to most antivirus developers, the original contents of the file are not overwritten. However, the adding of the codes in the beginning causes the executable file to abruptly terminate due to what is perceived as code error by the program. After the W32.Glyn displays its textual message, the infected computer system will be immediately shutdown.

By design, this malware does not infect all executable files. The W32.Glyn malware will scan all folders and check the file size of the executables. Only executables files with a size equal or greater than 8,192 bytes will be injected with the malicious codes. The W32.Glyn also avoids infecting executable files with names beginning in EXPL, NET, EMM3, PROG, RUND, 00, AV, and AAAA. It then proceeds to create a new instance of itself and encrypts the original file with its added codes. The new executable file will then be launched to continue with the infection routine.