Aliases: I-Worm.Beglur.b, W32/Gluber.b@MM, WORM_GLUBER.B, Win32/HLLW.Burl.B, Email-Worm.Win32.Beglur.b
Variants: Win32.Bugler.B, W32/Capush.B@mm, I-Worm.Beglur.b, Win32.HLLM.Bugler.2, W32/Bugler-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 Dec 2003
Damage: Medium

Characteristics: This threat carries a built-in remote access component that gives its author a means of remotely controlling infected systems. W32.Gluber.B@mm belongs to a family of mass-mailing worms known for harvesting email addresses from the infected machine. Besides booby-trapped email messages, the worm can also spread its code to other systems and network environments through weakly protected network shares.

More details about W32.Gluber.B@mm

Believed to belong to the W32.Gluber@mm malware family, the W32.Gluber.B@mm worm carries its own Simple Mail Transfer Protocol (SMTP) engine, which lets it send email to the harvested addresses without requiring any user intervention. Aside from the Windows Address Book, it may also mine other files that are likely to contain email addresses; the file types commonly observed being scanned include plain text, HTML, ASP, mailbox folders and Java files, among others. The subject lines, message bodies and attachment names used by W32.Gluber.B@mm are drawn from a predefined list believed to be hard-coded into the malware. The attachment extensions vary and include batch (.bat), executable (.exe), screensaver (.scr) and command (.cmd) files, among others.

The remote access functionality of W32.Gluber.B@mm is provided through a backdoor opened on the compromised machine: the worm has been observed listening on port 5373 for further commands from its author. The backdoor often goes undetected because the worm terminates system-monitoring utilities and antivirus processes. Its presence on a compromised machine is typically marked by files with unusual, apparently random filenames, whose extensions may also be random.
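The three behaviours described above (a private SMTP engine, risky executable attachments, and a listener on port 5373) each leave a trace that a defender can hunt for. The following is an added example written for this entry, not code from the original write-up or from any vendor tool: it runs three simple checks over constructed sample logs, namely a Windows netstat listing, a generic key=value firewall connection log and a generic mail-gateway attachment log. The log formats, the sample addresses, the assumption that port 5373 is TCP, and the 10.0.0.2 "approved relay" are all illustrative assumptions; adapt the parsers to what your own tools emit.

```python
"""Hunting for W32.Gluber.B@mm-style activity in host and gateway logs.

Added example, not part of the original entry. Every log format below is
constructed for illustration and must be adapted to real tooling output.
"""
import os
import re
from collections import Counter

# Port the write-up reports the backdoor listening on (assumed TCP here).
BACKDOOR_PORT = 5373
# Attachment types the write-up lists: batch, executable, screensaver, command.
RISKY_EXTENSIONS = {".bat", ".exe", ".scr", ".cmd"}

# Constructed sample: output of `netstat -ano` on a Windows host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:5373           0.0.0.0:0              LISTENING       2316
  TCP    10.0.0.7:5373          198.51.100.9:44123     ESTABLISHED     2316
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed sample: perimeter firewall connection log, key=value fields.
FIREWALL_SAMPLE = """\
2003-12-21T10:01:02Z action=allow proto=tcp src=10.0.0.7 dst=203.0.113.25 dport=25
2003-12-21T10:01:03Z action=allow proto=tcp src=10.0.0.7 dst=10.0.0.2 dport=25
2003-12-21T10:01:05Z action=allow proto=tcp src=10.0.0.9 dst=198.51.100.17 dport=25
2003-12-21T10:01:09Z action=allow proto=tcp src=10.0.0.7 dst=192.0.2.44 dport=80
"""

# Constructed sample: mail-gateway attachment log, key=value fields.
MAILLOG_SAMPLE = """\
msgid=a1 from=alice@example.test to=bob@example.test attach=report.pdf
msgid=a2 from=carol@example.test to=dave@example.test attach=readme.exe
msgid=a3 from=carol@example.test to=erin@example.test attach=photo.scr
msgid=a4 from=carol@example.test to=frank@example.test attach=notes.txt
msgid=a5 from=carol@example.test to=grace@example.test attach=setup.BAT
"""

# TCP listener lines: local addr:port ... LISTENING pid
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def parse_kv(line):
    """Turn 'k=v k=v ...' tokens on a log line into a dict (other tokens ignored)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_backdoor_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return (local_address, pid) for every TCP listener bound to `port`."""
    return [(addr, int(pid))
            for addr, p, pid in NETSTAT_RE.findall(netstat_text)
            if int(p) == port]


def find_direct_smtp(firewall_text, approved_relays):
    """Map each internal host to the non-relay destinations it spoke SMTP to.

    A worm carrying its own SMTP engine delivers straight to the recipients'
    mail exchangers instead of the organisation's relay; normal clients do not.
    """
    offenders = {}
    for line in firewall_text.splitlines():
        f = parse_kv(line)
        if f.get("proto") == "tcp" and f.get("dport") == "25" \
                and f.get("dst") not in approved_relays:
            offenders.setdefault(f["src"], set()).add(f["dst"])
    return offenders


def flag_risky_attachments(maillog_text, extensions=RISKY_EXTENSIONS):
    """Return (msgid, sender, attachment) for attachments with a risky extension."""
    hits = []
    for line in maillog_text.splitlines():
        f = parse_kv(line)
        name = f.get("attach", "")
        if os.path.splitext(name)[1].lower() in extensions:
            hits.append((f["msgid"], f["from"], name))
    return hits


def bursty_senders(hits, threshold=3):
    """Senders with at least `threshold` flagged messages: a mass-mailer pattern."""
    counts = Counter(sender for _, sender, _ in hits)
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("backdoor listeners:", find_backdoor_listeners(NETSTAT_SAMPLE))
    print("direct SMTP:", find_direct_smtp(FIREWALL_SAMPLE, {"10.0.0.2"}))
    hits = flag_risky_attachments(MAILLOG_SAMPLE)
    print("risky attachments:", hits)
    print("bursty senders:", bursty_senders(hits))
```

Because the worm kills antivirus and monitoring processes on the host, the netstat check is the least trustworthy of the three: run it from a clean boot environment or trust the network-side evidence (firewall and gateway logs) first. Variants may also change the listening port, so treat 5373 as a starting point rather than the only value worth watching.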