W32.Glupzy.A


Aliases: Troj/Glupzy-A, W32/Glupzy-D, Email-Worm.Win32.Brontok.N, Win32.Dzan.A, Backdoor:Win32/Glupzy.A
Variants: BackDoor-DIY!c038f8e3c380, Trojan.Win32.Disabler.i, WORM_FLASHY.B, Win-Trojan/Disabler.21185, Trojan-PWS.OnlineGames.AHRG

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Australia
Removal: Easy
Platform: W32
Discovered: 21 Jul 2006
Damage: Low

Characteristics: The W32.Glupzy.A has been identified to resort to removable as well as shared network drives as transport mechanisms for the spreading of its malicious codes. This particular threat has been identified to modify the password for the administrator account possibly in an attempt to complicate its removal and gain more control over the infected computer system. As part of its payload, it opens an undocumented backdoor for its author and simultaneously disables critical system protection.

More details about W32.Glupzy.A

When the W32.Glupzy.A successfully penetrates the defenses of a targeted computer system, it begins its execution by dropping an executable file into the same folder where the system files are stored. This is an attempt to conceal its presence and gain the appearance of a legitimate file. It also creates its own registry key values in order to have the functionality of launching together with the operating system of the infected machine. As part of its payload delivery routine, the W32.Glupzy.A may launch a shell execute for all downloaded or even existing files found in the computer system. The W32.Glupzy.A uses the AdminitdHator name to initiate Telnet services of the machine and at the same time uses the word "hacked" as the new administrator password.

The payload delivery routine of the W32.Glupzy.A malware also scans the host computer system for the presence of the drive letters D to J. Once found, it copies an instance of itself which will automatically launch the malware when the drive is accessed. Even the folders and directories on the main hard drive are not spared. Usually the W32.Glupzy.A will create an instance of itself using the name of the folder or directory where it is saved. To further its deception, the W32.Glupzy.A will also use the same icon of the folder for its executable.