W32.Grifout.Worm


Aliases: I-Worm.Radix.b, W32/Grifout@MM, Worm.Radix, WORM/Heyya.B, Win32:Radix-D
Variants: W32/Grifout.worm.c, Email-Worm.Win32.Radix.d, W32/Dropper-IE, W32/Radix, Win32.Radix.24576

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Australia, North and South America, Asia, Europe
Removal: Easy
Platform: W32
Discovered: 27 Feb 2002
Damage: Low

Characteristics: Written to abuse the Messaging Application Programming Interface (MAPI) of the Microsoft Windows platform, this malware uses the email messaging service to spread its code. W32.Grifout.Worm is capable of hijacking the default email client of the Windows environment, and it may harvest addresses from that client's address book to target other potentially vulnerable computer systems.

More details about W32.Grifout.Worm

Once established on a vulnerable machine, W32.Grifout.Worm loads together with the operating system at startup and remains resident in system memory. It attempts to keep a socket connection to the Internet permanently open; this connection functions as a backdoor through which a remote control client program can take control of the infected computer system. Persistence is achieved through an executable dropped into the operating system folder together with a corresponding key value created for the worm in the Windows Registry. The worm can also use the active Internet connection to update its own code whenever possible.

The update feature is established on the infected computer system by hard-coding the download location into the Windows Registry; this is how the malware tells the compromised system where to fetch updated code. Whenever W32.Grifout.Worm is active, it ties up TCP port 1032 for its exclusive use, so any application that depends on this communication port is abnormally terminated. The worm's author uses this port to send information to, or retrieve it from, the host machine, and the port may also be hijacked by other malware variants.
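The two host-side indicators the description gives, a startup executable registered in the Registry from the operating system folder and a process holding TCP port 1032, can be checked against captured `netstat -ano` output and the contents of a Run key. The following detector is an added example and is not code from the original page or from any vendor; the netstat rows, Run-key values, PIDs and the worm's file/value names are constructed placeholders, since the page does not state the actual dropped file name or registry value.

```python
"""Added example (not from the original page): flag the two W32.Grifout.Worm
indicators described above, a TCP socket bound to port 1032 and an autorun
entry launching an executable from the system folder that is not on a
known-good baseline. All input below is constructed sample data."""
import re
from typing import Dict, List, Tuple

# Port the description says the worm ties up for its exclusive use.
GRIFOUT_PORT = 1032

# Constructed sample in the format of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.10:1032      203.0.113.7:80         ESTABLISHED     1640
  TCP    192.168.1.10:49210     198.51.100.3:443       ESTABLISHED     2288
"""

# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> command).
# "PLACEHOLDER_WORM" stands in for the worm's real value/file name, which the
# page does not give.
SAMPLE_RUN_KEY: Dict[str, str] = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "PLACEHOLDER_WORM": r"C:\WINDOWS\system32\dropped_placeholder.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Constructed baseline of autorun names known to be legitimate on this host.
KNOWN_GOOD_AUTORUNS = {"ctfmon"}
SYSTEM_DIR = r"c:\windows\system32"

_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$"
)
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)', re.IGNORECASE)


def sockets_on_port(netstat_text: str, port: int = GRIFOUT_PORT) -> List[Tuple[int, str, str]]:
    """Return (pid, state, foreign_endpoint) for each TCP socket whose LOCAL port is `port`."""
    hits: List[Tuple[int, str, str]] = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header row or a line we cannot parse
        proto, _laddr, lport, faddr, fport, state, pid = m.groups()
        if proto == "TCP" and int(lport) == port:
            hits.append((int(pid), state, f"{faddr}:{fport}"))
    return hits


def suspicious_run_entries(run_values: Dict[str, str], baseline=KNOWN_GOOD_AUTORUNS) -> List[str]:
    """Names of Run-key entries that launch an executable from the system folder
    but are not on the known-good baseline (the worm drops its file there)."""
    flagged: List[str] = []
    for name, command in run_values.items():
        m = _EXE_RE.match(command)
        if not m:
            continue
        exe_path = m.group(1).lower()
        if exe_path.startswith(SYSTEM_DIR) and name.lower() not in baseline:
            flagged.append(name)
    return flagged


def triage(netstat_text: str, run_values: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks; a PID on port 1032 plus an unknown system-folder
    autorun is the pattern described for this worm."""
    sockets = sockets_on_port(netstat_text)
    return {
        "pids_on_port_1032": sorted({pid for pid, _state, _peer in sockets}),
        "sockets": sockets,
        "suspicious_autoruns": suspicious_run_entries(run_values),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY).items():
        print(f"{key}: {value}")
```

On a live host the same functions would be fed the real `netstat -ano` text and the Run-key values read from the Registry; the baseline set is what keeps legitimate system-folder autoruns such as `ctfmon` from being reported, so it must be built from a known-clean machine rather than from the suspect one.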