W32.Guapim


Aliases: WORM_GUAP.D, IM-Worm.Win32.Guap.d, W32/Kelvir.worm.gen, Worm/Guap.D.1, W32/Yimp-A
Variants: W32/Generic.worm!p2p, IM-Worm.Win32.Guap.bm, Mal/Generic-A, Virus.Win32.Gaup, Win32/Guap.worm.57344.T

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 23 Aug 2005
Damage: Medium

Characteristics: Described as a memory resident malware, the W32.Guapim makes use of file sharing networks and Instant Messenger clients to spread its codes. It uses the Instant Messaging service to send a link to all contents of the user's contact list. The recipient thinking that the link was sent by a legitimate user will attempt to click it. This will redirect the Web browser to a malicious address where more malware will be downloaded and executed.

More details about W32.Guapim

Initial execution of the W32.Guapim in the infected computer system will cause the creation of an executable trigger file along with a corresponding key value in the Windows Registry which will allow it to automatically load on system boot up. It will also modify security related key values in the Windows Registry in an attempt to lower the protection of the already compromised machine. It then sends a link to all the entries in the contacts list of the Instant Messenger client in an attempt to cause the unintentional downloading and execution of the W32.Guapim malware. Copies of the W32.Guapim will also be placed in the shared folders of Peer to Peer applications in an attempt to use P2P file sharing services.

A copy of the W32.Spybot.Worm will also be downloaded by the W32.Guapim from a predetermined location and execute it in the target machine. The Windows Hosts file will also be modified by this Worm in an attempt to block the user's actions of connecting to security related websites. The presence of the W32.Guapim malware will also prevent the updating of the codes for both the operating system and the security applications present in the infected computer system. This is presumed to be done by the W32.Guapim in order to further complicate its detection and removal from the machine.