W32.Gudek


Aliases: W32/Tiotua-P, W32/YahLover.worm.gen, W32.Yautoit.N, Worm.AutoIt!sd5, Worm:Win32/Sohanad.M
Variants: IM-Worm.Win32.Sohanad.bm, W32/SillyFDC-G, Mal_AUMAL-2, Worm:Win32/Nuqel.A, Virus.Win32.Alman

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Moderate
Geographical info: Europe, Asia, North America
Removal: Easy
Platform: W32
Discovered: 18 Jan 2008
Damage: Low

Characteristics: This worm uses the removable and fixed storage devices found on an infected computer to spread its code. It may also target unprotected or weakly protected network shares, allowing it to compromise other network clients. W32.Gudek is capable of terminating some critical system processes as well as infecting particular file types found on the host system. Its presence usually lowers security settings and affects file integrity.

More details about W32.Gudek

File traces associated with W32.Gudek may take the form of batch, executable, command, system, and information files, among others. These file traces are normally stored in the operating system's own directory. On removable storage devices, W32.Gudek creates an accompanying launch file that allows the malware to execute once an unsuspecting user opens the contents of the drive. On network shares, it usually relies on an executable file that launches the infection automatically when the shared drive is accessed. W32.Gudek also modifies certain Windows Registry keys to enable its other features, such as automatic loading at system boot.

A number of file formats can be infected by this malware. Most threats concentrate on executable files, but W32.Gudek can also infect some archive and multimedia files. Once a file is infected, the text string "Locked by Mr. Guddu" is added to the code of the compromised file. W32.Gudek uses the Simple Mail Transfer Protocol (SMTP) service to send an email message to its author. The message usually identifies the computer name and user name of the compromised machine. Protection applications are terminated by the W32.Gudek malware.
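As an added example, not taken from this page or from any vendor tool, the following Python script walks a directory tree and reports files that carry the text string described above, which gives a defender one way to locate files W32.Gudek has touched. The chunk size, the sample file names and the constructed sample tree are assumptions; the script reads files in chunks with an overlap so a marker that straddles a chunk boundary is still found.

```python
import os
import tempfile
from pathlib import Path

# Text string the page reports being added to files infected by W32.Gudek.
MARKER = b"Locked by Mr. Guddu"


def file_contains_marker(path, marker=MARKER, chunk_size=65536):
    """Return True if `marker` occurs anywhere in the file at `path`.

    The file is read in chunks (chunk_size is an assumed tuning value); the last
    len(marker)-1 bytes of the data seen so far are kept as `tail`, so a marker
    split across two chunks is still matched.
    """
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if marker in window:
                return True
            tail = window[-overlap:] if overlap else b""


def find_marked_files(root, marker=MARKER, chunk_size=65536):
    """Walk `root` and return sorted paths (relative to root) of files carrying `marker`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if file_contains_marker(full, marker, chunk_size):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable files are skipped, not reported as clean
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree (not real malware): one clean executable,
    one executable with the marker appended, and one media file with the marker
    embedded mid-file, as the page says archives and media can also be infected."""
    root = tempfile.mkdtemp(prefix="gudek_scan_")
    Path(root, "clean.exe").write_bytes(b"MZ" + b"\x00" * 100)
    Path(root, "tagged.exe").write_bytes(b"MZ" + b"\x00" * 100 + MARKER)
    Path(root, "sub").mkdir()
    Path(root, "sub", "media.mp3").write_bytes(b"ID3" + b"A" * 10 + MARKER + b"B" * 10)
    return root
```

Running `find_marked_files(build_sample_tree())` on the constructed tree reports only the two tagged files; a small `chunk_size` such as 7 exercises the boundary-straddling case.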