W32.Gunsan


Aliases: W32/Gunsan.worm
Variants: W32/Gunsan.worm.b, W32/Gunsan-A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 26 Jun 2002
Damage: Medium

Characteristics: W32.Gunsan belongs to a mass-mailing malware family that can also infect local drives and network shares. As a mass-mailing worm it harvests email addresses stored on the infected system and uses them as targets for further infection. It also opens an unsecured backdoor on the compromised machine, allowing remote control routines to be carried out.

More details about W32.Gunsan

When executed on the infected host, W32.Gunsan extracts an executable file into the operating system's directory. It creates a corresponding value in the Windows Registry for that executable so that the worm is launched at every startup of the system. On some versions of Microsoft Windows, W32.Gunsan runs as a system service in order to remain unnoticed by the user. Using the Internet logs, the malware checks which firewall software is active on the compromised machine. Once a specific firewall application is found, W32.Gunsan creates a batch file that unprotects and removes specific system files.

W32.Gunsan also modifies the operating system's batch file, injecting instructions that are executed at the next boot of the machine. The Windows Hosts file is altered so that access to certain security-related websites is routed back to the local host; this prevents the user from reaching those sites and running an online scan. W32.Gunsan also scans for an available TCP port between 0 and 4999 and records the selected port number, which is used for future connections.
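The Hosts-file tampering described above leaves a simple artifact a defender can check for: hostnames pinned to a loopback address. The following script is an added example, not part of the original entry or of any vendor tool; it parses Hosts-file text and reports every non-localhost name mapped to 127.0.0.1 or ::1. The sample content and the domain names in it are constructed for illustration.

```python
import ipaddress
import sys
from typing import Dict

# Constructed sample Hosts file (not taken from the page): two security-related
# sites have been pinned to the local host, which is the change the entry describes.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # added entry
127.0.0.1       scanner.security-site.example
192.0.2.10      intranet.example   # legitimate entry, not loopback
"""


def loopback_redirects(hosts_text: str) -> Dict[str, str]:
    """Return {hostname: address} for every hostname that a Hosts file maps to a
    loopback address, excluding the standard localhost entries.  Comment-only
    lines, inline comments and blank lines are ignored; one line may list
    several hostnames after the address."""
    found: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address: not a valid entry
        if not addr.is_loopback:  # covers 127.0.0.0/8 and ::1
            continue
        for name in parts[1:]:
            lowered = name.lower()  # hostnames are case-insensitive
            if lowered in ("localhost", "localhost.localdomain"):
                continue  # expected loopback entries
            found[lowered] = parts[0]
    return found


if __name__ == "__main__":
    # Optionally pass a path (on Windows: %SystemRoot%\System32\drivers\etc\hosts).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, addr in loopback_redirects(text).items():
        print(f"suspicious: {host} -> {addr}")
```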