Aliases: Trojan.Igos, Win32/HLLW.Apler, Worm/Apler, Win32:Apler-ASP, Bck/Ranck.Q
Variants: Worm.Win32.Apler, W32/Apler-A, Win32/Apler.A, TROJ_RANCK.A, Proxy-FBSR.gen.dldr

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 07 Oct 2003
Damage: Low

Characteristics: W32.Gramos is a network-aware worm with built-in functionality for opening an unsecured backdoor on the compromised computer system. According to most antivirus vendors, this threat is closely associated with the arrival of Backdoor.Ranck, a Trojan horse proxy. This means the malware's author can use it to introduce more threats onto the infected machine.

More details about W32.Gramos

Execution of this network worm requires its executable file to be extracted onto the target computer system. Once installed, it creates a corresponding key in the Windows Registry, which allows W32.Gramos to load automatically at every startup of the infected machine. The associated Trojan horse proxy is downloaded from a website address that is hard-coded into the W32.Gramos malware; this website is presumed to be controlled by the author of the threat. The malware launches the Trojan horse proxy's executable immediately after downloading it. W32.Gramos then registers it as a system service to prevent it from being displayed in the task list.

After W32.Gramos has installed its Trojan horse proxy as a system service, it selects a random Internet Protocol (IP) address. It scans this address and makes a list of the registered users on the remote computer system. W32.Gramos then attempts to gain entry into these remote user accounts using a blank password. If successful, it drops an executable file onto the remote machine and schedules a remote execution of the dropped file, which begins the infection of the remote computer system and spreads its code.
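
The propagation sequence above (network logon, executable written to the remote machine, remote execution scheduled) can be hunted for by correlating Windows Security events on the logon session ID. The following is an added example, not part of the original entry: the event records, field names, file name, task name and five-minute window are constructed assumptions, and only the event IDs (4624, 5145, 4698) are real Windows identifiers.

```python
from datetime import datetime, timedelta

NETWORK_LOGON, SHARE_ACCESS, TASK_CREATED = 4624, 5145, 4698  # Windows Security event IDs
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events; simplified field names, not a real export schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T10:00:00", "id": 4624, "logon_id": "0x1a2",
     "logon_type": 3, "user": "Administrator", "src_ip": "192.0.2.10"},
    {"time": "2024-01-10T10:00:05", "id": 5145, "logon_id": "0x1a2",
     "target": "sample.exe", "access": "WriteData"},
    {"time": "2024-01-10T10:00:09", "id": 4698, "logon_id": "0x1a2", "task": "At1"},
    # Benign session: a network logon that only reads a document.
    {"time": "2024-01-10T11:00:00", "id": 4624, "logon_id": "0x2b3",
     "logon_type": 3, "user": "alice", "src_ip": "192.0.2.20"},
    {"time": "2024-01-10T11:00:03", "id": 5145, "logon_id": "0x2b3",
     "target": "report.doc", "access": "ReadData"},
]

def find_spread_sessions(events, window=WINDOW):
    """Return sessions where a network logon wrote an .exe and then created a task."""
    sessions, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == NETWORK_LOGON:
            if ev.get("logon_type") == 3:  # 3 = network logon
                sessions[ev["logon_id"]] = {"start": ts, "user": ev["user"],
                                            "src_ip": ev["src_ip"], "dropped": None}
            continue
        s = sessions.get(ev["logon_id"])
        if s is None or ts - s["start"] > window:
            continue  # not a tracked network session, or too late to correlate
        if (ev["id"] == SHARE_ACCESS and ev["access"] == "WriteData"
                and ev["target"].lower().endswith(".exe")):
            s["dropped"] = ev["target"]  # remember the executable written remotely
        elif ev["id"] == TASK_CREATED and s["dropped"]:
            alerts.append({"src_ip": s["src_ip"], "user": s["user"],
                           "dropped": s["dropped"], "task": ev["task"]})
    return alerts

if __name__ == "__main__":
    for alert in find_spread_sessions(SAMPLE_EVENTS):
        print(alert)
```

Logs cannot show that a password was blank, so the check keys on the drop-then-schedule sequence; accounts without passwords have to be found separately through an account audit.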