[email protected]

Aliases: W32/Gruel-A, W32/[email protected], Win32.Gruel, WORM_GRUEL, [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, Europe, North and South America
Removal: Hard
Platform: W32
Discovered: 13 Jul 2003
Damage: High

Characteristics: This malware makes use of the email messaging service as well as the file sharing networks on the Internet as transport mechanisms for the spread of its codes. The [email protected] sends email messages to unsuspecting computer users convincing them to install an attachment which is supposedly a removal tool for this malware. According to some antivirus vendors however, no such tool currently exists that is specific to this threat.

More details about [email protected]

A computer system experiencing infection from the [email protected] malware will be experience missing critical batch, executable, and command files among others from the hard drive. The files which are attempted to be deleted by this malware normally are part of the monitoring tools of the operating system. After the successful deletion of the targeted files the [email protected] will proceed by creating its own executable file as well as dropping of a spiked executable file in the shared folder of the Peer to Peer file sharing application. This file will be presented by the malware as a type of key generator application for a variant of the Windows Operating System platform. It also modifies relevant key values in the Windows Registry.

The [email protected] will display a fake message alerting of a bogus error on the operating system. A new window will be displayed asking the computer user to send the details to the developer. Upon clicking on the send button the routine will enter into a continous loop. The [email protected] will then open multiple Control Panel windows and eject the optical media drive of the infected machine. The System Tray, Task Bar, and the icon for the main hard drive will be hidden by this malware. A message from the author of the [email protected] will also be displayed on screen.