Aliases: Gudeb
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Europe, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 01 Dec 2005
Damage: Low

Characteristics: This worm exploits a weakness in a specific File Transfer Protocol (FTP) client application. W32.Gudeb scans the client's initialization (.ini) file to retrieve the FTP accounts stored there, which the malware author can then use for potentially unlawful purposes. On an infected system, directory folders may appear to be missing because the worm can mark them hidden.

More details about W32.Gudeb

W32.Gudeb relies on a design flaw in the FTP client rather than on a code-execution bug: the application stores account credentials in its initialization file under weak, reversible protection, so a local attacker, or any code running on the machine, can read the saved accounts. This exposes sensitive information to unauthorized users and puts the computer user at risk; the loophole lies in the encryption method the application uses for stored passwords. When run, the worm drops an executable into the operating system directory, in most instances under a filename that mimics a legitimate process to give it an air of legitimacy, and creates a Windows Registry key value.
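The weakness described above is a general one: an FTP client that "encrypts" saved passwords with a key built into the program offers no protection against any process that can read the .ini file. The following Python example is added here to illustrate that point; it is not W32.Gudeb's code and not the real client's file format, neither of which this page names. The repeating-key XOR scheme, the CLIENT_KEY value, the section names, the sample accounts and the hosts under reserved example domains are all constructed for the illustration. The second half shows a hardened alternative in which nothing stored in the file is usable without a master password the user supplies per session (PBKDF2 key derivation, HMAC-SHA256 keystream and authentication tag, standing in for a vetted AEAD that the standard library lacks).

```python
"""Illustration of the design flaw W32.Gudeb abuses: FTP accounts stored in a
client's .ini file under reversible "encryption". Constructed example; not the
worm's code and not the real client's format (this page names neither)."""
import configparser
import hashlib
import hmac
import io
import secrets
from typing import List, Optional, Tuple

# --- Weak scheme: repeating-key XOR with a key compiled into the client ---
# Hypothetical stand-in for the kind of obfuscation such clients used. Every
# copy of the program shares CLIENT_KEY, so anything able to read the file can
# recover every saved password; no secret the user controls is involved.
CLIENT_KEY = b"ftpclient"  # constructed value, not a real client's key


def weak_obfuscate(password: str) -> str:
    data = password.encode()
    return bytes(b ^ CLIENT_KEY[i % len(CLIENT_KEY)] for i, b in enumerate(data)).hex()


def weak_deobfuscate(blob: str) -> str:
    data = bytes.fromhex(blob)
    return bytes(b ^ CLIENT_KEY[i % len(CLIENT_KEY)] for i, b in enumerate(data)).decode()


# Constructed sample accounts: reserved example hostnames, invented users.
SAMPLE_ACCOUNTS = [
    ("Work server", "ftp.example.test", "alice", "Summer2005!"),
    ("Home page", "ftp.home.example", "alice", "hunter2"),
]


def build_weak_ini(accounts) -> str:
    """Write the accounts the way a weak client would save them."""
    cp = configparser.ConfigParser(interpolation=None)
    for name, host, user, pw in accounts:
        cp[name] = {"Host": host, "User": user, "Pass": weak_obfuscate(pw)}
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def harvest_weak_ini(ini_text: str) -> List[Tuple[str, str, str]]:
    """What any local process with read access to the file can do: recover
    every account with nothing beyond the key each copy of the client ships."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return [(cp[s]["Host"], cp[s]["User"], weak_deobfuscate(cp[s]["Pass"]))
            for s in cp.sections()]


# --- Hardened form: nothing in the file is usable without a master password ---
# Keys come from PBKDF2 over a per-record salt; HMAC-SHA256 in counter mode
# supplies the keystream and a second HMAC authenticates the record
# (encrypt-then-MAC). This stands in for an AEAD such as AES-GCM, which the
# standard library lacks; on Windows, DPAPI or the Credential Manager is a
# better home for such secrets than any file format.
def _derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def protect(password: str, master: str) -> str:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master, salt)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return (salt + nonce + ct + tag).hex()


def recover(blob: str, master: str) -> Optional[str]:
    """Return the password, or None if the master password is wrong or the
    record was tampered with (the tag is checked before any decryption)."""
    raw = bytes.fromhex(blob)
    if len(raw) < 64:  # salt + nonce + tag at minimum
        return None
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


if __name__ == "__main__":
    ini = build_weak_ini(SAMPLE_ACCOUNTS)
    for host, user, pw in harvest_weak_ini(ini):
        print(f"weak scheme: recovered {user}@{host} -> {pw!r}")
    record = protect("hunter2", master="correct horse battery staple")
    print("hardened, right master:", recover(record, "correct horse battery staple"))
    print("hardened, wrong master:", recover(record, "guess"))
```

The contrast is the point: in the weak scheme the file alone is sufficient, which is exactly what lets a worm with ordinary user privileges walk away with every saved account. The hardened record still depends on the strength of the master password and is exposed while the user has it entered, so on Windows the stronger design is to delegate storage to DPAPI or the Credential Manager rather than to keep secrets in an application-specific file at all.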

While executing, W32.Gudeb displays a message box titled "Read this"; its contents are not readable and look like garbage characters to an ordinary computer user. The worm also modifies the Windows Registry to lower the security settings of the infected system, leaving it more exposed to other threats. If it cannot locate the FTP client's initialization file, W32.Gudeb terminates the FTP application. When it succeeds in harvesting account details, it uses them to upload a copy of itself to other vulnerable machines.