A WORM_GREW Q&A collection

A collection of information on WORM_GREW from various sources:


What are the other names of WORM_GREW?

Based on Securiteam’s FAQ, here is the list of detection names by vendor:

  • Authentium W32/Kapser.A@mm
  • AntiVir Worm/KillAV.GR
  • Avast! Win32:VB-CD [Wrm]
  • AVG Worm/Generic.FX
  • BitDefender Win32.Worm.P2P.ABM
  • ClamAV Worm.VB-8
  • Command W32/Kapser.A@mm (exact)
  • Dr Web Win32.HLLM.Generic.391
  • eSafe Win32.VB.bi
  • eTrust-INO Win32/Blackmal.F!Worm
  • eTrust-VET Win32/Blackmal.F
  • Ewido Worm.VB.bi
  • F-Prot W32/Kapser.A@mm (exact)
  • F-Secure Email-Worm.Win32.Nyxem.e
  • Fortinet W32/Grew.A!wm
  • Ikarus Email-Worm.Win32.VB.BI
  • Kaspersky Email-Worm.Win32.Nyxem.e
  • McAfee W32/MyWife.d@MM (McAfee has an “E” variant)
  • Nod32 Win32/VB.NEI worm
  • Norman W32/Small.KI (W32/Small.KI@mm)
  • Panda W32/Tearec.A.worm (W32/MyWife.E.Worm)
  • QuickHeal I-Worm.Nyxem.e
  • Sophos W32/Nyxem-D
  • Symantec W32.Blackmal.E@mm
  • Trend Micro WORM_GREW.A (Worm_BLUEWORM.E)
  • VBA32 Email-Worm.Win32.VB.bi
  • VirusBuster Worm.P2P.VB.CIL

What is the payload again? From Trend Micro’s WORM_GREW.A description:

On the third day of every month, this worm overwrites all files with the following extension names 30 minutes after the affected system is restarted:

  • DMP
  • DOC
  • MDB
  • MDE
  • PDF
  • PPS
  • PPT
  • PSD
  • RAR
  • XLS
  • ZIP

It overwrites the said files with the following string: DATA Error [47 0F 94 93 F4 K5]
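As an added defensive example (not code from the original page, from Trend Micro, or from Securiteam), the script below walks a directory and reports files with the targeted extensions whose content begins with that marker string, which lets a responder inventory files the payload has already destroyed before attempting restores from backup. The directory layout and sample files it builds are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Marker string the payload writes over the victim files
# (from the Trend Micro description quoted above).
DAMAGE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions targeted by the payload, as listed in the description.
TARGET_EXTENSIONS = {
    ".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps",
    ".ppt", ".psd", ".rar", ".xls", ".zip",
}


def is_overwritten(data: bytes) -> bool:
    """True if the file content starts with the worm's damage marker.

    A real Office, PDF or archive file begins with a format header, never
    with this ASCII string, so a match is a strong sign the payload ran.
    """
    return data[: len(DAMAGE_MARKER)] == DAMAGE_MARKER


def find_overwritten_files(root: str) -> list:
    """Return sorted paths under `root` with a targeted extension and the marker."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTENSIONS:
            with open(path, "rb") as fh:
                head = fh.read(len(DAMAGE_MARKER))  # only the prefix is needed
            if is_overwritten(head):
                hits.append(str(path))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample data (an assumption for the demo): one damaged, two clean."""
    root = tempfile.mkdtemp(prefix="grew_demo_")
    # Constructed: a .doc whose whole content is the marker, as left by the payload.
    Path(root, "report.doc").write_bytes(DAMAGE_MARKER)
    # Constructed: an intact PDF, and a .txt that is not a targeted extension.
    Path(root, "intact.pdf").write_bytes(b"%PDF-1.4\n%...")
    Path(root, "notes.txt").write_bytes(DAMAGE_MARKER)
    return root


if __name__ == "__main__":
    for hit in find_overwritten_files(build_sample_tree()):
        print("damaged:", hit)
```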


How do I know if I’m infected?
Check out the virus description on WORM_GREW.A, or better yet, download and execute Trend Micro’s DCE (Damage Cleanup Engine).
And Microsoft also features a virus description as well as a removal tool.
And oh, do a system scan.


I heard there are millions of infected systems. Is this true?
Actually, no. Not millions. Joe Stewart of LURHQ has released some very interesting analysis and statistics on this worm based on the infection counter (the worm updates a counter on some website). Based on their statistics, the count is much closer to 300,000. India seems to be the most infected country, followed by Peru. And from LURHQ’s Q&A:


Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.
So there.


Sources