A WORM_GREW Q&A collection

  • Posted: January 31, 2006
  • Threat category: Uncategorized
  • Author: Virus analyst

A collection of information on WORM_GREW from various sources:


What are the other names of WORM_GREW?


Based on SecuriTeam’s FAQ, here is the list of detections:



  • Authentium W32/Kapser.A@mm
  • AntiVir Worm/KillAV.GR
  • Avast! Win32:VB-CD [Wrm]
  • AVG Worm/Generic.FX
  • BitDefender Win32.Worm.P2P.ABM
  • ClamAV Worm.VB-8
  • Command W32/Kapser.A@mm (exact)
  • Dr Web Win32.HLLM.Generic.391
  • eSafe Win32.VB.bi
  • eTrust-INO Win32/Blackmal.F!Worm
  • eTrust-VET Win32/Blackmal.F
  • Ewido Worm.VB.bi
  • F-Prot W32/Kapser.A@mm (exact)
  • F-Secure Email-Worm.Win32.Nyxem.e
  • Fortinet W32/Grew.A!wm
  • Ikarus Email-Worm.Win32.VB.BI
  • Kaspersky Email-Worm.Win32.Nyxem.e
  • McAfee W32/MyWife.d@MM (McAfee has an “E” variant)
  • Nod32 Win32/VB.NEI worm
  • Norman W32/Small.KI (W32/Small.KI@mm)
  • Panda W32/Tearec.A.worm (W32/MyWife.E.Worm)
  • QuickHeal I-Worm.Nyxem.e
  • Sophos W32/Nyxem-D
  • Symantec W32.Blackmal.E@mm
  • Trend Micro WORM_GREW.A (Worm_BLUEWORM.E)
  • VBA32 Email-Worm.Win32.VB.bi
  • VirusBuster Worm.P2P.VB.CIL


What is the payload again?
From Trend Micro’s WORM_GREW.A description:
On the third day of every month, this worm overwrites all files with the following extension names 30 minutes after the affected system is restarted:

  • DMP
  • DOC
  • MDB
  • MDE
  • PDF
  • PPS
  • PPT
  • PSD
  • RAR
  • XLS
  • ZIP

It overwrites the said files with the following string: DATA Error [47 0F 94 93 F4 K5]
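
To assess damage after the trigger date, the payload described above can be checked for directly. The following is an added example, not code from Trend Micro or any of the cited sources: it walks a directory tree and reports files with the targeted extensions whose contents begin with the overwrite string. It assumes the string is written as ASCII at the start of the file, which the description does not specify; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Extensions and marker string as listed in the WORM_GREW.A description above.
TARGET_EXTS = {".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps",
               ".ppt", ".psd", ".rar", ".xls", ".zip"}
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path):
    """True if the file starts with the marker (assumed ASCII at offset 0)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False  # unreadable file: cannot confirm, so not reported as hit


def scan(root):
    """Return sorted (damaged, other) lists of targeted files under root."""
    damaged, other = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue  # the payload only touches the listed extensions
            full = os.path.join(dirpath, name)
            (damaged if is_overwritten(full) else other).append(full)
    return sorted(damaged), sorted(other)


def build_sample_tree(root):
    """Constructed sample data: two overwritten files, three others."""
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.DOC": MARKER,              # overwritten, upper-case ext
        "docs/budget.xls": MARKER + b"\r\n",    # overwritten, trailing bytes
        "docs/manual.pdf": b"%PDF-1.4\n",       # healthy PDF header
        "backup.zip": b"PK\x03\x04",            # healthy ZIP header
        "notes.txt": MARKER,                    # extension not targeted
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Files reported as damaged need to be restored from backup; the scan only identifies them and says nothing about whether the worm is still present on the system.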


How do I know if I’m infected?
Check out the virus description on WORM_GREW.A, or better yet, download and execute DCE.
And Microsoft also features a virus description as well as a removal tool.
And oh, do a system scan.


I heard there are millions of infected systems. Is this true?
Actually, no. Not millions. Joe Stewart of LURHQ has released some very interesting analysis and statistics on this worm based on the infection counter (the worm updates a counter on some website). Based on their statistics, the count is much closer to 300,000. India seems to be the most infected country, followed by Peru. And from LURHQ’s Q&A:


Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.
So there.


Sources



  • ISC Summary
  • LURHQ
  • SecuriTeam’s TISF Blackworm Task Force (very detailed FAQ)
  • Microsoft’s Virus description/Removal Tool
  • WORM_GREW.A


