W32.Gruel - Symantec_Norton

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: W32.Gruel

Sender:

Varies.

Subject:

Microsoft Windows Critical Update
Symantec: New serious virus found

Message:

Critical Update: The Microsoft Windows updates found on this patch
include fixes to following Windows operating systems: Any update that
is critical to the operation of your computer is considered a Critical
Update, and is automatically selected for installation during the scan
for available updates. This patch is provided to help resolve known
issues, and to protect your computer from known security
vulnerabilities and all kinds of viruses. Whether a patch applies to
your operating system, software programs, or hardware, it is listed in
the Critical Updates category, like this patch attached. For Support
please contact us at support@microsoft.com.
Norton Security Response: has detected a new virus in the Internet.
For this reason we made this tool attachement, to protect your
computer from this serious virus. Due to the number of submissions
received from customers, Symantec Security Response has upgraded this
threat to a Category 5 (Maximum )

Attachment:

AntiVirus_Patch.exe
Symantec_Norton_Tool.exe
Windows Critical Update 088562.exe

Comments: A worm that spreads by email and file-sharing networks. Mass mailing to all the names in the Outlook Address book.

Symptoms:


 Deletes, or attempts to delete, the following files: C:Autoexec.bat,
C:Config.sys, C:WINNTSystem32*.dll, C:WINNTSystem32Ntoskrnl.exe.
C:WINNTSystem32Command.com, C:WINNTRegedit.exe,
C:WindowsSystem32Ntoskrnl.exe, C:WindowsSystem32Command.com,
C:WindowsRegedit.exe, C:WINNTSystem32*.exe, C:WINNTSystem32*.com,
C:WINNTSystem32*.ocx, C:WindowsSystem32*.dll, C:WindowsSystem32*.ocx,
C:WindowsSystem32*.exe and C:WindowsSystem32*.com 
 Copies itself as the Hidden system file, C:Rundll32.exe. 
 Copies itself to C:windowsProgram FilesKazaaMy Shared FolderWindows
XP KeyGen 2.5.exe. 
 Changes the Value data of the (Default) value to: (filename of worm)
%1 in the following registry keys and values:
HKEY_CLASSES_ROOTexefileshellopencommand,
HKEY_CLASSES_ROOTcomfileshellopencommand,
HKEY_CLASSES_ROOTbatfileshellopencommand,
HKEY_CLASSES_ROOTpiffileshellopencommand,
HKEY_CLASSES_ROOThtafileshellopencommand and
HKEY_CLASSES_ROOThtfileshellopencommand. As a result of these changes,
the worm runs every time one of the aforementioned program types is
executed. 
 Sets the following registry keys and values: 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
"MediaPath"="C:Proyecto1.exe" 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce
"Rundll32.exe"="C:Rundll32.exe" 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnceEX
"DevicePath" ="C:Proyecto1.exe" 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionSETUP
"NetCache"="C:Proyecto1.exe" 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
"ProxyDevice"="C:Proyecto1.exe" 
 HKEY_CURRENT_USERSoftwarekIlLeRgUaTe 1.03 
 Displays a false message that Windows has found an error and asks
you to submit the error to Microsoft. There are two buttons displayed
in this "warning" message, "Send Error" and "Send and Close." 
 If you click "Send Error," a fake error log is displayed. 
 If you try to cancel the message, the message is repeatedly
displayed. Clicking "Back" returns you to the original "warning"
message. 
 If you click "Send and Close" the following actions occur: 
 Multiple Control Panel windows open. The CD-ROM drive opens  A
message from the author of this threat is displayed, and this message
cannot be moved or closed.  The System Tray is disabled. The Task Bar
disappears.  Drive C is no longer visible and all the icons disappear.
Only open windows remain. The message windows, which the worm
generates, obscure them.

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: What you need to do depends on whether W32.Gruel@mm has actually executed.
If W32.Gruel@mm has already executed
If W32.Gruel@mm has run, it is possible that you will no longer be able to start Windows. (The damage the worm does will vary with both the operating system and the installation path.) Even if you can start Windows, once W32.Gruel@mm runs, it makes numerous changes to the registry and attempts to delete the system files.
In this situation, you must replace the deleted files and the Windows registry either from a clean backup, or by re-installing the operating system.
Once you have replaced the registry with a clean copy and restored any missing system files, update the virus definitions and run a full system scan as described in the next section.
If W32.Gruel@mm has not yet executed
If your Symantec antivirus product detects W32.Gruel@mm, delete it. If you suspect that the W32.Gruel@mm file exists on your hard drive, but has not yet executed, follow these steps:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as W32.Gruel@mm.