Summary
| Protection available since | 28 September 2003 09:47:02 (GMT) |
|---|---|
| Detected by | All Sophos products (Endpoint Security and Control 9.0, Small business solutions 4.0) |
Action
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the following HKEY_LOCAL_MACHINE value (the key is Run, the value name is 'Windows Management Instrumentation'):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Management Instrumentation
and delete it if it exists.
Close the registry editor.
More Information
W32/Graps-A is a worm that spreads through the hidden administrative shares Windows creates for inter-process communication and remote administration (IPC$ and ADMIN$).
W32/Graps-A spreads with the filename mwd.exe together with two other files, a utility psexec.exe and an OCX file mswinsck.ocx. The worm drops three batch files wds.bat, wds2.bat and wds3.bat into the current directory.
The dropped batch files are used to probe for IPC$ or ADMIN$ shares with weak or blank passwords.
If a share is successfully probed, the batch file copies wdm.exe, psexec.exe and mswinsck.ocx to the remote computer and uses psexec.exe to remotely launch wdm.exe.
W32/Graps-A creates a new registry value
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Management Instrumentation
so that the file wdm.exe from the Windows System folder is run on Windows startup.
The worm also contains a backdoor component that can be used by an attacker to launch denial of service attacks or use an infected machine as a TCP proxy.
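The following PowerShell script is an added example, not part of the Sophos advisory: it backs up the Run key, reports (and with -Remove deletes) the 'Windows Management Instrumentation' autorun value described in the Action section, and lists any of the dropped files named above that remain in the Windows System folder. It assumes PowerShell 5.1 on a Windows NT-family system with administrative rights; the -Remove switch and the backup file name are this script's own conventions.

```powershell
# Added example (not the advisory's own code): audit and optionally remove the
# W32/Graps-A autorun value and report leftover dropped files.
param([switch]$Remove)   # script's own convention: only delete when asked to

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Management Instrumentation'      # value name the worm creates
$dropped   = 'wdm.exe', 'psexec.exe', 'mswinsck.ocx'   # files the advisory lists

# 1. Back up the Run key first (mirrors the 'Export Registry File' step).
$backup = Join-Path $env:TEMP ("Run-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
Write-Host "Run key exported to $backup"

# 2. Look for the autorun value and report what it launches. The name imitates
#    the legitimate WMI component, which runs as a service, not from a Run value.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$valueName]) {
    $data = $props.$valueName
    Write-Host "FOUND autorun value '$valueName' -> $data"
    if ($data -match 'wdm\.exe') {
        Write-Host "Value data references wdm.exe, consistent with W32/Graps-A."
    }
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Host "Removed autorun value '$valueName'."
    }
} else {
    Write-Host "Autorun value '$valueName' not present."
}

# 3. Report dropped files still in the Windows System folder. psexec.exe is a
#    legitimate administration utility, so its presence alone is not proof.
$sysDir = [Environment]::GetFolderPath('System')
foreach ($f in $dropped) {
    $p = Join-Path $sysDir $f
    if (Test-Path $p) { Write-Host "Dropped file present: $p" }
}
```

Run it once without -Remove to review what it finds, then with -Remove after confirming the value data points at wdm.exe.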
