Sophos

W32/Guap-F

Aliases
  • IM-Worm.Win32.Guap.f
  • W32.Allim
  • WORM_YIMP.A

How it spreads
  • Chat programs
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 12 October 2005 08:45:36 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Guap-F is an instant messenger worm for the Windows platform.

W32/Guap-F includes functionality to download, install and run new software.

When first run W32/Guap-F copies itself to <System>\aimplugin.exe and creates the file <Windows>\hosts.

The following registry entries are created to run aimplugin.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Aim Plugin
<System>\aimplugin.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Aim Plugin
<System>\aimplugin.exe

W32/Guap-F sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

W32/Guap-F may attempt to spread itself via the following P2P programs:

LimeWire
eDonkey2000

with the following filenames:

Half Life 2 FULL.exe
How to Hack.exe
Windows XP.exe
Visual Studio 2005.exe

W32/Guap-F may also spread via the following instant messenger programs:

MSN Messenger
Yahoo! Instant Messenger
AOL Instant Messenger

and will attempt to display one of the following messages to contacts in the instant messenger program:

"lol? someone is posting with your email address on these forums?: <URL>"
"wow.. is this you? <URL>"
"found your picture! is this you? <URL>"
"haha, this guy got busted so bad.. <URL>"
"lmao i cant stop laughing at this! <URL>"
"omg... this doesnt look right at all!! <URL>"

At the time of writing the <URL> was not available.

W32/Guap-F includes functionality to modify the HOSTS file.

W32/Guap-F modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites. The new HOSTS file redirects the affected hostnames to a loopback address (127.0.2.5).
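As a defender-side check (an added example, not part of the Sophos description): the first function below flags HOSTS entries that point ordinary hostnames into the loopback range, which is the blocking technique described above, and the second reports which of the two services named above have their Start value set to 4. The HOSTS text and the service Start values are constructed sample input; reading them from a live system is left to the caller.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS content (not captured from an infected machine):
# the normal localhost lines plus two redirects of the kind described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.2.5 www.sophos.com
127.0.2.5 windowsupdate.microsoft.com   # appended by malware
::1             localhost
"""

# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def find_hosts_redirects(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs where a real hostname is mapped
    into 127.0.0.0/8 or ::1, i.e. silently blocked via the HOSTS file."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, skip it
        if not addr.is_loopback:
            continue
        for name in parts[1:]:
            if name.lower() not in LEGIT_LOOPBACK:
                hits.append((parts[0], name))
    return hits


def disabled_services(start_values: Dict[str, int],
                      watch=("wuauserv", "SharedAccess")) -> List[str]:
    """Given service name -> Start value (assumed to have been read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services), list watched services
    whose Start is 4 (disabled)."""
    return [svc for svc in watch if start_values.get(svc) == 4]


if __name__ == "__main__":
    for addr, name in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {name} -> {addr}")
    print("disabled:", disabled_services({"wuauserv": 4, "SharedAccess": 2}))
```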
