W32/Graps.A
Analysis
- Virus resembles BAT/Mumu in its spreading technique and in its attempts to access user accounts
- Virus contains several components:
  - MWD.EXE (53,248 bytes) – copy of virus
  - WDS.BAT (1,229 bytes) – batch script installer
  - WDS2.BAT (500 bytes) – batch script installer
  - WDS3.BAT (544 bytes) – batch script installer
  - PSEXEC.EXE – freeware utility used to initiate applications as a process
  - MSWINSK.OCX – ActiveX program used for Winsock connectivity
- Virus attempts to scan for systems which are potential target hosts – if one is found across the network, the virus will attempt to connect and copy itself to that target system – the files contained within the viral package are listed above
- Virus attempts to map to target systems using the Administrator account in Windows NT/2000 English or French versions (Administrator, Administrateur, Administrador, admin) – the virus attempts to connect using the following passwords:
  - ""
  - "admin"
  - "administrator"
  - "password"
  - "server"
  - "123"
  - "KKKKKKK"
- Virus contains the string “mwd Storm of Grasp” in its code
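
The component list and the embedded string above can be turned into a file-system triage check. The following is an added example, not part of the original analysis: it flags files whose name and size match the listed components, treats PSEXEC.EXE and MSWINSK.OCX as name-only (weak) matches because the analysis gives no size for them and legitimate copies exist, and searches file contents for the string. The function names, the ASCII/UTF-16LE encoding choice and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Names and sizes exactly as listed on this page; None = no size given there.
COMPONENTS = {"MWD.EXE": 53248, "WDS.BAT": 1229, "WDS2.BAT": 500,
              "WDS3.BAT": 544, "PSEXEC.EXE": None, "MSWINSK.OCX": None}
MARKER = "mwd Storm of Grasp"
# Assumption: the string may be stored as ASCII or as UTF-16LE in the binary.
MARKER_BYTES = (MARKER.encode("ascii"), MARKER.encode("utf-16-le"))

def classify(path):
    """Return the reasons a file matches the write-up (empty list if none)."""
    reasons = []
    name = path.name.upper()
    if name in COMPONENTS:
        expected = COMPONENTS[name]
        if expected is None:
            reasons.append("name-only")  # weak: legitimate tools use these names
        elif path.stat().st_size == expected:
            reasons.append("name+size")
    data = path.read_bytes()
    if any(m in data for m in MARKER_BYTES):
        reasons.append("marker")
    return reasons

def scan(root):
    """Walk root; return {relative path: reasons} for every matching file."""
    hits = {}
    for path in Path(root).rglob("*"):
        try:
            reasons = classify(path) if path.is_file() else []
        except OSError:
            continue  # unreadable or locked file: skip it
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits

def demo():
    """Scan a constructed tree of inert filler files (no real samples)."""
    samples = {"mwd.exe": MARKER.encode() + b"\0" * (53248 - len(MARKER)),
               "wds.bat": b"x" * 1229,      # name and size both match
               "wds2.bat": b"x" * 499,      # right name, wrong size
               "psexec.exe": b"x" * 10,     # name listed without a size
               "renamed.dat": b"pad" + MARKER.encode("utf-16-le")}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan(root)
```

Call `scan()` with a directory path to check a real host; a "name-only" hit is only meaningful when it sits alongside a "name+size" or "marker" hit.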