Threat Encyclopedia


Win32/Gluber.B

W32.Beglur.B, W32.Narita

Win32/Gluber.B is a worm that spreads as an e-mail attachment and through the shared disks of PC networks. It runs on Windows 95 and newer versions of the Windows operating system. Its body is 19526 bytes long and is compressed with the UPX utility. After decompression its length is approximately 188 Kb.

Note: In the following text, the symbolic name %windir% stands for the directory in which the Windows operating system is installed, which may differ from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm arrives in an e-mail message whose subject, body text and attachment file name are chosen at random from predefined text strings stored in the worm's body. The message subject is one of the following.

Hi!
Bad news!
Free porn!
Report!
Hack me!
Bussiness
News!
Warning!
hello
Buy 1 Free 2
Need help!
plz!
Re:
great!
you are!
Your resume
Update
Spend Money
Too easy
oh wow
nice job!

The attachment file name is formed by appending one of the extensions exe, com, pif or bat to one of the following text strings.

setup
readme
quiz
logfile
document
news
video
music
text
card
credit
collection
brand
request
fees
pictures
image
magazine
computers
multi
help
problem

The body of the message contains one of the following texts.

Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem!


By

Alex Pravoks

For the truth of love! I have suprise to you! Please baby forgive me!


Ronn Elika

Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!


Orlian Jieg

Hello friend,

I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!

A message you have received has been converte to an attachment. I sorry cause that problem.
<webmaster@winzip.com>
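A mail-gateway heuristic built from the subject and attachment-name lists above, as an added example that is not part of the original description or ESET's detection. It assumes the extension is joined to the text string with a dot; the function names and the three-level score are hypothetical, and the sample messages are constructed.

```python
from email import message_from_string
from email.message import EmailMessage

# Strings copied from the lists in this description (spelling as listed).
STEMS = {"setup", "readme", "quiz", "logfile", "document", "news", "video",
         "music", "text", "card", "credit", "collection", "brand", "request",
         "fees", "pictures", "image", "magazine", "computers", "multi",
         "help", "problem"}
EXTENSIONS = {"exe", "com", "pif", "bat"}
SUBJECTS = {"Hi!", "Bad news!", "Free porn!", "Report!", "Hack me!",
            "Bussiness", "News!", "Warning!", "hello", "Buy 1 Free 2",
            "Need help!", "plz!", "Re:", "great!", "you are!", "Your resume",
            "Update", "Spend Money", "Too easy", "oh wow", "nice job!"}

def attachment_matches(filename):
    """True if the name is <listed string>.<exe|com|pif|bat>, ignoring case."""
    stem, dot, ext = filename.strip().lower().rpartition(".")
    return bool(dot) and stem in STEMS and ext in EXTENSIONS

def classify(raw_message):
    """Return 'high', 'medium' or 'none' for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    name_hit = any(attachment_matches(n) for n in names)
    subject_hit = (msg.get("Subject") or "").strip() in SUBJECTS
    if name_hit and subject_hit:
        return "high"
    # Subjects such as "hello" or "Re:" are too common to act on alone.
    return "medium" if name_hit else "none"

def build_sample(subject, filename):
    """Constructed test message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    for subj, name in [("Bad news!", "quiz.pif"), ("Minutes", "document.bat"),
                       ("hello", "notes.pdf")]:
        print(subj, name, classify(build_sample(subj, name)))
```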

After the file containing the worm is run, Win32/Gluber.B copies itself as the file djfgucxr.exe into the %system% directory, and also into the root directory of the C: drive under a randomly generated filename. It ensures that it is activated after the operating system restarts by modifying the system.ini file on Windows 95/98/Me or the system registry on Windows NT/2000/XP. It adds the following line to the [boot] section of the system.ini file.

shell=Explorer.exe Djfgucxr.exe
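A check for this persistence method, as an added example that is not part of the original description: it reads the text of a system.ini file and reports every program on the [boot] shell= line other than Explorer.exe. The function names and both sample files are constructed for illustration, and a program path containing spaces would need stricter tokenising than shown.

```python
import re

EXPECTED_SHELL = "explorer.exe"

def boot_shell_value(ini_text):
    """Return the value of shell= in the [boot] section, or None if absent.

    Parsed by hand because a real system.ini repeats keys (for example
    several device= lines in [386Enh]), which strict INI parsers reject.
    """
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            return value.strip()
    return None

def extra_shell_programs(ini_text):
    """List shell= entries whose base name is not Explorer.exe."""
    value = boot_shell_value(ini_text)
    if value is None:
        return []
    extras = []
    for token in value.split():
        base = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base != EXPECTED_SHELL:
            extras.append(token)
    return extras

# Constructed samples: a clean file and one carrying the line quoted above.
CLEAN = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=a.vxd\ndevice=b.vxd\n"
INFECTED = "[boot]\nshell=Explorer.exe Djfgucxr.exe\n[386Enh]\ndevice=a.vxd\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, extra_shell_programs(text))
```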

Win32/Gluber.B collects the addresses it spreads to by searching files on the hard disk. It scans files with the extensions WAB, TXT, MHT, HTM, HTML, EML, JSE, ASP, DBX, MBX, MMF, TBB, NCH, ODS and VCF.

Win32/Gluber.B also spreads via the available shared disks of a network. It copies itself to these disks as a file with a randomly chosen name and one of the extensions exe, com, pif or bat. It inactivates processes with the names in the following list.

AVPM.EXE
AVP32.EXE
AVPMON.EXE
ZONEALARM.EXE
VSHWIN32.EXE
VET95.EXE
TBSCAN.EXE
SERV95.EXE
SCAN32.EXE
RAV7.EXE
NAVW.EXE
OUTPOST.EXE
NMAIN.EXE
NAVNT.EXE
MPFTRAY.EXE
LOCKDOWN2000.EXE
ICSSUPPNT.EXE
ICLOAD95.EXE
IAMAPP.EXE
FINDVIRU.EXE
F-AGNT95.EXE
DV95.EXE
DV95_O.EXE
CLAW95CT.EXE
CFIAUDIT.EXE
AVWUPD32.EXE
AVPTC32.EXE
_AVP32.EXE
AVGCTRL.EXE
APVXDWIN.EXE
_AVPCC.EXE
AVPCC.EXE
WFINDV32.EXE
VSECOMR.EXE
TDS2-NT.EXE
SWEEP95.EXE
SCRSCAN.EXE
SAFEWEB.EXE
PERSFW.EXE
NAVSCHED.EXE
NVC95.EXE
NISUM.EXE
NAVLU32.EXE
MOOLIVE.EXE
JED.EXE
ICSUPP95.EXE
IBMAVSP.EXE
FRW.EXE
F-STOPW.EXE
ESPWATCH.EXE
DVP95.EXE
CLAW95.EXE
CFIADMIN.EXE
AVWIN95.EXE
AVP.EXE
AVE32.EXE
ANTI-TROJAN.EXE
WEBSCAN.EXE
WEBSCANX.EXE
VSSCAN40.EXE
TDS2-98.EXE
SPHINX.EXE
SCANPM.EXE
RESCUE.EXE
PCFWALLICON.EXE
PAVCL.EXE
NUPGRADE.EXE
NAVWNT.EXE
NAVAPW32.EXE
LUALL.EXE
IOMON98.EXE
ICMOON.EXE
IBMASN.EXE
FPROT.EXE
F-PROT95.EXE
ESAFE.EXE
CLEANER3.EXE
EFINET32.EXE
BLACKICE.EXE
AVSCHED32.EXE
AVPDOS32.EXE
AVPNT.EXE
AVCONSOL.EXE
ACKWIN32.EXE
VSSTAT.EXE
VETTRAY.EXE
TCA.EXE
SMC.EXE
SCAN95.EXE
RAV7WIN.EXE
PCCWIN98.EXE
PADMIN.EXE
NORMIST.EXE
NAVW32.EXE
N32SCAN.EXE
LOOKOUT.EXE
IFACE.EXE
ICLOADNT.EXE
IAMSERV.EXE
FP-WIN.EXE
F-PROT.EXE
ECENGINE.EXE
CLEANER.EXE
CFIND.EXE
BLACKD.EXE
AVPUPD.EXE
AVKSERV.EXE
AUTODOWN.EXE
_AVPM.EXE
REGEDIT.EXE
TASKMGR.EXE
CCEVTMGR.EXE
CCAPP.EXE
REGEDIT.COM
HH.EXE
COMMAND.COM
CMD.EXE
RSTRUI.EXE
LUCOMSERVER.EXE
STIMON.EXE
FIXBUG.EXE
FIXBUGB.EXE
AVGSERV9.EXE
NOTEPAD.EXE
RULAUNCH.EXE

In addition to the processes listed above, the worm also inactivates processes whose names contain any of the following strings.

Norton
AV
Anti
Vir
McAfee
viru
anti
hack
Registry
view
spy
scan
monitor
tool
task
pad

Win32/Gluber.B enables remote control of an infected computer. The body of the worm contains the text W32.Narita.

Detection of Win32/Gluber.B using a sample has been included since version 1.587.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.