Win32/Gluber.B is a worm that spreads as an attachment to e-mail messages and through shared disks on PC networks. It runs on Windows 95 and newer versions of the Windows operating system. Its body is 19526 bytes long and is compressed with the UPX utility. After decompression its length is approximately 188 Kb.
Note: In the following text the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed; this may differ from installation to installation. The subdirectory System or System32 located in %windir% is referred to as %system%.
The worm arrives in an e-mail message whose subject, body text and attachment file name are chosen at random from predefined text strings stored in the worm's body. The message subject is one of the following.
Buy 1 Free 2
The name of the attached file is formed by appending one of the extensions exe, com, pif or bat to one of the following text strings.
The body of the message contains one of the following texts.
Hey! It's that what you want! I hope so! Check the file
first then reply back if you have problem!
For the truth of love! I have suprise to you! Please baby forgive me!
Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!
I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!
A message you have received has been converte to an attachment. I sorry cause that problem.
When the file containing the worm is run, Win32/Gluber.B copies itself as the file djfgucxr.exe into the %system% directory, and also into the root directory of the C: drive under a randomly generated file name. To ensure that it is activated after the operating system restarts, it modifies the file system.ini on Windows 95/98/Me or the system registry on Windows NT/2000/XP. It adds the following line to the [boot] section of the system.ini file.
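A triage check for the install artifacts named in the paragraph above, added here as an example and not taken from the original entry or from ESET. It looks for the fixed-name copy in %system%, for any file in the drive root whose size equals the packed body length, and for [boot] entries in system.ini that mention the dropped file. Assumptions: the three locations are passed in as paths (for instance from a mounted disk image), a size match is only a lead to be confirmed with a scanner, and the registry-based start-up on Windows NT/2000/XP is not covered.

```python
from pathlib import Path

DROPPED_NAME = "djfgucxr.exe"  # fixed file name given in the description
PACKED_SIZE = 19526            # length of the UPX-packed body given in the description


def boot_section(ini_text):
    """Return the non-comment lines of the [boot] section of a system.ini file."""
    lines, inside = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line.lower() == "[boot]"
        elif inside and line and not line.startswith(";"):
            lines.append(line)
    return lines


def triage(system_dir, root_dir, system_ini):
    """Return (kind, detail) findings matching the described install behaviour."""
    findings = []
    system_dir, root_dir, system_ini = Path(system_dir), Path(root_dir), Path(system_ini)
    # 1. Fixed-name copy in %system%; compare case-insensitively, as Windows does.
    for f in sorted(system_dir.iterdir()):
        if f.is_file() and f.name.lower() == DROPPED_NAME:
            findings.append(("dropped-copy", str(f)))
    # 2. The copy in the drive root has a random name, so the only usable
    #    attribute is its size (heuristic: confirm any hit with a scanner).
    for f in sorted(root_dir.iterdir()):
        if f.is_file() and f.stat().st_size == PACKED_SIZE:
            findings.append(("size-match", str(f)))
    # 3. Any [boot] entry of system.ini that references the dropped file.
    if system_ini.is_file():
        text = system_ini.read_text(errors="replace")
        for line in boot_section(text):
            if DROPPED_NAME in line.lower():
                findings.append(("boot-entry", line))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: triage.py <system dir> <drive root> <system.ini>")
    for kind, detail in triage(*sys.argv[1:4]):
        print(f"{kind}: {detail}")
```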
Win32/Gluber.B collects addresses for spreading by searching files on the hard disk. It scans files with the extensions WAB, TXT, MHT, HTM, HTML, EML, JSE, ASP, DBX, MBX, MMF, TBB, NCH, ODS and VCF.
Win32/Gluber.B also spreads via available shared disks on a network. It copies itself to these disks as a file with a randomly chosen name and one of the following extensions: exe, com, pif or bat. It deactivates processes whose names appear in the following list.
In addition to the processes listed above, the worm also deactivates processes whose names contain the following strings.
Win32/Gluber.B enables remote control of an infected computer. The worm's body contains the text W32.Narita.
Detection of Win32/Gluber.B by sample has been included since version 1.587.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.