Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Gronev.A carries out the following actions:
- When it is run, the Windows Media Player is opened and a song called Lagu is played.
- When the CMD shell is accessed, a window is displayed, and it creates a username called Vergon with a password, which cannot be accessed. This way, it could remotely control the affected computer.
- Whenever it detects the word Search in the address bar of Internet Explorer, it closes the browser.
Infection strategy
Gronev.A creates the following files:
- VERGON1885.EXE, in the Windows system directory. This file is a copy of itself.
- MAN.BAT, in the Windows system directory, which belongs to the window that is displayed when the CMD shell is accessed.
- LAGU.MP3, in the Windows directory. This file belongs to the song that is played when Gronev.A is run.
Additionally, it creates the following subfolders in the root directory of the system drives available:
BACKUP
DOC
SECRET
TOOLS
where it creates copies of itself with the following names:
A0011498.EXE
ABG_XXX.3GP.EXE
AVSEQ01.MPG.EXE
IEWMP_10_XPSP2.EXE
WMP_10 FOR XP.EXE
X-EXECUTOR.EXE
Gronev.A creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer = %sysdir%\vergon1885.exe
where %sysdir% is the Windows system directory.
By creating this entry, Gronev.A ensures that it is run whenever Windows is started.
Means of transmission
Gronev.A spreads via mapped drives. In order to do so, it checks if the infected computer is connected to a network.
If so, it makes an inventory of all mapped drives and creates a copy of itself in each of them.
Further Details
Gronev.A is written in the programming language Visual Basic. This worm is 143,872 bytes in size and it is compressed with PECompact.
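The indicators listed above (the four root subfolders, the copy names, the Run entry and the 143,872-byte size) can be turned into a sweep of a drive root and of an exported Run key. This is an added example, not Panda Security's code; the function names, the exported-values dictionary and the sample directory tree are assumptions constructed here.

```python
import os
import tempfile

# Indicators copied from this description.
DROP_DIRS = {"BACKUP", "DOC", "SECRET", "TOOLS"}
COPY_NAMES = {"A0011498.EXE", "ABG_XXX.3GP.EXE", "AVSEQ01.MPG.EXE",
              "IEWMP_10_XPSP2.EXE", "WMP_10 FOR XP.EXE", "X-EXECUTOR.EXE"}
WORM_SIZE = 143872  # bytes; assumes every copy keeps the stated size
RUN_NAME, RUN_FILE = "wmplayer", "vergon1885.exe"

def scan_drive_root(root):
    """Return sorted (path, size_matches) for listed names in the four subfolders."""
    hits = []
    for d in os.scandir(root):
        if not d.is_dir() or d.name.upper() not in DROP_DIRS:
            continue
        for f in os.scandir(d.path):
            if f.is_file() and f.name.upper() in COPY_NAMES:
                hits.append((f.path, f.stat().st_size == WORM_SIZE))
    return sorted(hits)

def check_run_values(values):
    """values: {name: data} exported from the Run key; return suspicious pairs."""
    out = []
    for name, data in values.items():
        target = data.strip().strip('"').replace("/", "\\").lower()
        if name.lower() == RUN_NAME and target.endswith("\\" + RUN_FILE):
            out.append((name, data))
    return out

def build_constructed_sample():
    """Create a constructed directory tree standing in for a mapped drive root."""
    root = tempfile.mkdtemp(prefix="gronev_sample_")
    layout = {("BACKUP", "A0011498.EXE"): WORM_SIZE,   # name and size match
              ("Tools", "x-executor.exe"): 10,          # name matches, size does not
              ("DOC", "report.txt"): 10,                # benign file
              ("OTHER", "A0011498.EXE"): WORM_SIZE}     # outside the four folders
    for (folder, name), size in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root

if __name__ == "__main__":
    for path, same_size in scan_drive_root(build_constructed_sample()):
        print(path, "size matches" if same_size else "size differs")
    print(check_run_values({"wmplayer": r"C:\WINDOWS\system32\vergon1885.exe"}))
```

A name match with a different size is still worth reviewing, since the size check only assumes the copies are unmodified.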