Hello, I am Foxxy (Qvuen). I am currently learning malware analysis, so enjoy! I apologize for reading and flow issues; I was writing this while I was doing the analysis. Also, please note that most of the misspelled words in the analysis, like "symantic", were misspelled by the malware author, not me.

Name: Gruel

Basic Static Analysis

File Type: Portable Executable

Language: Microsoft Visual Basic 5.0/6.0

Compiled: Tuesday, July 14, 2003 at 3:00 am/pm

Packed: No

Dependencies:

Kernel32.dll - Imported for process creation and file operations.

User32.dll - Used for windows, dialogs and message boxes (the VB forms).

GDI32.dll - Used for drawing the forms on screen.

AdvAPI32.dll - Imported to read and write the registry.

OLE32.dll - Object Linking and Embedding (COM) functions.

OLEAUT32.dll - OLE Automation runtime, used by every Visual Basic application.

VirusTotal: 46/50 AV engines detected Gruel.exe as malware.

Basic Dynamic Analysis

Behaviors: The worm shows a fake error message. When "Send and Close" is selected, the worm opens every Control Panel applet, then displays a message box ranting about Windows. It then adds registry values that hide drives and disable the Run dialog, and it also tries to disable taskmgr.exe completely by adding the value "DisableTaskMgr"; however, this was either not implemented or is broken.

Gruel saves a copy of itself to the C:\ directory as Rundll32.exe (not to be confused with the legitimate rundll32.exe in the Windows system directory), then kills the explorer.exe process. The worm also appears to attempt to copy itself into shared folders under the name "Norton 2003 pro.exe".

It also tries to open the CD drive; however, this attempt fails. (This may have been because I ran it in a VM.)

The worm spreads through Microsoft Outlook. According to the strings in gruel.exe, the email would look something like this:

Subject: Symantic: New serious virus found

Body: Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).

RegShot Logs

Regshot 1.9.0 x86 Unicode

Comments:

Datetime: 2014/2/15 20:00:48 , 2014/2/15 20:04:24

Computer: FOXXY-21468ACD7 , FOXXY-21468ACD7

Username: Administrator , Administrator

----------------------------------

Keys added: 50

----------------------------------

The key where gruel stores its startup value (note that MediaPath is a subkey created under Run, and the Run key only executes its values, not the default values of subkeys, so this entry by itself does not autostart gruel)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\

The following keys were created, but they do not show up in a registry editor. (I may have accidentally deleted them at some point.)

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder

Creates a useless, nameless, blank entry in the Control Panel.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

This key contained no values, but it was created by gruel.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

I do not know what this key does at this time.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-527237240-152049171-682003330-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}

I don't think this is important, but I will know later on.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt

I do not know what these do; however, one of them contained assembly code.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\VB and VBA Program Settings\KILLERGUATE

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\VB and VBA Program Settings\KILLERGUATE\KILLERGUATE

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03

----------------------------------

Values deleted: 2

----------------------------------

Not important

----------------------------------

Values added: 108

----------------------------------

These values are meant to start C:\rundll32.exe (gruel) at logon. Note, however, that the first one is the default value of a MediaPath subkey created under Run, and Run only executes its values, not subkeys; and the RunOnceEx entry is a bare value, whereas RunOnceEx only launches entries placed in numbered subkeys. As written, only the RunOnce value is a working autostart, and it fires once.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\: "C:\rundll32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32: "C:\Rundll32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\DevicePath: "C:\Rundll32.exe"

I do not know why gruel added this key.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\NetCache: "C:\Rundll32.exe"

I do not know why gruel added this key.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProxyDevice: "C:\Rundll32.exe"

I do not know what these keys do; I will look into it later.

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\: "kIlLeRgUaTe 1.03"

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip: "kIlLeRgUaTe 1.03"

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\: "C:\Documents and Settings\Administrator\Desktop\gruel.exe,0"

I do not know what these keys do; I will look into it later. They don't seem to exist inside the registry. (Again, I may have deleted them by accident.)

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\: "Shell32.dll"

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel: "Apartment"

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes: 00 00 00 00

This sets the Internet Explorer window title to the following text.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Internet Explorer\Main\Window Title: "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"

This value removes the Search (Find) option from Explorer and the Start menu.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind: "1"

This value disables the Run dialog (Win+R).

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: "1"

This value hides drives from Explorer and My Computer. It is a bitmask with one bit per drive letter (A: = 1, B: = 2, C: = 4, ...), so "4" hides only the C: drive. It hides the drive from the shell rather than blocking access to it; a hidden drive can still be reached by typing its path.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives: "4"

This value records that the first run has happened, so on later runs gruel does not open all the Control Panel applets and the message box again.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03\FirstRun: "No"

I believe the author created a way to control his malware for testing purposes; it searches for gruel.exe.cfg on the desktop.

HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03\Password: (NULL!)

----------------------------------

Values modified: 32

----------------------------------

The following changes, as you might imagine, make gruel.exe the default handler for .bat, .com, .exe, .hta, .ht (HyperTerminal) and .pif files. Each old command is shown first, then its replacement, which runs gruel.exe with the opened file as %1. Note that the replacements drop the %* placeholder, so any further command-line arguments are lost.

The author neglected to redirect .scr files to gruel, which lets you run a standalone registry editing tool like Registrar Registry Manager if you change its extension to .scr.

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\exefile\shell\runas\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\shell\runas\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: "C:\WINDOWS\system32\mshta.exe "%1" %*"

HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\htfile\shell\open\command\: ""C:\Program Files\Windows NT\HYPERTRM.EXE" %1"

HKLM\SOFTWARE\Classes\htfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

The following values were rewritten. ParseAutoexec is the Winlogon setting that tells Windows to process autoexec.bat for environment variables at logon instead of ignoring it. I do not know why, because there is no autoexec.bat in the directory "C:\". Note that both snapshots begin with 31 00, the UTF-16 character "1", so the setting was already enabled; only the odd fifth byte differs, which looks like the same value being rewritten rather than a change from 0 to 1.

HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 18 //before: "1" (0x31) followed by a stray trailing byte

HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 D8 //after: still "1", only the trailing byte changed

HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 18

HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 D8

----------------------------------

Total changes: 192

----------------------------------

Conclusion: this worm was quickly and sloppily created, as evidenced by the many spelling and coding errors; for example, at one point it tries to open "C:\rundll33.exe" instead of rundll32.exe. This worm, while persistent, is not impossible to remove. It hijacks every executable file extension except one, .SCR. The .SCR extension allows most executables to run, so you can copy a standalone registry editing tool, change its extension to .SCR, and remove the keys yourself. Restore the original shell\open\command data (""%1" %*" for exefile, comfile, batfile and piffile, and the mshta.exe and HYPERTRM.EXE commands shown above) rather than deleting those keys, because with no command Windows cannot launch those file types at all. After this is complete, restart the computer and delete C:\rundll32.exe and wherever the initial worm was stored.
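The following script is an added example, not the worm author's code and not a tool used in this write-up. It takes Regshot "Values added" and "Values modified" lines in the format quoted above (constructed here from the entries in the RegShot section, using the SID the log shows), tags each value as an analyst triaging persistence would, decodes the NoDrives bitmask, and drafts a remediation .reg file for the cleanup described in the conclusion: autostart and policy values are deleted, the inert MediaPath subkey under Run is removed whole, and the old shell\open\command data is written back instead of deleting the association. The "inert" tags rely on how Run and RunOnceEx process their entries (values only, and numbered subkeys only, respectively); everything else is read from the log lines.

```python
"""Triage a Regshot diff and draft a remediation .reg file.

Added example for this write-up, not the malware author's code or a tool the
post used.  The Regshot lines are constructed from entries quoted in the post,
in Regshot's "key\\name: data" format (a trailing backslash before the colon
denotes the key's default value).
"""
import re

SID = "S-1-5-21-527237240-152049171-682003330-500"  # user SID shown in the post
POLICY = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample: "Values added" lines.
REGSHOT_ADDED = [
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\: "C:\rundll32.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32: "C:\Rundll32.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\DevicePath: "C:\Rundll32.exe"',
    POLICY + r'\NoRun: "1"',
    POLICY + r'\NoDrives: "4"',
]
# Constructed sample: "Values modified" lines, which Regshot prints as old, then new.
REGSHOT_MODIFIED = [
    r'HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"',
    r'HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"',
    r'HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: "C:\WINDOWS\system32\mshta.exe "%1" %*"',
    r'HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"',
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
         "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once(?:Ex)?)?$", re.I)
RUN_SUBKEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
ASSOC_KEY = re.compile(r"\\Classes\\[^\\]+\\shell\\[^\\]+\\command$", re.I)
POLICY_KEY = re.compile(r"\\Policies\\Explorer$", re.I)


def parse_line(line):
    """Return (key, value_name, data); value_name is "" for the default value."""
    path, sep, data = line.partition(": ")
    if not sep:
        raise ValueError("not a Regshot value line: %r" % line)
    key, _, name = path.rpartition("\\")
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]          # strip Regshot's quoting, keep inner quotes
    return key, name, data


def classify(key, name):
    """Tag a value the way an analyst triaging persistence would."""
    if RUN_KEY.search(key):
        # RunOnceEx launches entries from numbered subkeys; a bare value
        # directly under it is registered but never started.
        return "inert-runonceex" if key.lower().endswith("runonceex") else "autostart"
    if RUN_SUBKEY.search(key) and name == "":
        return "inert-run-subkey"  # Run/RunOnce execute values, not subkeys
    if ASSOC_KEY.search(key):
        return "file-association"
    if POLICY_KEY.search(key):
        return "explorer-policy"
    return "other"


def hidden_drives(nodrives_data):
    """Decode the NoDrives bitmask: bit 0 hides A:, bit 1 B:, bit 2 C:, ..."""
    mask = int(nodrives_data, 0)
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]


def reg_key(key):
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def remediation_reg(added_lines, modified_lines):
    """Draft a .reg file: delete autostart/policy values, drop inert Run
    subkeys whole, and write the old data back for hijacked file associations."""
    sections = {}                  # section header -> lines (insertion ordered)
    for line in added_lines:
        key, name, data = parse_line(line)
        tag = classify(key, name)
        if tag in ("autostart", "inert-runonceex", "explorer-policy"):
            sections.setdefault("[%s]" % reg_key(key), []).append('"%s"=-' % reg_escape(name))
        elif tag == "inert-run-subkey":
            sections.setdefault("[-%s]" % reg_key(key), [])   # leading '-' deletes the key
    for old, new in zip(modified_lines[0::2], modified_lines[1::2]):
        key, name, old_data = parse_line(old)
        if parse_line(new)[0] != key:
            raise ValueError("modified lines are not in old/new pairs")
        if classify(key, name) == "file-association":
            lhs = "@" if name == "" else '"%s"' % reg_escape(name)
            sections.setdefault("[%s]" % reg_key(key), []).append('%s="%s"' % (lhs, reg_escape(old_data)))
    out = ["Windows Registry Editor Version 5.00", ""]
    for header, lines in sections.items():
        out.extend([header] + lines + [""])
    return "\n".join(out)


if __name__ == "__main__":
    for line in REGSHOT_ADDED:
        key, name, data = parse_line(line)
        note = " hides " + ",".join(hidden_drives(data)) + ":" if name.lower() == "nodrives" else ""
        print("%-16s %s\\%s = %s%s" % (classify(key, name), key, name, data, note))
    print(remediation_reg(REGSHOT_ADDED, REGSHOT_MODIFIED))
```

Review the generated .reg before importing it on a real machine: it only covers the entries it was fed, so the RunOnce value and the other hijacked associations (batfile, comfile, piffile, htfile, exefile\runas) need to be in the input, and the HKU section applies to the SID it was captured under.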

Upon viewing the strings of the program, I believe that the program would delete or create a new driver at certain times and dates. For example, Kbdclass.sys gets deleted or created on March 10, 1997.