
Virus:Win32/Grenam.A


First posted on 26 March 2012.
Source: Microsoft

Aliases :

Virus:Win32/Grenam.A is also known as Win32/Delf.NRJ worm (ESET), W32/Renamer-K (Sophos), Virus.Win32.Renamer.j (Kaspersky).

Explanation :

Virus:Win32/Grenam.A is a companion virus written in Delphi that is 534,016 bytes in size, and infects files with .exe extensions.



The exact nature of companion viruses varies; this particular virus replaces legitimate program files with a copy of itself, so that when a user runs the infected program, the virus runs as well.



Installation

Virus:Win32/Grenam.A may be installed by other malware, or arrive as an email attachment.

Spreads via...

File infection

Once executed, the virus recursively enumerates folders on all drives, beginning with drive C:. It will also infect files found on mapped network drives and attached drives, provided the security context in which the virus was executed allows it.

Once an executable suitable for infection is found, the virus copies it to g<original file name>.exe with the "hidden" attribute set, and then copies itself in place of the original, using the original program's name and icon. If no icon is present in the resources of the original file, the virus uses its own icon and leaves behind a zero-byte file named g<original file name>.ico, as seen in the image below:



The virus will not infect a file if g<original file name>.exe already exists. It infects at most 123 files per run, then runs the original program and exits.

Virus:Win32/Grenam.A uses ShellExecute to run the renamed original file.
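The rename-and-replace pattern described above gives a defender a simple structural signature to hunt for: a <name>.exe sitting next to a hidden g<name>.exe, often with a zero-byte g<name>.ico beside them. The triage scanner below is an added example written for this page, not Microsoft's analysis code or the malware itself; the folder it scans is constructed in a temporary directory with harmless stand-in files, and the 534,016-byte size check reuses the figure from the description.

```python
import os
import tempfile
from pathlib import Path

GRENAM_SIZE = 534_016          # size of the Grenam.A body given in the description
FILE_ATTRIBUTE_HIDDEN = 0x2    # Windows attribute bit; st_file_attributes is Windows-only

def _is_hidden(path: Path) -> bool:
    """True when the Windows 'hidden' attribute is set; always False elsewhere."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def find_grenam_companions(root) -> list[dict]:
    """Report <name>.exe / g<name>.exe pairs found in the same folder, with
    extra triage indicators; a lone g*.exe (gzip.exe, say) is not reported."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        actual = {f.lower(): f for f in filenames}   # case-insensitive lookup
        for lname, name in actual.items():
            host_key = lname[1:]                       # strip the leading "g"
            if not (lname.startswith("g") and lname.endswith(".exe")
                    and len(host_key) > 4 and host_key in actual):
                continue
            folder = Path(dirpath)
            host, companion = folder / actual[host_key], folder / name
            indicators = ["companion pair"]
            if _is_hidden(companion):
                indicators.append("companion hidden")
            if host.stat().st_size == GRENAM_SIZE:
                indicators.append("host size matches Grenam.A")
            ico_key = lname[:-4] + ".ico"
            if ico_key in actual and (folder / actual[ico_key]).stat().st_size == 0:
                indicators.append("zero-byte g<name>.ico")
            hits.append({"host": host, "companion": companion, "indicators": indicators})
    return sorted(hits, key=lambda h: str(h["host"]))

def build_sample_tree(base: Path) -> Path:
    """Create a constructed, harmless sample folder (no real malware) for a dry run."""
    base.mkdir(parents=True, exist_ok=True)
    (base / "calc.exe").write_bytes(b"\x00" * GRENAM_SIZE)    # virus-sized stand-in
    (base / "gcalc.exe").write_bytes(b"MZ original program")  # renamed original
    (base / "gcalc.ico").write_bytes(b"")                     # zero-byte icon leftover
    (base / "gzip.exe").write_bytes(b"MZ benign")             # lone g*.exe: no pair
    (base / "notepad.exe").write_bytes(b"MZ clean")           # untouched program
    return base

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        return find_grenam_companions(build_sample_tree(Path(tmp) / "Program Files"))
```

Point `find_grenam_companions` at a real drive root to sweep it; the hidden-attribute indicator is only populated on Windows, and gzip.exe-style names without a matching pair are deliberately ignored.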

Additional information

When executed, the virus checks for and creates a mutex named "Paint" to ensure that only a single copy of the virus is running at any one time.



Analysis by Oleg Petrovsky

Last update 26 March 2012