Trojan:Win32/Grymegat.A
First posted on 29 January 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Grymegat.A.
Explanation:
Installation
When run, Trojan:Win32/Grymegat.A copies itself to the "%APPDATA%\System" folder with the file name "winlogon.exe". The trojan then moves its original copy to "%SystemDrive%\recycler", renames it as "find_me.tmp", and adds it to the list of files that will be deleted when you restart your computer. It does this to hinder detection of the original file.
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
Note: %SystemDrive% refers to a variable location that is determined by the malware by querying the operating system. The drive letter for the System Drive in Windows 2000, XP, 2003, Vista, 7, and 8 is "C:".
The trojan then runs the copy of itself that it placed in the %APPDATA%\System folder.
Trojan:Win32/Grymegat.A may modify any of the following registry entries to ensure its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "%APPDATA%\System\winlogon.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Update"
With data: "%APPDATA%\System\winlogon.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Update"
With data: "%APPDATA%\System\winlogon.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe, %APPDATA%\System\winlogon.exe"
Payload
Prevents you from accessing your desktop
Trojan:Win32/Grymegat.A displays a full-screen message that covers all other windows, rendering your computer unusable (this full-screen message is also known as a "lock screen"). It is a fake warning pretending to be from a legitimate institution which demands the payment of a fine for the supposed possession of illicit material.
Paying the "fine" will not necessarily return your computer to a usable state, so this is not advisable.
The screen may appear similar to the following, which is pretending to be a message from the Federal Bureau of Investigation (FBI) (screenshot not reproduced in this copy):
Connects to remote servers
In the wild, we have observed Trojan:Win32/Grymegat.A downloading the lock screen messages from the following URLs:
- cannedfounders.pro/<removed>/img.php?gimmeImg
- coreldrawmutually.org/<removed>/newpanel/img.php?gimmeImg
- fbicheckps.com/<removed>/img.php?gimmeImg
- testdriveirritation.net/update/<removed>/img.php?gimmeImg
Terminates processes
Trojan:Win32/Grymegat.A terminates the following Windows system-related processes if they are currently running on your computer:
- cmd.exe - command prompt
- regedit.exe - registry editor
- taskmgr.exe - task manager
Bypasses the Windows Firewall
Trojan:Win32/Grymegat.A bypasses the Windows Firewall so that it can establish a connection to another computer. It does this by adding itself to the list of authorized applications that can bypass the firewall:
In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%APPDATA%\System\winlogon.exe"
With data: "%APPDATA%\System\winlogon.exe:*:enabled:winlogon.exe"
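The following host-triage script is an added example and is not part of Microsoft's write-up. It checks a Windows machine for the artifacts listed under "Installation" (the dropped copy, the relocated original, the four autostart registry entries) and under "Bypasses the Windows Firewall" (the AuthorizedApplications entry). Assumptions not stated on the page: it inspects HKCU and %APPDATA% for the user running it, it also checks CurrentControlSet because ControlSet001 is not always the live control set, and it treats the "deleted when you restart" behaviour as the MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism, which queues the file in the PendingFileRenameOperations value. Run it from an elevated PowerShell session.

```powershell
# Added triage script for Trojan:Win32/Grymegat.A artifacts (not Microsoft's code).
# Run as Administrator. HKCU/%APPDATA% refer to the user running the script.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# The legitimate winlogon.exe lives in %SystemRoot%\System32; a copy under
# "%APPDATA%\System" is the indicator, so match on "\System\winlogon.exe".
$droppedCopy   = Join-Path $env:APPDATA 'System\winlogon.exe'
$movedOriginal = Join-Path $env:SystemDrive 'recycler\find_me.tmp'

# 1. Dropped copy and relocated original. The original may already be gone
#    if the machine has rebooted since the infection.
foreach ($p in $droppedCopy, $movedOriginal) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Run-key and Policies\Explorer\Run persistence, value name "Update".
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    $data = (Get-ItemProperty -Path $k -Name 'Update').Update
    if ($data -and $data -like '*\System\winlogon.exe*') {
        $findings += "Run entry: $k\Update = $data"
    }
}

# 3. Winlogon Shell hijack. A clean system has exactly "explorer.exe";
#    the trojan appends its copy after a comma.
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -Name 'Shell').Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: $shell"
}

# 4. Firewall authorized-applications list. Value names are full paths, so
#    enumerate the properties rather than looking up a fixed name.
$fwLists = @(
    'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)
foreach ($k in $fwLists) {
    $props = Get-ItemProperty -Path $k
    if (-not $props) { continue }
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like '*\System\winlogon.exe') {
            $findings += "Firewall exception: $k\$name = $($props.$name)"
        }
    }
}

# 5. Delete-on-reboot queue. Assumption (not on the page): the trojan uses
#    MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the source
#    path with an empty destination in PendingFileRenameOperations.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pfro = (Get-ItemProperty -Path $smKey -Name 'PendingFileRenameOperations').PendingFileRenameOperations
if ($pfro -and (($pfro -join "`n") -match 'find_me\.tmp')) {
    $findings += 'PendingFileRenameOperations queues find_me.tmp for deletion'
}

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Grymegat.A artifacts found.'
} else {
    $findings
}
```

Because the trojan kills cmd.exe, regedit.exe and taskmgr.exe while it is running, run this from a PowerShell window rather than a command prompt, or from an offline boot environment with the infected hive loaded, and treat any hit on the Winlogon Shell or firewall list as grounds to remove the entry before the next restart.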
Additional information
Payment methods
We have observed Trojan:Win32/Grymegat.A using the legitimate payment and financial transfer service "Green Dot MoneyPak".
Note: This provider is not affiliated with Trojan:Win32/Grymegat.A.
If you believe you are a victim of fraud involving this service, you should contact the provider along with your local authorities.
Please also see the following Microsoft advisory for additional advice:
- What to do if you are a victim of fraud
Analysis by Daniel Radu
Last update 29 January 2013