Gruel, also referred to by F-Secure as Fakerr, is a computer worm first seen in 2003 that targeted Microsoft Windows platforms including Windows 9x, Windows ME, Windows 2000 and Windows XP. It spread via email and file-sharing networks.[1][2]

Gruel
(Image: dialogue box displayed by the worm)
Alias: Fakerr
Type: Computer worm
Technical details
Platform: Windows 9x, Windows ME, Windows 2000 and Windows XP
Size: 102,400 bytes

Symptoms


Arrival and initial launch


The worm arrived as an email attachment under various file names, in messages claiming to be a security update from either Microsoft or Symantec, depending on the variant.[3][4] When run, the worm installs itself on the system and displays a fake Windows Error Reporting dialog box that the user can neither move nor close. It has two buttons, "Send Error" and "Send and Close". If the user clicks "Send Error", the worm mass-mails itself to all of the user's contacts and then displays fictitious "technical details" about the supposed error report, with a Back button and a Close button; Back returns to the original error dialog, while Close does nothing. If the user clicks "Send and Close", the worm disables or terminates Windows Explorer, ejects the CD/DVD drive, opens many Control Panel applets, and then displays another dialog box that cannot be closed, with two buttons, "Retry" and "Cancel".

The text of the error message, riddled with grammatical errors, is as follows:

Your computer now is mine, Why? Because I didn't had nothing to do and I thought, why not make the evil? Remember NOW YOUR PC IS IN MY POWER! Windows Sucks! I can't stand it anymore! Windows has always sucked. Wake up people! It's a scam! You don't need a faster computer. You need a better operating system. Microsoft continuingly makes money by selling you the latest and greatest Windows. The latest Windows version is always the most inefficient yet, slowing down your fast computer. Also, now you have to upgrade all your other software too because different Windows versions are not compatible with each other! A hidden cost not mentioned at all. It's part of the scam. Capitalism Sucks!, Communism Sucks. KILLERGUATE.[5]

Secondary payload


After carrying out the above payload, the worm hangs the operating system, forcing the user to perform a hard reboot by cutting the power and turning the machine back on. Afterwards the PC is effectively unusable: the file associations for .bat, .com, .exe, .ht, .hta, .pif and .scr files have been redirected to the worm itself, so attempting to run any program simply launches the worm again and triggers the primary payload once more. Because the .exe association is among those hijacked, these associations have to be restored before any conventional executable, including a scanner, can be run normally on the infected machine.
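The secondary payload described above is a file-association hijack: the shell "open" command for each executable file class is repointed at the worm, so the quickest way to confirm or rule out this kind of damage from a clean machine is to inspect an exported copy of those keys. The following Python script is an added example, not code from this page or from any vendor write-up. It parses the text of a registry export (such as the output of `reg export HKCR\exefile out.reg`) offline and flags every `shell\open\command` default value that differs from the stock command. The expected default strings, the class names checked and the sample export (including the `sample_worm.exe` path) are assumptions constructed for the example; `htafile` and `.ht` are left out because their default commands vary by Windows version.

```python
r"""Offline check for hijacked executable file associations in a .reg export.

Added example (not from the page or a vendor write-up): it parses the text of
a registry export such as `reg export HKCR\exefile out.reg` and flags any
shell\open\command whose default value no longer matches the stock command,
which is how a Gruel-style payload makes every .exe/.bat/.com/... launch the
worm instead of the requested program.
"""
import re

# Stock "open" commands for executable file classes on a default Windows
# install (assumed; confirm against a known-good machine). htafile is omitted
# because its default points at mshta.exe under a version-specific path.
EXPECTED_COMMANDS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Matches a key line of the form [HKEY_CLASSES_ROOT\<class>\shell\open\command]
_KEY_RE = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\(?P<cls>[^\\\]]+)\\shell\\open\\command\]$', re.I
)
# Matches the key's default value line: @="..."
_DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')


def _unescape(value):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_open_commands(reg_text):
    """Map file class (lower-case) -> unescaped shell\\open\\command default."""
    commands, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group("cls").lower()
            continue
        if line.startswith("["):      # some other key: stop collecting
            current = None
            continue
        if current is not None:
            val = _DEFAULT_RE.match(line)
            if val:
                commands[current] = _unescape(val.group("val"))
    return commands


def find_hijacked_associations(reg_text, expected=EXPECTED_COMMANDS):
    """Return {class: (expected, actual)} for every open command that changed."""
    actual = parse_open_commands(reg_text)
    findings = {}
    for cls, want in expected.items():
        got = actual.get(cls)
        if got is not None and got.strip().lower() != want.lower():
            findings[cls] = (want, got)
    return findings


# Constructed sample export: exefile and scrfile have been repointed at a
# hypothetical worm binary, batfile is intact, and txtfile is not an
# executable class so it is ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\sample_worm.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\sample_worm.exe \"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for cls, (want, got) in sorted(find_hijacked_associations(SAMPLE_REG).items()):
        print(f"{cls}: expected {want!r}, found {got!r}")
```

Run against a real export taken from the suspect machine (or from its offline registry hive) rather than against the live registry of an infected host, since on an infected host launching the interpreter itself may go through the hijacked .exe association.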


References

  1. "Fakerr Description - F-Secure Labs". www.f-secure.com.
  2. "W32.Gruel@mm". Symantec. Archived from the original on February 5, 2007. Retrieved 10 December 2013.
  3. "'Gruel' worm poses as Microsoft patch and Symantec tool". ComputerWeekly.com. 17 July 2003. Retrieved 10 December 2013.
  4. "Virus Alert: Several Variants of Gruel Worm Reported". eSecurityPlanet. 18 July 2003. Retrieved 10 December 2013. [permanent dead link]
  5. "W32/Gruel-D". Sophos. Retrieved 16 December 2013.