Event ID - 2001

Port No2001
Service NameGREZ
RFC Doc0
ProtocolTCP
DescriptionThis worm comes with WORM_GREZ.A. It comes as the following three files, working together to contribute to WORM_GREZ.A's propagation:

Zerg.vbe
ii.vbe
rrpc.vbe
Trend Micro detects these files as WORM_GREZ.B.

This worm needs the following files to work properly:
wscript.exe
1.txt
2.txt
3.txt
4.txt
5.txt
rep.exe
rn.exe
rrpc.exe
rscan.exe
rssdd.exe
slimftpd.conf
slimftpd.exe
It works together with WORM_GREZ.A. It doesn't execute properly without the other components being dropped by WORM_GREZ.A.

It terminates the following processes if running in memory:

n.exe
RSDD.exe
hftp.exe
scan.exe
rpc.exe
rn.exe
rscan.exe
SlimFTPd.exe
Reference LinkGREZ
AttackSolutions:

Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows NT>CurrentVersion>Windows
In the right panel, locate the entry:
load = "%System%\zerg.vbe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
Still in the right panel, modify this entry as follows:
load = "" In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows NT>CurrentVersion>Windows
In the right panel, locate the entry:
Programs = "com.exe.bat.pif.cmd.vbe"
Still in the right panel, modify this entry as follows:
Programs = "com.exe.bat.pif.cmd"
Close Registry Editor.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.