Event ID - 1115

Port No: 1115
Service Name: GREZ
RFC Doc: 0
Protocol: TCP
Description: This worm comes with WORM_GREZ.A. It comes as the following three files, working together to contribute to WORM_GREZ.A's propagation:

Zerg.vbe
ii.vbe
rrpc.vbe
Trend Micro detects these files as WORM_GREZ.B.

This worm needs the following files to work properly:
wscript.exe
1.txt
2.txt
3.txt
4.txt
5.txt
rep.exe
rn.exe
rrpc.exe
rscan.exe
rssdd.exe
slimftpd.conf
slimftpd.exe
It works together with WORM_GREZ.A. It doesn't execute properly without the other components being dropped by WORM_GREZ.A.

It terminates the following processes if running in memory:

n.exe
RSDD.exe
hftp.exe
scan.exe
rpc.exe
rn.exe
rscan.exe
SlimFTPd.exe
Reference Link: GREZ
Attack Solutions:

Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows NT>CurrentVersion>Windows
In the right panel, locate the entry:
load = "%System%\zerg.vbe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
Still in the right panel, modify this entry as follows:
load = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows NT>CurrentVersion>Windows
In the right panel, locate the entry:
Programs = "com.exe.bat.pif.cmd.vbe"
Still in the right panel, modify this entry as follows:
Programs = "com.exe.bat.pif.cmd"
Close Registry Editor.
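The same two registry checks, as an added PowerShell example that is not part of the Trend Micro write-up: it audits the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows key for the two values the steps above describe and, with -Fix, restores them to the clean values given there. The expected dirty and clean values (load = "%System%\zerg.vbe" / "", Programs = "com.exe.bat.pif.cmd.vbe" / "com.exe.bat.pif.cmd") are taken from the page; the script name and the -Fix switch are assumptions.

```powershell
# Added example (not from the advisory): audit the HKCU autostart values that
# WORM_GREZ.B modifies and optionally restore the clean values documented above.
param([switch]$Fix)

$keyPath  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$findings = @()

if (-not (Test-Path $keyPath)) {
    Write-Output "Key $keyPath not present; nothing to check."
    return
}

$props = Get-ItemProperty -Path $keyPath

# 1. 'load': the advisory reports load = "%System%\zerg.vbe"; clean value is "".
$load = $props.load
if ($load -and $load -match 'zerg\.vbe') {
    $findings += "load = `"$load`" (matches the WORM_GREZ.B autostart entry)"
    if ($Fix) { Set-ItemProperty -Path $keyPath -Name 'load' -Value '' }
}

# 2. 'Programs': the advisory reports "com.exe.bat.pif.cmd.vbe"; the clean
#    value it gives is the same list without the trailing "vbe" element.
$programs = $props.Programs
if ($programs -and (($programs -split '\.') -contains 'vbe')) {
    $findings += "Programs = `"$programs`" (contains vbe)"
    if ($Fix) {
        $clean = (($programs -split '\.') | Where-Object { $_ -ne 'vbe' }) -join '.'
        Set-ItemProperty -Path $keyPath -Name 'Programs' -Value $clean
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No WORM_GREZ.B autostart entries found under $keyPath."
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if ($Fix) { Write-Output "Entries restored to the documented clean values." }
}
```

Run it once without -Fix to see what it would change, then with -Fix to apply the two edits from the steps above; the worm's dropped files still have to be removed separately.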
