Gruel, also known as Fakerr, is a dangerous email worm for Win32 systems that began spreading in 2003, targeting machines running Windows 98 and later. The worm arrives on the system as an email attachment claiming to be an important update from Microsoft, and is often spread through Kazaa.
When the user executes the program, it displays a fake error message that the user cannot move or close. If the user presses "Send Error" in the dialog box, the worm mass-mails itself to all of the user's contacts. If the user presses "Send and Close", it terminates the Explorer.exe process, opens various default settings windows, opens the CD-ROM tray, and displays a message that cannot be closed, containing two buttons, "Retry" and "Cancel".
The text of the error message is as follows:
Your computer now is mine, Why? Because I didn't had nothing to do and I thought, why not make the evil? Remember NOW YOUR PC IS IN MY POWER Windows Sucks! I can't stand it anymore! Windows has always sucked. Wake up people! It's a scam! You don't need a faster computer. You need a better operating system. Microsoft continuingly [sic] makes money by selling you the latest and greatest Windows. The latest Windows version is always the most inefficient yet, slowing down your fast computer. Also, now you have to upgrade all your other software too because different Windows versions are not compatible with each other! A hidden cost not mentioned at all. It's part of the scam. Capitalism Sucks! Communism Sucks. KILLERGUATE.
Although Task Manager is usually disabled, when it is available the worm's process appears under whatever file name the Gruel executable had when it was first run.
The worm then copies itself, with the hidden attribute set, to the root of the C: drive as RUNDLL32.EXE and modifies the startup keys for the following file extensions:
The worm also creates or modifies several Registry entries that prevent system logoff, closing Explorer, opening Task Manager, locking the workstation and changing the password.
The worm tries to copy itself as 'Norton 2003 Pro.exe' to the Kazaa P2P client's shared folder, but because of a bug in that routine the copy never succeeds. The worm has an additional, destructive payload that is only used in some variants. It can delete the following files from an infected hard drive:
C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\command.com
C:\WINNT\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\command.com
C:\windows\regedit.exe
C:\AUTOEXEC.bat
C:\config.sys
C:\WINNT\system32\*.exe
C:\WINNT\system32\*.com
C:\WINNT\system32\*.dll
C:\WINNT\system32\*.ocx
C:\windows\system32\*.dll
C:\windows\system32\*.ocx
C:\windows\system32\*.exe
C:\windows\system32\*.com
Also, the worm can delete all files from the following folders:
C:\WINNT\system (Windows 2000)
C:\windows\system (Windows 9x - XP and up)
C:\WINNT\system32 (Windows 2000)
C:\windows\system32 (Windows 9x - XP and up)
D:\
The worm changes the Internet Explorer title to:
kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!
It copies itself to the desktop and Control Panel as "kIlLeRgUaTe 1.03".
Upon restarting the computer, the full extent of the worm's damage becomes apparent. If it managed to delete files, the computer may not boot at all, forcing the user to reinstall Windows. If the computer does boot, the worm can make the C:\ drive inaccessible through Explorer or My Computer, and it removes the Run option from the Start Menu and disables Task Manager (Windows 9x - XP and up). This makes it next to impossible to remove the registry keys the worm created. On top of this, the worm hooks all .exe, .pif, .scr and .com files to itself, much like the Hippi virus, making the computer essentially unusable. The Registry is effectively destroyed, and with no way of attaching any mass storage device containing a substitute Registry file (because Explorer is inaccessible), the only way to repair the computer (short of an expert, large-scale repair of the entire system registry) is to format or replace the hard drive.
However, the worm can be removed relatively easily if the user knows which techniques and steps to take. On Windows Vista and later, Gruel may behave unusually and not carry out its full payload. Numerous videos from the YouTube user "WIN2K3R2" show the worm being successfully deactivated; these videos also show the worm in more detail.
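The registry changes described above (Task Manager, Run and logoff disabled, the Internet Explorer title replaced, and executable file types hooked to C:\RUNDLL32.EXE) are the kind of thing an analyst checks for in a registry export during triage. The script below is an added example, not the worm's code or any vendor's tool: it parses a .reg export and reports those indicators. The policy value names it looks for (DisableTaskMgr, NoRun, NoLogOff, and so on) are the standard Windows policy values that implement the restrictions the article describes; the article does not name the exact keys the worm writes, so they are an assumption here. The export text it runs on is constructed for the demonstration.

```python
"""Triage a Windows registry export (.reg text) for the lockout and
persistence indicators described for Gruel.

Added example, not the worm's code or a vendor tool. The policy value
names are the standard Windows policy values assumed to implement the
described restrictions; the sample export below is constructed.
"""
import re

# Standard Windows policy values (an assumption; the article names none).
POLICIES = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
LOCKOUT_VALUES = {
    (POLICIES + "\\System", "DisableTaskMgr"): "Task Manager disabled",
    (POLICIES + "\\System", "DisableLockWorkstation"): "workstation lock disabled",
    (POLICIES + "\\System", "DisableChangePassword"): "password change disabled",
    (POLICIES + "\\Explorer", "NoRun"): "Run removed from Start Menu",
    (POLICIES + "\\Explorer", "NoLogOff"): "logoff disabled",
    (POLICIES + "\\Explorer", "NoClose"): "shutdown/close disabled",
}
IE_MAIN = "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
CLEAN_OPEN = '"%1" %*'          # benign open command for these file classes
FILE_CLASSES = ["exefile", "comfile", "piffile", "scrfile"]


def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}.
    Handles quoted string values, dword:xxxxxxxx and the default value (@)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # Undo .reg escaping: \\ -> \ and \" -> "
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return human-readable findings for the indicators the article describes."""
    findings = []
    for (key, name), desc in LOCKOUT_VALUES.items():
        if keys.get(key, {}).get(name) == 1:
            findings.append(f"{desc} ({name}=1)")
    title = keys.get(IE_MAIN, {}).get("Window Title", "")
    if "killerguate" in title.lower():
        findings.append(f"IE title hijacked: {title!r}")
    for cls in FILE_CLASSES:
        cmd = keys.get(f"HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command", {}).get("")
        if cmd is not None and cmd != CLEAN_OPEN:
            findings.append(f"{cls} open command hooked: {cmd!r}")
    return findings


# Constructed export for the demo (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoLogOff"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\RUNDLL32.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

Run it against an export taken from an offline copy of the affected registry hives (reg export works on a loaded hive as well as a live system); the hooked exefile command is the one to fix first, since with it in place every .exe launched re-executes the worm.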
Propagation and Spreading Routine
The worm sends itself by e-mail to all addresses found in the user's Outlook address book, using the following subject, body and attachment:
Symantec: New serious virus found
Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
This attachment is the worm itself.
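A mail gateway or triage script can flag this lure by combining the two signals the routine above relies on: a subject and body borrowed from a security vendor's alert, and an executable attachment posing as the "tool". The script below is an added example, not the worm's code or any vendor's product. The phrase list is taken from the subject and body quoted above; the sample messages, including the attachment file name NortonUpdate.exe, are constructed for the demonstration.

```python
"""Flag mail that matches the Gruel lure: an executable attachment sent
under a "new virus found / protective tool" pretext.

Added example, not the worm's code or a vendor product. Sample messages
and the attachment name are constructed; the phrases come from the
subject and body quoted in the article.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat"}
LURE_PHRASES = [
    "new serious virus found",
    "symantec security response",
    "upgraded this threat to a category 5",
    "made this tool attachement",
]


def load(raw):
    """Parse raw RFC 822 bytes into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def executable_attachments(msg):
    """Names of attachments that are executable by extension or by MZ header."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS or payload[:2] == b"MZ":
            names.append(name or "<unnamed>")
    return names


def lure_score(msg):
    """Number of lure phrases present in the subject or plain-text body."""
    text = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content().lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in text)


def is_gruel_lure(raw):
    """True when the lure text and an executable attachment occur together."""
    msg = load(raw)
    return lure_score(msg) >= 2 and bool(executable_attachments(msg))


def build_sample():
    """Constructed message mimicking the lure (not a real capture)."""
    m = EmailMessage()
    m["From"] = "victim@example.test"
    m["To"] = "contact@example.test"
    m["Subject"] = "Symantec: New serious virus found"
    m.set_content(
        "Norton Security Response: has detected a new virus in the Internet. "
        "For this reason we made this tool attachement, to protect your computer "
        "from this serious virus. Due to the number of submissions received from "
        "customers, Symantec Security Response has upgraded this threat to a "
        "Category 5 (Maximum )."
    )
    # Constructed stand-in for the attachment: a PE-like header, nothing more.
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename="NortonUpdate.exe")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message with a non-executable attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today attached.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="notes.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print("lure:", is_gruel_lure(build_sample()))
    print("benign:", is_gruel_lure(build_benign()))
```

Requiring both signals keeps a forwarded copy of a real vendor bulletin (text but no executable) and an ordinary installer sent by a colleague (executable but no lure text) from being flagged; the MZ check catches an executable renamed to a harmless extension.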
Gruel's fake error message, upon closer inspection, has numerous graphical, grammatical and spelling errors which make its fake nature immediately obvious:
- 'Microsoft' is in lower case.
- The fake error message is thinner than a legitimate error message of its specific type.
- 'Windows has encountered a problem a needs to close'
- 'We have created an error message thet you cand send to us'
- 'we will treat this report as confidential and anounymous'
- 'Windows X found serious error' (no error dialog of this type contains this phrase. Although a 'Windows X' (Windows 10) does exist, this is entirely coincidental; more likely, the phrase was meant to vary with the OS version (95, 98, XP) the user was running.)
Thus, the worm takes advantage of impatient users who are likely to click the 'Send and Close' button without taking a closer look at the dialog box itself.
In some cases, Internet Explorer still functions, as seen at the end of this 'review' of Gruel by danooct1.
Microsoft Word still functions, as seen at the end of this 'review' of Gruel by oniaom.
How to remove
A removal guide for Gruel can be found at this link.