Microsoft security software detects and removes this threat.

This virus can infect files with a .exe extension. When these files are run, the virus will run instead.

Find out ways that malware can get on your PC.  

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Virus:Win32/Grenam.A is a companion virus written in Delphi that is 534,016 bytes in size, and infects files with .exe extensions. The exact nature of companion viruses varies; this particular virus replaces legitimate program files with a copy of itself, then, when an infected user runs the program, the virus runs as well. 


Virus:Win32/Grenam.A  may be installed by other malware, or arrive as an email attachment.

Spreads via...

File infection

The virus recursively enumerates folders on drives beginning with the drive C:. The virus will infect files found on mapped networked and attached drives, provided the security context where the virus was run allows it.

Once an executable for infection is found, the virus will copy it as g<original file name>.exe with a "hidden" attribute, and then copy itself with the original program's name and icon; if the icon is not present in the resources of the original file, the virus will use its own icon and will leave a 0 size file g<original file name>.ico, as seen in the image below:

The virus will not infect if it finds that the g<original file name>.exe already exists. It will only infect 123 files at a time, run the original program, then exit. 

Virus:Win32/Grenam.A uses ShellExecute to run a renamed original file. 

Additional information

When run, the virus checks and sets a mutex "Paint" to ensure that a single copy of the virus is running at one time.  

Analysis by Oleg Petrovsky



Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.121.1078.0
Latest detected by definition: 1.193.1582.0 and higher
First detected on: Mar 07, 2012
This entry was first published on: Mar 19, 2012
This entry was updated on: Oct 12, 2014

This threat is also detected as:
  • Win32/Delf.NRJ worm (ESET)
  • W32/Renamer-K (Sophos)
  • Virus.Win32.Renamer.j (Kaspersky)