Virus:Win32/Grenam.A is a companion virus written in Delphi. It is 534,016 bytes in size and infects files with the .exe extension. The exact nature of companion viruses varies; this particular virus replaces legitimate program files with a copy of itself, so that when a user runs an infected program, the virus runs as well.
Virus:Win32/Grenam.A may be installed by other malware, or arrive as an email attachment.
The virus recursively enumerates folders on drives, beginning with drive C:. It will also infect files found on mapped network drives and attached drives, provided the security context in which the virus runs allows it.
Once an executable for infection is found, the virus copies it as g<original file name>.exe with the "hidden" attribute set, and then copies itself under the original program's name and icon. If the original file has no icon in its resources, the virus uses its own icon and leaves a zero-byte file named g<original file name>.ico.
The virus will not infect a file if it finds that g<original file name>.exe already exists. It infects only 123 files at a time, then runs the original program and exits.
Virus:Win32/Grenam.A uses ShellExecute to run the renamed original file.
When run, the virus checks for and sets a mutex named "Paint" to ensure that only a single copy of the virus is running at any one time.
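The on-disk artifacts described above (a 534,016-byte replacement, a hidden g-prefixed copy of the original, and an optional zero-byte .ico file) can be swept for during triage. The following Python script is an added example, not part of the original analysis; it assumes the original `name.exe` is kept as `gname.exe` with `gname.ico` beside it, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

GRENAM_SIZE = 534_016          # size of the virus body given in the write-up
FILE_ATTRIBUTE_HIDDEN = 0x2    # Windows attribute bit; not reported elsewhere


def find_grenam_pairs(root):
    """Return one dict per <name>.exe / g<name>.exe pair matching the write-up."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for lower, actual in by_lower.items():
            if not lower.endswith(".exe"):
                continue
            backup = by_lower.get("g" + lower)   # assumed naming: g + original name
            if backup is None:
                continue
            try:
                host = os.stat(os.path.join(folder, actual))
                moved = os.stat(os.path.join(folder, backup))
            except OSError:
                continue                         # unreadable entry: skip it
            if host.st_size != GRENAM_SIZE:
                continue     # e.g. cc.exe next to gcc.exe is not a match
            attrs = getattr(moved, "st_file_attributes", None)
            ico = by_lower.get("g" + lower[:-4] + ".ico")
            findings.append({
                "replaced": os.path.join(folder, actual),
                "original": os.path.join(folder, backup),
                "original_hidden": None if attrs is None
                                   else bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                "empty_ico": ico is not None
                             and os.path.getsize(os.path.join(folder, ico)) == 0,
            })
    return findings


def build_sample_tree(root):
    """Constructed sample data: one Grenam-style pair and one benign look-alike."""
    sizes = {"notepad.exe": GRENAM_SIZE, "gnotepad.exe": 1000, "gnotepad.ico": 0,
             "cc.exe": 2048, "gcc.exe": 4096}
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_grenam_pairs(tmp):
            print(hit)
```

A size match alone is only a lead: confirm each hit with an antimalware scan before restoring the g-prefixed original over the replaced file.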
Analysis by Oleg Petrovsky