I am Sorry !!!!!
Updated: Jan 17, 2025 12:02 pm
WePC is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Prices subject to change. Learn more
It feels like every other day, we hear about some virus or other causing havoc in critical systems around the world, but how many of them ever stop to apologise? A cybersecurity YouTuber named Eric Parker has unpacked a mysterious virus that seeks only to replicate itself and go on an apologising streak. This is Ground.exe, the “I am Sorry !!!!!” virus.
Not much is known about where Ground.exe came from. Still, it seems to have originated around 2020 when users started to report strange text appearing on .JPG images after pirating content associated with Dark Souls 3. So, let this serve as a cautionary tale against pirating games.
What does Ground.exe do?
This virus seems pretty harmless on the surface, as it’s not known to be any backdoor or info stealer. It just seems to want to replicate and apologise for everything. However, it is destructive by nature in how it goes about replicating. It’s important to note that Windows Defender (and any half-decent antivirus) will flag this file immediately as malicious; however, when pirating games, it’s common for users to disable antivirus software that may interrupt the pirating process.
When run, Ground.exe will start a process and replicate itself with the name of another executable you have in the source folder. It will then take the original.exe, place a “g” before the name, and hide the file. For example, if you had a “games.exe” file that Ground decided to attack, the original file would be named “gGames.exe” and stashed away, where nobody would find it (unless you enable hidden folders in Explorer).
It’s thought this is how the virus spreads and why online posts suggest it originated from Dark Souls 3 content. Users could have unknowingly spread an infected executable file. Once you restart your PC, Ground will make its way into your startup files, and then, it’s pretty much game over. It’ll continue to infect more and more executables until it eventually reaches something critical to Windows.
Here’s a VirusTotal analysis of one of the Ground.exe files roaming the internet. One or two flags could be deemed suspicious, but this thing lit up like a Christmas tree. You can find the root of the virus in AppData/Roaming; that seems to be where it most commonly installs itself.
Where’s the apology?
If you have any .JPG files on your PC, like the executables that are slowly taken over, you’ll notice the text “I am Sorry !!!!!” written in the bottom left corner of JPG photos. Below is an example of what to look out for.
Again, it’s unknown where this virus originated from, but it’s pretty complex in how it operates; Eric Parker does a 10-minute deep dive into how the virus works from a technical point of view, and it’s fascinating.
Eric notes in his video that this virus is still active and must be spreading. When we were researching hash nu,bers for Ground.exe, we noticed a few recent searches indicating that at least a few people are interested in the file (or are infected by it).
How to get rid of Ground.exe?
It depends on what stage of the infection you are at and what files have been infected. The safest port of call is to completely 0-out the drive and re-install Windows. There’s no indication that Ground can infect firmware on GPUs or motherboards; as far as we know, it has to stay within the OS.
One easy tell is to note the file size of whatever you have downloaded. Ground.exe seems always to be 522 KB. So, if you notice a file you think should be bigger, it’s best to steer clear. If you have downloaded an infected file but have not run the executable, it’s safe to trash it.
As always, the best way to get rid of a virus is not to have it in the first place. Ensure you practice safe browsing and do not download anything from unregulated or non-trusted sources. Do not download any software that isn’t directly from the manufacturer; of course, don’t pirate any games. Something you should do, though, is watch Eric Parker’s video on the subject!
