Virus Gedza (Gaggle)
This is a mass-mailing worm.
The worm harvests email addresses from files on the infected computer.
The worm creates copies of itself and several other files in the %System% folder.
NOTE: %System% is a variable. The worm locates the Windows system folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It opens an Internet Explorer window that displays the file %System%\AvrilLavigne.jpg, a decoy image shown while the worm runs.
Adds the values:
"Kernel32"="%System%\Kernel32.win"
"Israfel"="%System%\Israfel.vbs"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Sets the default value to:
"(Default)"="GEDZAC"
in the registry keys:
HKEY_CLASSES_ROOT\regfile\shell\open\command
HKEY_CLASSES_ROOT\keyfile\shell\open\command
The regfile command is what Windows runs when a .reg file is opened, so with the bogus command GEDZAC in place, double-clicking a .reg file no longer merges it into the registry, which obstructs manual repair.
Sets the value:
"Timeout"="0"
in the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Settings
A Timeout of 0 means no timeout, so Windows Scripting Host never terminates the worm's script for running too long.
Sets the value:
"DisableRegistryTools"="1"
in the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
This policy blocks Registry Editor (regedit.exe), so the Run entries above cannot be removed through the GUI while it is in effect.
Copies itself to the remote computer as autorun.vbs. It then overwrites the autoexec.bat file with the line:
@win \autoexec.vbs
so that the script is run when autoexec.bat is processed at boot. This startup vector only applies to Windows 9x/Me; Windows NT-based systems do not execute commands from autoexec.bat.
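The registry changes listed above are the worm's most durable indicators, and because it also breaks the .reg handler and disables Registry Editor, the practical way to check a suspect machine is to export the relevant hives with reg.exe (which does not honour the DisableRegistryTools policy) and inspect the export offline. The script below is an added example, not AnVir's code nor the worm's: it parses a .reg export and reports every indicator from the description that is present. The file name, the sample export and the benign ctfmon.exe entry in it are constructed for illustration.

```python
"""Scan a Windows .reg export for the Gedza registry indicators listed above.

Added example, not code from AnVir or from the worm. On a suspect machine export
the hives of interest, e.g.

    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg

then run `python gedza_ioc.py run.reg` (hypothetical file name). With no
argument the script scans the constructed sample below, so it runs offline.
"""
import re
import sys

# Each indicator is (key, value name, predicate on the decoded data).
# "@" is how .reg files spell a key's (Default) value. The Run entries are
# matched on the file name only, because %System% differs between
# C:\Windows\System and C:\Winnt\System32.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Kernel32", lambda v: v.lower().endswith(r"\kernel32.win")),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Israfel", lambda v: v.lower().endswith(r"\israfel.vbs")),
    (r"HKEY_CLASSES_ROOT\regfile\shell\open\command", "@", lambda v: v == "GEDZAC"),
    (r"HKEY_CLASSES_ROOT\keyfile\shell\open\command", "@", lambda v: v == "GEDZAC"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings",
     "Timeout", lambda v: v == "0"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Settings",
     "Timeout", lambda v: v == "0"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda v: v == "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda v: v == "1"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda v: v == "1"),
]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    # Normalise value data to a string: quoted REG_SZ is unescaped,
    # dword:XXXXXXXX becomes its decimal text, anything else is kept verbatim.
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data


def parse_reg_text(text):
    # Returns {key_lower: {name_lower: data}} for the string and dword values
    # in a .reg export; registry names are case-insensitive, hence the lowering.
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            current = tree.setdefault(km.group("key").lower(), {})
            continue
        vm = _VAL_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else _unescape(vm.group("name"))
            current[name.lower()] = _decode(vm.group("data"))
    return tree


def scan_reg_text(text):
    # Returns [(key, value name, data)] for every indicator present in the export.
    tree = parse_reg_text(text)
    hits = []
    for key, name, match in INDICATORS:
        data = tree.get(key.lower(), {}).get(name.lower())
        if data is not None and match(data):
            hits.append((key, name, data))
    return hits


def scan_reg_file(path):
    # reg.exe writes UTF-16LE with a BOM; the older REGEDIT4 format is ANSI.
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    return scan_reg_text(text)


# Constructed sample export: one benign Run entry plus five of the worm's changes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel32.win"
"Israfel"="C:\\WINDOWS\\SYSTEM\\Israfel.vbs"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="GEDZAC"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    found = scan_reg_file(sys.argv[1]) if len(sys.argv) > 1 else scan_reg_text(SAMPLE_REG)
    for key, name, data in found:
        print(f"HIT  {key}  {name} = {data!r}")
    print(f"{len(found)} Gedza indicator(s) found")
```

The Run values are matched on the file name rather than the full path because the description gives two possible %System% locations; the WSH Timeout and DisableRegistryTools values are accepted as either string or dword, since reg.exe exports them as dword even though the description prints them as strings. Repair goes the same way as detection: reg.exe from a command prompt, not a merged .reg file, since the worm has broken the regfile handler.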
© Copyright 2000-2008 AnVir Software. All Rights Reserved.