W32/Gimlet-A is a worm for the Windows platform.
When first run, W32/Gimlet-A copies itself to:
<Root>\AVG 2007.exe
<Root>\AVG_update_2007.exe
<Windows>\Resources\System.scr
<System>\Notepad.scr
<System>\Proposal.scr
and creates the following files:
<Root>\W32.PIGLET II.jpg - may be deleted
<Root>\autorun.inf - may be deleted
The worm may create additional copies of itself and autorun.inf on removable storage devices, in order to spread.
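As an added example (not part of the original description, whose text does not give the contents of the worm's autorun.inf), the Python below parses an autorun.inf read from a removable volume and flags any entry that launches a program, reporting a match when the launched file is one of the <Root> copies listed above. The sample autorun.inf is constructed for the example.

```python
import configparser
import ntpath

# File names the description lists for the worm's copies at <Root>.
GIMLET_ROOT_FILES = {"avg 2007.exe", "avg_update_2007.exe"}
# [autorun] keys that launch a program (directly, or through a shell verb's command).
EXEC_KEYS = {"open", "shellexecute", "command"}
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")


def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as {lower-case key: value}.
    The section name is matched case-insensitively; duplicate keys keep the last value.
    Interpolation is off so arguments such as %1 do not break parsing."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in parser.items(section)}
    return {}


def referenced_file(value):
    """Base name (lower-cased) of the program an autorun value points at,
    allowing for surrounding quotes and trailing arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        program = value[1:end] if end > 0 else value[1:]
    elif value.lower().endswith(EXEC_EXTENSIONS):
        program = value            # unquoted path with spaces and no arguments
    else:
        program = value.split()[0] if value else ""
    return ntpath.basename(program).lower()


def assess_autorun(text):
    """Classify one autorun.inf: any execution key is suspicious on removable media;
    a target matching a file name from the description is reported as a match."""
    section = parse_autorun(text)
    executes = [(key, referenced_file(value)) for key, value in section.items()
                if key.split("\\")[-1] in EXEC_KEYS]
    known = any(name in GIMLET_ROOT_FILES for _, name in executes)
    if known:
        verdict = "match: autorun.inf launches a file name listed for W32/Gimlet-A"
    elif executes:
        verdict = "suspicious: autorun.inf launches a program"
    else:
        verdict = "no execution keys present"
    return {"verdict": verdict, "executes": executes, "known_gimlet": known}


# Constructed sample for this example; it is not the worm's real autorun.inf.
SAMPLE_AUTORUN = """[AutoRun]
open="AVG 2007.exe"
shellexecute="AVG 2007.exe"
shell\\open\\command="AVG 2007.exe"
action=Open folder to view files
label=Removable Disk
"""

if __name__ == "__main__":
    result = assess_autorun(SAMPLE_AUTORUN)
    print(result["verdict"])
    for key, target in result["executes"]:
        print(f"  {key} -> {target}")
```

The "action" and "label" keys are the social-engineering part of a typical removable-media autorun.inf (they make the Autoplay entry look like the normal "open folder" option); the check ignores them and keys only on entries that cause execution.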
The following registry entries are created to run Notepad.scr on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EYORE
<System>\Notepad.scr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EYORE
<System>\Notepad.scr
The following registry entry is set, disabling system software (the command prompt):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetTaskbar
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
EYORE
<System>\Notepad.scr
HKLM\SOFTWARE\Policies\Microsoft\Windows NT
DisableConfig
1
HKLM\SYSTEM\CurrentContolSet\Control\SafeBoot
AlternateShell
<System>\Notepad.scr %1 %*
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCR\Unknown\shell\openas\command
(default)
<System>\Notepad.scr %1 %*
Registry entries are created under:
HKCR\Flash.Movie\shell\open\command
HKCR\movfile\shell\open\command
HKCR\phpfile\shell\open\command
HKCR\scrfile\DefaultIcon
These registry entries may override the default handlers for the above file types.
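An added example, not taken from the original description: the Python below parses a registry export (the text format written by reg export) and reports which of the registry entries listed above are present with the reported data. The <System>, <Windows> and <Root> placeholders are expanded to C:\WINDOWS\system32, C:\WINDOWS and C: (assumed default locations; change them for the host being examined), key paths are copied as printed above, and the sample export is constructed for the example rather than taken from an infected machine.

```python
import re

# Placeholder expansion, assumed for a default Windows XP layout; adjust for the host.
PLACEHOLDERS = {"<System>": r"C:\WINDOWS\system32", "<Windows>": r"C:\WINDOWS", "<Root>": "C:"}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}

# (key, value name, data) triplets as printed in the description above.
GIMLET_REGISTRY_IOCS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "EYORE", r"<System>\Notepad.scr"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "EYORE", r"<System>\Notepad.scr"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoSetFolders", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoSetTaskbar", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp", "Disabled", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "EYORE", r"<System>\Notepad.scr"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT", "DisableConfig", 1),
    # SafeBoot key path copied exactly as printed in the description.
    (r"HKLM\SYSTEM\CurrentContolSet\Control\SafeBoot", "AlternateShell", r"<System>\Notepad.scr %1 %*"),
    (r"HKCR\Unknown\shell\openas\command", "(default)", r"<System>\Notepad.scr %1 %*"),
]

# "Name"=data or @=data (default value); the name may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {lower-case key path: {lower-case value name: data}}.
    Handles REG_SZ ("...", with \\ and \" unescaped) and REG_DWORD (dword:hex);
    other value types are skipped. The default value is stored as "(default)"."""
    registry, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            registry.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name = "(default)" if m.group(2) else m.group(1).replace('\\"', '"')
        data = m.group(3)
        if data.startswith("dword:"):
            registry[current][name.lower()] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            registry[current][name.lower()] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return registry


def expand(data):
    """Replace the description's placeholders in string data; leave numbers alone."""
    if isinstance(data, str):
        for placeholder, real in PLACEHOLDERS.items():
            data = data.replace(placeholder, real)
    return data


def find_gimlet_indicators(registry):
    """Return the (key, name, data) triplets from the description that are present
    in the parsed export with the reported data (strings compared case-insensitively)."""
    hits = []
    for key, name, data in GIMLET_REGISTRY_IOCS:
        hive, _, rest = key.partition("\\")
        values = registry.get((HIVES[hive] + "\\" + rest).lower(), {})
        if name.lower() in values and \
                str(values[name.lower()]).lower() == str(expand(data)).lower():
            hits.append((key, name, data))
    return hits


# Constructed sample export; mixes listed indicators with ordinary values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EYORE"="C:\\WINDOWS\\system32\\Notepad.scr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_CLASSES_ROOT\Unknown\shell\openas\command]
@="C:\\WINDOWS\\system32\\Notepad.scr %1 %*"
"""

if __name__ == "__main__":
    for key, name, data in find_gimlet_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key} | {name} = {expand(data)}")
```

Only entries whose data matches exactly are reported, so a value that was already present with different content (the stock AlternateShell of cmd.exe in the sample) is not counted. The Run, Winlogon, SafeBoot and HKCR\Unknown entries are all ways of getting Notepad.scr started again after cleanup, so a responder checks every one of them rather than stopping at the first Run key found.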