Sophos

W32/Gommer-A

Aliases
  • IRC/Flood.mirc

How it spreads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 20 February 2006 11:26:27 (GMT)
Detected by All Sophos products

More Information

W32/Gommer-A is a worm for the Windows platform.

W32/Gommer-A spreads via the mIRC chat program. The worm sends the following messages to users on the same channel, with a link to the worm:

"WARNING :: Ur' Pc has been Infected by Backdoor.IRC.Jemput Virus!! Plzz remove it! If not U will be permanently Banned from server. Use <link> to remove the virus"

"CUIDADO!! :: Seu PC esta infectado pelo virus Backdoor.IRC.Jemput. Se voce nao remove-lo sera permanentemente banido da rede. Para remover este virus, utilize esta vacina: <link>"

"Gerador de creditos para celular gratis! Gera creditos de todas as operadoras do Brasil!! Baixe em <link>"

"Baixe agora mesmo o Gerador Steam de CS para jogar nos servidores originais! Acesse ja o link <link> e divirta-se"

W32/Gommer-A includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Gommer-A copies itself to <Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \userinit.exe and creates the following files:

<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\config.sys
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\cwin.ini
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\kernel.dll
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\stream.ocx
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\svchost.exe
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\users.cfg
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\wget.exe
<Common Files>\system\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\zip.exe

These files are all clean, and may safely be deleted.

The following registry entry is created to run userinit.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Hosting
<Common Files>\System\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \USERINIT.exe

The following registry entries are set or modified so that svchost.exe is run whenever a file with the .CHA or .IRC extension is opened or launched:

HKCR\ChatFile\Shell\open\command
(default)
<Common Files>\System\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\svchost.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<Common Files>\System\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\svchost.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<Common Files>\System\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\svchost.exe

HKCR\irc\DefaultIcon
(default)
<Common Files>\System\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA) \system\svchost.exe
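The Run entry and the ChatFile/irc file-association changes listed above are the persistence indicators a responder would check for. The script below is an added example, not Sophos's own tooling: it parses a Windows .reg export (the text format written by `reg export`), then flags a Run value named "Windows Service Hosting" or pointing into the GUID folder named in the write-up, and any ChatFile or irc open command that launches an svchost.exe (a legitimate chat association points at the chat client, never at svchost.exe). The .reg text embedded in the script is constructed for illustration; the ctfmon.exe and mirc.exe entries are benign filler.

```python
"""Check a Windows .reg export for the W32/Gommer-A persistence entries.

Added example (not from the Sophos write-up). Only the subset of .reg syntax
needed here is parsed: [key] headers and string values of the form
"name"="value" or @="value". Hex, DWORD and multi-line values are skipped.
"""
import re
from typing import Dict, List, Tuple

# Indicators copied from the write-up. reg export writes full hive names,
# so HKLM/HKCR from the description become HKEY_LOCAL_MACHINE/HKEY_CLASSES_ROOT.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows Service Hosting"
ASSOC_KEYS = (
    r"HKEY_CLASSES_ROOT\ChatFile\Shell\open\command",
    r"HKEY_CLASSES_ROOT\irc\Shell\open\command",
)
GOMMER_FOLDER = "5BB5AD01-5EF7-40EC-93C7-5B152124146CA"  # folder name as printed in the write-up

# Constructed sample export: one infected Run value, one hijacked ChatFile
# association, and two benign entries that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"Windows Service Hosting"="C:\\Program Files\\Common Files\\system\\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA)\\USERINIT.exe"

[HKEY_CLASSES_ROOT\ChatFile\Shell\open\command]
@="\"C:\\Program Files\\Common Files\\System\\(5BB5AD01-5EF7-40EC-93C7-5B152124146CA)\\system\\svchost.exe\" -noconnect"

[HKEY_CLASSES_ROOT\irc\Shell\open\command]
@="\"C:\\Program Files\\mIRC\\mirc.exe\" \"%1\""
'''

_VALUE_RE = re.compile(r'^(?:@|"([^"]*)")="(.*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}}; the default value is stored as "(default)"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:  # non-string values (dword:, hex:) do not match and are ignored
            name = "(default)" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def find_gommer_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, name_or_key, data) for each entry matching the write-up."""
    findings: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == RUN_VALUE_NAME or GOMMER_FOLDER.lower() in data.lower():
            findings.append(("run_key", name, data))
    for key in ASSOC_KEYS:
        data = keys.get(key, {}).get("(default)")
        if data is None:
            continue
        low = data.lower()
        # A chat-file association should launch the chat client; svchost.exe
        # (or the worm's GUID folder) in the open command is the hijack.
        if "svchost.exe" in low or GOMMER_FOLDER.lower() in low:
            findings.append(("file_association", key, data))
    return findings


def scan_reg_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse an export and return its Gommer-A findings."""
    return find_gommer_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for kind, where, data in scan_reg_text(SAMPLE_REG_EXPORT):
        print(f"[{kind}] {where} -> {data}")
```

On a live system the same checks apply to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the two HKCR keys; a match on the Run value alone does not prove the file-association hijack is present, so the association keys should be exported and checked as well before cleanup.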
