Sophos

W32/Gimlet-A

Aliases
  • Win32/VB.GY
  • worm
  • Worm.Win32.VB.gy
  • Generic.dx

Summary

How it spreads
  • Removable storage devices
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from August 2007 (4.20)
Protection available since 9 June 2007 15:13:37 (GMT)
Detected by All Sophos products

More Information

W32/Gimlet-A is a worm for the Windows platform.

When first run, W32/Gimlet-A copies itself to:

<Root>\AVG 2007.exe
<Root>\AVG_update_2007.exe
<Windows>\Resources\System.scr
<System>\Notepad.scr
<System>\Proposal.scr

and creates the following files:

<Root>\W32.PIGLET II.jpg - may be deleted
<Root>\autorun.inf - may be deleted

The worm may create additional copies of itself and autorun.inf on removable storage devices in order to spread.

The following registry entries are created to run Notepad.scr on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EYORE
<System>\Notepad.scr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EYORE
<System>\Notepad.scr

The following registry entry is set, disabling system software (the Windows command prompt):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetTaskbar
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
EYORE
<System>\Notepad.scr

HKLM\SOFTWARE\Policies\Microsoft\Windows NT
DisableConfig
1

HKLM\SYSTEM\CurrentContolSet\Control\SafeBoot
AlternateShell
<System>\Notepad.scr %1 %*

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCR\Unknown\shell\openas\command
(default)
<System>\Notepad.scr %1 %*

Registry entries are created under:

HKCR\Flash.Movie\shell\open\command
HKCR\movfile\shell\open\command
HKCR\phpfile\shell\open\command
HKCR\scrfile\DefaultIcon

These registry entries may override the default handlers for the above types.
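The following script is an added example and is not part of the Sophos analysis: a read-only check of a Windows host for the file and registry indicators listed above, for use when triaging a suspected infection. It assumes <Root> is the root of the system drive and takes <Windows> and <System> from the environment; the heuristic for the four handler keys (flag only when they point at Notepad.scr) is an assumption, since the page does not give their data.

```powershell
# Added example, not part of the Sophos page: read-only check of a Windows host for the
# W32/Gimlet-A file and registry indicators listed above. Run from an elevated PowerShell
# so HKLM values are readable. Assumes <Root> is the system drive root; <Windows> and
# <System> are taken from the environment.
$sys  = [Environment]::SystemDirectory    # the page's <System>
$win  = $env:SystemRoot                   # the page's <Windows>
$root = $env:SystemDrive                  # the page's <Root> (e.g. C:)

$files = "$root\AVG 2007.exe", "$root\AVG_update_2007.exe", "$win\Resources\System.scr",
         "$sys\Notepad.scr", "$sys\Proposal.scr", "$root\W32.PIGLET II.jpg", "$root\autorun.inf"

# Value/data pairs from the page. The page prints the SafeBoot key as 'CurrentContolSet';
# the real key is CurrentControlSet, which is what is checked. The Explorer\Advanced values
# (Hidden, HideFileExt, ...) are left out because they are common legitimate settings.
$values = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                Name = 'EYORE';          Data = "$sys\Notepad.scr" }
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                Name = 'EYORE';          Data = "$sys\Notepad.scr" }
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Name = 'EYORE';          Data = "$sys\Notepad.scr" }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableCMD';     Data = 1 }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Name = 'NoSetFolders';   Data = 1 }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Name = 'NoSetTaskbar';   Data = 1 }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp'; Name = 'Disabled';       Data = 1 }
  @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT';                       Name = 'DisableConfig';  Data = 1 }
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';                    Name = 'AlternateShell'; Data = "$sys\Notepad.scr %1 %*" }
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\Unknown\shell\openas\command';           Name = '(default)';      Data = "$sys\Notepad.scr %1 %*" }
)

$hits = @()
foreach ($f in $files) {
  if (Test-Path -LiteralPath $f) { $hits += "file  $f" }
}
foreach ($v in $values) {
  $item = Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }
  $actual = $item.($v.Name)
  # Compare as strings so DWORD 1 and the page's "1" match; -eq is case-insensitive for paths.
  if ($null -ne $actual -and "$actual" -eq "$($v.Data)") { $hits += "reg   $($v.Key) [$($v.Name)] = $actual" }
}
# Handler keys the page says are created: the page gives no data, so (assumed heuristic)
# flag them only when their (default) value now points at Notepad.scr.
foreach ($k in 'Flash.Movie\shell\open\command', 'movfile\shell\open\command',
               'phpfile\shell\open\command', 'scrfile\DefaultIcon') {
  $d = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$k" -ErrorAction SilentlyContinue).'(default)'
  if ("$d" -like '*Notepad.scr*') { $hits += "reg   HKCR\$k (default) = $d" }
}
if ($hits.Count -gt 0) { "W32/Gimlet-A indicators found:"; $hits } else { "No W32/Gimlet-A indicators found." }
```

A hit on the SafeBoot AlternateShell or HKCR\Unknown values matters most, since those persist the worm even in Safe Mode and when opening unregistered file types.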
