Sophos

VBS/Gormlez-A


Summary

 
How it spreads: Email attachments
Affected operating systems: Windows
Characteristics: Installs itself in the registry
Included in our products from: July 2005 (3.95)
Protection available since: 24 January 2005 21:31:26 (GMT)
Last updated: 27 May 2005 21:55:13 (GMT)
Detected by: All Sophos products

More Information

VBS/Gormlez-A is an email and P2P worm written in VBS.

VBS/Gormlez-A may attempt to display a message box with the title "This is the w0rk of g0mez" and the body text "Y0ur c0mputer has been infected by G0mez!".

VBS/Gormlez-A attempts to copy itself to the following locations:

C:\Hello.vbs
C:\WINDOWS\System32\VBS_Update-0548656X.vbs
C:\WINDOWS\WinFIX1.0.vbs
C:\WINDOWS\WinUpdater5.0.vbs
C:\ICQNET.vbs
C:\WINDOWS\System32\G0mez.vbs

VBS/Gormlez-A attempts to set the following entries so as to run the copies when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VBS_AUTO_UPDATE = "C:\WINDOWS\System32\VBS_Update-0548656X.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FIX = "C:\WINDOWS\WinFIX1.0.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UPDATE = "C:\WINDOWS\WinUpdater5.0.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ = "C:\ICQNET.vbs"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\G0mez = "C:\WINDOWS\Systems32\G0mez.vbs"

VBS/Gormlez-A looks for the presence of the following folders:

C:\Program Files\KMD\My Shared Folder
C:\Program Files\KaZaA Lite\My Shared Folder
C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\BearShare\Shared
C:\Program Files\Edonkey2000\Incoming

If these folders exist, VBS/Gormlez-A copies itself to them with the following filenames:

Porno-Pic.Jpg.vbs
Cool-Games.Exe.vbs
IN-DA-CLUB.Mp3.vbs
SecretFBIDocs.doc.vbs
HowToRipDVDs.txt.vbs
PORNO.mpg.vbs
COOL-GAMES.exe.vbs

VBS/Gormlez-A attempts to set the following registry entries, which hide all drives in Explorer, remove the Run command, disable MS-DOS (16-bit) applications and disable the registry editing tools:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = 0x03ffffff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
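As an added example (not Sophos code), the following Python scans a Windows .reg export for the Run entries and the Policies values listed above; the export text, the benign "Example Helper" and "Backup" entries and the function names are constructed for illustration. It goes slightly beyond the description by flagging any Run entry that launches a .vbs file, not only the value names this worm uses.

```python
import re

GORMLEZ_RUN_NAMES = {"VBS_AUTO_UPDATE", "FIX", "UPDATE", "ICQ", "G0mez"}  # from the description
GORMLEZ_POLICIES = {  # (key suffix, value name): value the worm writes
    (r"Policies\Explorer", "NoDrives"): 0x03FFFFFF, (r"Policies\Explorer", "NoRun"): 1,
    (r"Policies\WinOldApp", "Disabled"): 1, (r"Policies\System", "DisableRegistryTools"): 1}

# Constructed .reg export (not a real capture): a benign entry, two Gormlez
# entries, one unrelated .vbs autorun, and two of the policy values.
CONSTRUCTED_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Helper"="C:\\Program Files\\Example\\helper.exe"
"VBS_AUTO_UPDATE"="\"C:\\WINDOWS\\System32\\VBS_Update-0548656X.vbs\""
"FIX"="\"C:\\WINDOWS\\WinFIX1.0.vbs\""
"Backup"="C:\\Tools\\backup.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
"NoRun"=dword:00000001
'''

def parse_reg(text):
    """Parse [key] headers, "name"="string" and "name"=dword:hex into {key: {name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg \\ and \" escaping
            else:
                value = raw  # hex: and other types are left as written
            current[name.strip('"')] = value
    return keys

def find_gormlez_indicators(reg_text):
    """Flag every .vbs autorun (the worm's own value names tagged) and the policy lockouts."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if str(data).lower().rstrip('"').endswith(".vbs"):
                    tag = "known Gormlez name" if name in GORMLEZ_RUN_NAMES else "VBS autorun"
                    findings.append(f"{tag}: {name} -> {data}")
        for (suffix, vname), bad in GORMLEZ_POLICIES.items():
            if key.endswith(suffix) and values.get(vname) == bad:
                findings.append(f"policy lockout: {suffix}\\{vname} = {bad:#x}")
    return findings
```

On a real host, feed it the output of `reg export` for the HKLM Run key and the HKCU Policies tree instead of the constructed text.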

VBS/Gormlez-A attempts to email itself using Microsoft Outlook Express to addresses found in the infected computer's Windows address book. Emails sent have the following characteristics:

Subject line:
Re: Hello

Message text:
Hey There :-)

Attached filename:
Hello.vbs

VBS/Gormlez-A may write entries in the registry under HKCU\Software\Microsoft\WAB in order to count emails sent.

VBS/Gormlez-A may attempt to drop a file C:\WARNING.txt containing the following text:

You have been infected by G0mez!
Go to any AV sites and update you AV software !!!

- Best Regards: G0mez Author

VBS/Gormlez-A may attempt to shut down the infected computer, sometimes displaying a message box in the process which contains text including "G0mez will now shutdown the computer!".

VBS/Gormlez-A may attempt to replace files it finds with extensions DLL, VBS, VBE, EXE or WSH with a copy of itself but with a VBS extension. VBS/Gormlez-A may also replace files called "Norton" with a copy of itself.
