
02 Nov 2006

Worm poses as Google Gmail update, steals email account details

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have added detection for a "proof-of-concept" spyware worm which poses as a patch for Google's popular Gmail email service.

The W32/Gfail-A worm has been designed to spread via email, but appears to have been intentionally crippled by its author. The worm uses social engineering to entice recipients into clicking on a malicious attachment purporting to be a security update for Gmail's notifier, but actually attempts to steal usernames and passwords from users of the email service.

The emails have the following characteristics:

Subject line: Critical patch for Gmail Notifier and Gmail web services!

Message text:
Dear User,
due to the recent discoveries of a password vulnerability in Gmail Notifier and a HTML-weakness on the Gmail website, we've after due consideration decided to release an update by e-mail to ensure that our customers are updated with the latest protection.

Please consult the attachment for more information. The details can be found below.


The Gmail Team

Attached to the email is a copy of the worm (using a filename chosen from GmailFix.rar, GmailUpdate.rar, GmailHotfix.rar, GmailPatch.rar, GmailUpdate.exe, gnotify.exe, GmailHotfix.exe, GmailUpdater.exe, or gmailupd.exe). Running this program displays a messagebox claiming that installation was successful, and that users should now log into their Gmail account.
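The indicators above (the fixed subject line, the list of attachment names, and the "The Gmail Team" sign-off) are exactly what a mail gateway rule would key on. The following is an added example written for this page, not Sophos detection code: it turns those indicators into a small Python check and generalises one step beyond the release by also flagging any executable or archive attachment whose name references Gmail, since the release itself lists nine variants of that pattern. The sample messages and the sender domain `example.net` are constructed, and the sender-domain check is only a weak heuristic, because the From header of an email can be forged.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Indicators quoted in the Sophos press release on W32/Gfail-A.
GFAIL_SUBJECT = "Critical patch for Gmail Notifier and Gmail web services!"
GFAIL_ATTACHMENTS = {
    "gmailfix.rar", "gmailupdate.rar", "gmailhotfix.rar", "gmailpatch.rar",
    "gmailupdate.exe", "gnotify.exe", "gmailhotfix.exe", "gmailupdater.exe",
    "gmailupd.exe",
}

# Generalisation (an assumption of this example, not stated in the release):
# any executable/archive attachment with a Gmail-themed name is worth a look.
SUSPICIOUS_EXT = {".exe", ".rar", ".zip", ".scr", ".com", ".pif"}
GMAIL_NAME = re.compile(r"g(mail|notify)", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def gfail_indicators(msg: Email) -> List[str]:
    """Return a list of human-readable reasons this message looks like the lure."""
    hits: List[str] = []

    # 1. Exact subject line used by the worm.
    if msg.subject.strip().lower() == GFAIL_SUBJECT.lower():
        hits.append("subject matches W32/Gfail-A lure")

    # 2. Attachment names: known list first, then the Gmail-themed generalisation.
    for name in msg.attachments:
        low = name.lower()
        if low in GFAIL_ATTACHMENTS:
            hits.append(f"attachment {name} is a known Gfail filename")
        else:
            ext = low[low.rfind("."):] if "." in low else ""
            if ext in SUSPICIOUS_EXT and GMAIL_NAME.search(low):
                hits.append(f"attachment {name}: Gmail-themed {ext} file")

    # 3. Signed "The Gmail Team" but not sent from a Google domain.
    #    Weak on its own: the From header is attacker-controlled unless the
    #    gateway also verifies SPF/DKIM, so treat this as supporting evidence.
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if "the gmail team" in msg.body.lower() and not (
        domain == "google.com" or domain.endswith(".google.com")
    ):
        hits.append(f"signed 'The Gmail Team' but sent from {domain}")

    return hits


def is_gfail_lure(msg: Email) -> bool:
    """Two or more independent indicators is a confident match."""
    return len(gfail_indicators(msg)) >= 2


# Constructed sample messages (not real captures).
LURE = Email(
    sender="gmail-team@example.net",
    subject=GFAIL_SUBJECT,
    body="Dear User,\nPlease consult the attachment for more information.\n\nThe Gmail Team",
    attachments=["GmailHotfix.exe"],
)
BENIGN = Email(
    sender="alice@example.org",
    subject="Holiday photos",
    body="See attached, Alice",
    attachments=["photos.zip"],
)
THEMED = Email(
    sender="bob@example.org",
    subject="hi",
    body="try this",
    attachments=["GMAIL_patch_v2.exe"],
)

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN), ("themed", THEMED)):
        print(label, is_gfail_lure(msg), gfail_indicators(msg))
```

In practice the exact-subject and known-filename rules age quickly, which is why the generalised attachment rule and the sender check are there: they still fire on the "future incarnations" the release warns about, at the cost of needing a second indicator before the message is blocked rather than merely flagged.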

When executed the Gfail worm displays a bogus installation message.

However, the login screen displayed is fake and computer users who enter their details risk having their Gmail username and password stolen. The worm also attempts to turn off security-related programs, leading to the possibility of further hacker intrusion onto infected PCs.

"The guys at Google would never use email to get a security fix to their users, so clued-up internet users should be instantly suspicious if they receive this kind of message in their inbox," said Graham Cluley, senior technology consultant for Sophos. "If hackers manage to steal your Gmail username and password then they could not only spy on you and read your past messages, but also potentially commit identity fraud that could lead to serious financial consequences. The good news is that this worm isn't capable of spreading successfully, but future incarnations may pose a greater danger. People need to be more aware of the risks connected to running unsolicited email attachments."

The Gfail worm displays a fake login screen to steal usernames and passwords.

According to experts at Sophos, more and more malicious software is being written with the intention of spying on innocent users and stealing information from them for financial gain.

"With people increasingly living their lives online, it's essential that people secure their computers and behave safely when on the internet," continued Cluley. "Hackers who gain access to your web email account may not only be able to send emails in your name, but may also stumble across usernames and passwords for other websites you have registered with, past purchases and credit card information, and even have access to your calendar and diary."

Interestingly, hidden inside the worm's code is the following message from the malware's author which never gets displayed to infected users:

To AVers and the Gmail team - this project isn't and will never be intended to steal any account details from ANYBODY, instead it's just demonstrating an implementation of social-engineering for a software used by thousands or maybe even millions of people around the world with not much work. Thanks. ;)

Although the worm does not appear to spread successfully and cannot be considered a serious threat in its present form, Sophos has been automatically protecting its customers against the W32/Gfail-A worm since 7:40 GMT on 2 November 2006.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as secure their desktop and servers with automatically updated protection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at