W32.Galil@mm

Risk Level 2: Low

Discovered: December 4, 2002
Updated: February 13, 2007 11:48:34 AM
Also Known As: W32.Holar.C@mm, W32/Holar.c@MM [McAfee], W32/Lagel.A [Panda], Win32.Holar.C [CA], WORM_HOLAR.C [Trend], I-Worm.Galil [KAV]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

W32.Galil@mm is a mass-mailing worm. After sleeping about 15 minutes, it may overwrite all files in all folders on all writeable drives with 215 bytes of text. It deletes all files on drives D, E, F, and G. It is written in the Microsoft Visual Basic (VB) programming language and compressed with UPX. The size is 80,626 bytes after it is unpacked.

The worm uses its own SMTP engine or Microsoft Outlook to send itself to all addresses that it finds in files on the infected computer. Multiple copies of the worm can be attached to the outgoing email message. The message has the following characteristics:

Subject: Fwd: Crazy illegal sex !
Message:
Note: forwarded message attached.

The message is disguised as having been forwarded from a Yahoo account. Following the fake Yahoo forwarded headers, the message continues with the following text:

Hii

Is it really illegal in da USA?
who knows :P
if u have a weak heart i warn u
DON'T see dis Clip.
Emagine two young children havin
crazy sex fo da first time togetha !
loooool i'm still wonderin where thier
parents were?

Good ?uck , oh sorry:">
i mean Good Luck :)

Bye

Attachment: iLLeGal.exe
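
The message characteristics above can be checked at a mail gateway or during mailbox triage. The following is an added example, not part of the original write-up or any Symantec tooling; the function names and the sample messages are constructed for illustration, and only the subject, body note and attachment name come from this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the write-up; compared case- and whitespace-insensitively.
SUBJECT = "fwd: crazy illegal sex !"
ATTACHMENT = "illegal.exe"
BODY_NOTE = "note: forwarded message attached."


def _norm(text):
    return " ".join((text or "").split()).lower()


def galil_indicators(raw):
    """Return the write-up's indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) == SUBJECT:
        hits.append("subject")
    copies = 0
    for part in msg.walk():  # also descends into nested/forwarded parts
        name = part.get_filename()
        if name:
            copies += _norm(name) == ATTACHMENT
        elif part.get_content_type() == "text/plain":
            if BODY_NOTE in _norm(part.get_content()) and "body-note" not in hits:
                hits.append("body-note")
    if copies:
        hits.append("attachment")
    if copies > 1:  # the worm may attach several copies of itself
        hits.append("multiple-copies")
    return hits


def build_sample(subject, body, filename, copies=1):
    """Constructed test message; the attachment bytes are an inert placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    for _ in range(copies):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Fwd: Crazy illegal sex !",
                             "Note: forwarded message attached.\n\nHii\n", "iLLeGal.exe", 2)
    print(galil_indicators(worm_like))
```

A name-and-subject match is only a triage signal; the antivirus definitions listed below remain the authoritative detection.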

NOTE: Definitions dated prior to December 6, 2002, may detect this threat as W32.Holar.C@mm.

Antivirus Protection Dates

  • Initial Rapid Release version December 5, 2002
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 5, 2002
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date December 6, 2002

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: High

Distribution

  • Distribution Level: High
Writeup By: Yana Liu
