Discovered: April 6, 2004
Updated: February 13, 2007 12:21:03 PM
Also Known As: I-Worm.Gedza [Kaspersky], VBS/Gedza.A [F-Prot]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows XP
When VBS.Gaggle.D runs, it does the following:
- Creates some of the following copies of itself in the %System% folder:
- File.vbs
- Gedzac.vbs
- Israfel.vbs
- pubprn.vbs
- Kernel32.win
- Mouse_configurator.win
- Winmgd.win
- Backup.vbs
- Template.htm (A .html file containing the worm.)
- Filezip.zip (A .zip archive of the worm.)
Notes:
- %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- The worm may insert garbage data into the files, so the file sizes vary.
- Creates the following files in the %System% folder:
- Regsrv.exe (17,409 bytes. Detected as Trojan.KillAV.)
- Sendi.exe (30,721 bytes. A component of the worm.)
- Pkzip.exe (A legitimate program.)
- AvrilLavigne.jpg (12,549 bytes. A .jpg file.)
- C:\Estigma.hta (354 bytes. A harmless .html file.)
- iwn.dat
- iw.dat
- ixn.dat
- ix.dat
Note: The worm attempts to use the .dat files to infect Microsoft Word and Excel files.
- Opens an Internet Explorer window and displays the file %System%\AvrilLavigne.jpg.
- Adds the values:
- "Kernel32"="%System%\Kernel32.win"
- "Israfel"="%System%\Israfel.vbs"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Modifies the default value to:
"(Default)"="GEDZAC"
in the registry keys:
- HKEY_CLASSES_ROOT\regfile\shell\open\command
- HKEY_CLASSES_ROOT\keyfile\shell\open\command
- Modifies the value:
"Timeout" = "0"
in the registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Settings
- Modifies the value to:
"DisableRegistryTools" = "1"
in the registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Copies %comshell% to all the hard drives as \inetpub\scripts\israfel.exe.
Note: %comshell% is a variable. The worm locates the default command shell. For example, this can be command.com or cmd.exe.
- Creates an iisroot.asp file in the \inetpub\wwwroot folder and its subfolders. This file is not viral by itself.
- Modifies the following line in the [boot] section of the System.ini file:
shell=Explorer.exe %System%\winmgd.win
so that the worm runs when you start Windows 95/98/Me.
- Modifies the following line in the [windows] section of the Win.ini file:
run=%System%\mouse_configurator.win
so that the worm runs when you start Windows 95/98/Me.
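The registry and INI changes above (the Run values, the .reg/.key handler replacement, the WSH Timeout and DisableRegistryTools policy values, and the System.ini/Win.ini loader lines) can be checked mechanically. The script below is an added example, not Symantec's own tooling: it takes a snapshot of registry values and the two INI files and reports which of the documented changes are present. The snapshot layout (a dict of `KEY\ValueName` to data, with `(Default)` for a key's default value) and the sample data are constructed for illustration.

```python
# Added example (not Symantec's tooling): scan a registry/INI snapshot for the VBS.Gaggle.D
# changes listed above. Assumed layout: {'KEY\\ValueName': data}, '(Default)' = default value.
WORM_FILES = {"kernel32.win", "israfel.vbs", "winmgd.win", "mouse_configurator.win"}

def _basename(data):
    tokens = data.strip().strip('"').split()  # first token of a command line
    return tokens[0].split("\\")[-1].lower() if tokens else ""

def _ini_value(text, section, key):
    current = None  # section currently being read, lower-cased
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key:
                return v.strip()
    return None  # key absent from that section

def find_indicators(registry, system_ini="", win_ini=""):
    found = []  # human-readable findings; empty list means nothing matched
    for name, data in registry.items():
        k, _, v = name.lower().rpartition("\\")  # key path and value name
        if k.endswith(r"\currentversion\run") and _basename(data) in WORM_FILES:
            found.append(f"Run value starts worm file: {name} = {data}")
        elif k.endswith(r"\shell\open\command") and v == "(default)" and data == "GEDZAC":
            found.append(f"file-type handler replaced by GEDZAC: {name}")
        elif k.endswith(r"windows scripting host\settings") and v == "timeout" and data == "0":
            found.append(f"WSH script Timeout set to 0: {name}")
        elif k.endswith(r"\policies\system") and v == "disableregistrytools" and data == "1":
            found.append(f"DisableRegistryTools set: {name}")
    # Windows 95/98/Me loaders: System.ini [boot] shell= and Win.ini [windows] run=
    for label, text, section, key in (("System.ini shell=", system_ini, "boot", "shell"),
                                      ("Win.ini run=", win_ini, "windows", "run")):
        hits = [t for t in (_ini_value(text, section, key) or "").split() if _basename(t) in WORM_FILES]
        if hits:
            found.append(f"{label} loads {hits[0]}")
    return found

SAMPLE_REGISTRY = {  # constructed snapshot of an infected Windows 98 host
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kernel32": r"C:\WINDOWS\SYSTEM\Kernel32.win",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Israfel": r"C:\WINDOWS\SYSTEM\Israfel.vbs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command\(Default)": "GEDZAC",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout": "0",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": "1",
}
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\winmgd.win\n[386Enh]\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\mouse_configurator.win\n"
```

Matching is by file name rather than full path because %System% expands differently per Windows version; the benign ScanRegistry entry in the sample shows that ordinary Run values are not reported.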
- If the date of the system clock is the third day of the month, the file C:\Estigma.hta is displayed. This file only contains text.
- If the date of the system clock is the 19th day of the month, a message box with the following text will be displayed:
19/12/2003 - Saludos a Cienciano Campeon 2003 de la Copa Sudamericana
- If the date of the system clock is the 11th day of the month, a message box with the following text will be displayed:
"Luego del alevoso ataque de eeuu y sus aliados
contra Iraq, aun tiene bush el descaro de decir
que lo hizo por libertar al pueblo o por la
democracia, como si eso le interesara, solo le
interesa tener gobiernos titeres y el petroleo
(investiguen sobre su dizque reconstruccion
de Iraq), desde los 90 que se pretendia derrocar
al gobierno de Iraq, quien le dio el derecho de decidir que
gobiernos deben ser derrocados o no, acaso
se cree el policia del mundo, una de las frases
favoritas del Asesino de bush, es el 'origen
del mal' el es eso.
Y para terminar otra de sus frases 'que Dios bendiga a los eeuu' ojala lo haga
porque lo van a nesecitar, porque algun
dia eeuu pagara por querer decirle al
mundo como tiene que vivir
(Mensage en contra del Gobierno de eeuu, no del pueblo)"
- If the date of the system clock is the 26th day of the month, a message box with the following text will be displayed:
"Soy una ballena de color azúl mi espalda sopla y tu ves esa fuente
de agua limpia aún. Nuestra casa abierta, era el ancho mar
Viajábamos en paz, sin manchas de petróleo que evitar
Busco un sitio puro donde descansar no hay muchas como yo
me tengo que cuidar de ti. Nubes blancas, cielo transparente
y el humano compartiendo con otros, un sueño que quizás ya no regrese
pues ya es tarde para todos nosotros
Soy el cóndor majestuoso del Perú, mi cuello gira y tú
me miras con ojos de luz. Busco un sitio alto donde recordar
que hubo un tiempo mejor, pues como yo no quedan más
Si tus hijos te preguntan cómo fui, no sé que les dirás, me tuve que alejar de ti
Cordilleras blancas dominando, todo ser que se alimenta del río
hombres en aldeas cultivando, sin decirle al campo dame lo que es mío
Estás equivocado, no sabes dónde vas
guanacos, osos panda, renos, águilas, delfines y todo lo demás
Estás equivocado no sabes dónde vas
un espíritu ronda por la selva llorando lo que fue el jaguar
bienvenido al mundo del hombre construído con detergentes y también con alquitrán
Soy una ballena de color azúl mi espalda sopla y tú
ves esa fuente de agua limpia aún
(Cancion perteneciente a 'Los Nosequien y Los Nosecuantos')
El 26 de Abril es el día de la Tierra, protegela"
- If the date of the system clock is the 29th of the month, the worm will open the Web page, www.arvil-lavigne.com.
- Retrieves the shared folder of SoulSeek by querying the following registry key:
HKEY_CURRENT_USER\Software\SoulSeek\InstallPath
- Copies %System%\Filezip.zip to the following folders, if they exist:
- C:\My Downloads
- C:\My Shared Folder
- C:\Program Files\appleJuice\incoming
- C:\Program Files\BearShare\Shared
- C:\Program Files\eDonkey2000\incoming
- C:\Program Files\Gnucleus\Downloads
- C:\Program Files\Grokster\My Grokster
- C:\Program Files\ICQ\shared files
- C:\Program Files\KaZaA\My Shared Folder
- C:\Program Files\KaZaA Lite\My Shared Folder
- C:\Program Files\KMD\My Shared Folder
- C:\Program Files\LimeWire\Shared
- C:\Program Files\Morpheus\MyShared Folder
- C:\Program Files\Overnet\incoming
- C:\Program Files\Shareaza\Downloads
- C:\Program Files\Swaptor\Download
- C:\Program Files\WinMX\My Shared Folder
- C:\Program Files\Tesla\Files
- C:\Program Files\XoloX\Downloads
- C:\Program Files\Rapigator\Share
- C:\Archivos de programa\appleJuice\incoming
- C:\Archivos de programa\BearShare\Shared
- C:\Archivos de programa\eDonkey2000\incoming
- C:\Archivos de programa\Gnucleus\Downloads
- C:\Archivos de programa\Grokster\My Grokster
- C:\Archivos de programa\ICQ\shared files
- C:\Archivos de programa\KaZaA\My Shared Folder
- C:\Archivos de programa\KaZaA Lite\My Shared Folder
- C:\Archivos de programa\KMD\My Shared Folder
- C:\Archivos de programa\LimeWire\Shared
- C:\Archivos de programa\Morpheus\MyShared Folder
- C:\Archivos de programa\Overnet\incoming
- C:\Archivos de programa\Shareaza\Downloads
- C:\Archivos de programa\Swaptor\Download
- C:\Archivos de programa\WinMX\My Shared Folder
- C:\Archivos de programa\Tesla\Files
- C:\Archivos de programa\XoloX\Downloads
- C:\Archivos de programa\Rapigator\Share
- <The shared folder of SoulSeek>
as the following file names:
- ACDSee 5.5.zip
- AOL Instant Messenger.zip
- AVP Antivirus Pro Key Crack.zip
- Age of Empires 2 crack.zip
- Ana Kournikova Sex Video.zip
- Animated Screen 7.0b.zip
- AquaNox2 Crack.zip
- Audiograbber 2.05.zip
- BabeFest 2003 ScreenSaver 1.5.zip
- Babylon 3.50b reg_crack.zip
- Battlefield1942_bloodpatch.zip
- Battlefield1942_keygen.zip
- Britney Spears Sex Video.zip
- Buffy Vampire Slayer Movie.zip
- Business Card Designer Plus 7.9.zip
- Clone CD 5.0.0.3 (crack).zip
- Clone CD 5.0.0.3.zip
- Coffee Cup Free zip 7.0b.zip
- Cool Edit Pro v2.55.zip
- Crack Passwords Mail.zip
- Credit Card Numbers generator(incl Visa,MasterCard,...).zip
- Cristina Aguilera Sex Video.zip
- DVD Copy Plus v5.0.zip
- DVD Region-Free 2.3.zip
- Diablo 2 Crack.zip
- DirectDVD 5.0.zip
- DirectX Buster (all versions).zip
- DirectX InfoTool.zip
- DivX Video Bundle 6.5.zip
- Download Accelerator Plus 6.1.zip
- Edonkey2000-Speed me up scotty.zip
- FIFA2003 crack.zip
- Final Fantasy VII XP Patch 1.5.zip
- Flash MX crack (trial).zip
- FlashGet 1.5.zip
- FreeRAM XP Pro 1.9.zip
- GTA 3 Crack.zip
- GTA 3 Serial.zip
- Game Cube Real Emulator.zip
- GetRight 5.0a.zip
- Global DiVX Player 3.0.zip
- Gothic2 licence.zip
- Guitar Chords Library 5.5.zip
- Hentai Anime Girls Movie.zip
- Hitman_2_no_cd_crack.zip
- Hot Babes XXX Screen Saver.zip
- HotGirls.zip
- Hotmail Hacker 2003-Xss Exploit.zip
- ICQ Pro 2003a.zip
- ICQ Pro 2003b (new beta).zip
- IrfanView 4.5.zip
- Jenifer Lopez Sex Video.zip
- KaZaA Hack 2.5.0.zip
- KaZaA Speedup 3.6.zip
- Kazaa SDK + Xbit speedUp for 2.xx.zip
- Links 2003 Golf game (crack).zip
- Living Waterfalls 1.3.zip
- MSN Messenger 5.2.zip
- Mafia_crack.zip
- Matrix Movie.zip
- Matrix Screensaver 1.5.zip
- Mcafee Antivirus Scan Crack.zip
- MediaPlayer Update.zip
- Microsoft KeyGenerator-Allmost all microsoft stuff.zip
- NBA2003_crack.zip
- NHL 2003 crack.zip
- Need 4 Speed crack.zip
- Nero Burning ROM crack.zip
- Netbios Nuker 2003.zip
- Netfast 1.8.zip
- Network Cable e ADSL Speed 2.0.5.zip
- Nimo CodecPack (new) 8.0.zip
- Norton Anvirus Key Crack.zip
- PS2 PlayStation Simulator.zip
- PalTalk 5.01b.zip
- Panda Antivirus Titanium Crack.zip
- Pop-Up Stopper 3.5.zip
- Popup Defender 6.5.zip
- Quick Time Key Crack.zip
- QuickTime_Pro_Crack.zip
- Sakura Card Captor Movie.zip
- Screen saver christina aguilera naked.zip
- Screen saver christina aguilera.zip
- Security-2003-Update.zip
- Serials 2003 v.8.0 Full.zip
- Sex Live Simulator.zip
- Sex Passwords.zip
- SmartFTP 2.0.0.zip
- SmartRipper v2.7.zip
- Space Invaders 1978.zip
- Spiderman Movie.zip
- Splinter_Cell_Crack.zip
- Starcraft serial.zip
- Start Wars Trilogy Movies.zip
- Steinberg_WaveLab_5_crack.zip
- Stripping MP3 dancer+crack.zip
- Thalia Sex Video.zip
- Trillian 0.85 (free).zip
- TweakAll 3.8.zip
- UT2003_bloodpatch.zip
- UT2003_keygen.zip
- UT2003_no cd (crack).zip
- UT2003_patch.zip
- Unreal2_bloodpatch.zip
- Unreal2_crack.zip
- VB6.zip
- Virtua Girl (Full).zip
- VirtualSex.zip
- Visual Basic 6.0 Msdn Plugin.zip
- Visual basic 6.zip
- WarCraft_3_crack.zip
- WinOnCD 4 PE_crack.zip
- WinRar 3.xx Password Cracker.zip
- WinZip 9.0b.zip
- WinZipped Visual C++ Tutorial.zip
- Winamp 3.8.zip
- WindowBlinds 4.0.zip
- Windows XP complete + serial.zip
- Windows Xp Exploit.zip
- Winzip KeyGenerator Crack.zip
- XNuker 2003 2.93b.zip
- Yahoo Messenger 6.0.zip
- Zelda Classic 2.00.zip
- aol cracker.zip
- aol password cracker.zip
- cable modem ultility pack.zip
- counter-strike.zip
- delphi.zip
- divx pro.zip
- divx_pro.zip
- hotmail_hack.zip
- iMesh 3.6.zip
- iMesh 3.7b (beta).zip
- mIRC 6.40.zip
- macromedia dreamweaver key generator.zip
- mp3Trim PRO 2.5.zip
- pamela_anderson.zip
- play station emulator.zip
- serials2000.zip
- subseven.zip
- virtua girl - adriana.zip
- virtua girl - bailey short skirt.zip
- warcraft 3 crack.zip
- warcraft 3 serials.zip
- winamp plugin pack.zip
- winzip full version key generator.zip
- Creates the following files in the %Temp% folder:
- imh.dat
- iml.dat
- imv.dat
Note:
- %Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- These files are not viral by themselves. The worm retrieves email addresses from the Microsoft Outlook Address Book and from files with .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, or .htx extensions, then saves the addresses to these files.
- Overwrites .vbs, .vbe, .js, .jse, .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, and .htx files with itself.
- Overwrites the Mirc.ini file. The worm attempts to send a copy of itself to other IRC users who connect to the same channel as the infected computer.
- Generates random IP addresses and attempts to connect to the IP addresses using the following user names and passwords:
- <blank>
- <CR/LF>
- <ComputerName>
- <UserName>
- name
- %null%
- %username%
- %username%12
- %username%123
- %username%1234
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 654321
- 54321
- 1
- 111
- 11111
- 111111
- 11111111
- 000000
- 00000000
- 22
- 5201314
- 88888888
- 888888
- passwd
- password
- sql
- database
- admin
- test
- server
- computer
- secret
- oracle
- sybase
- root
- Internet
- super
- user
- manager
- security
- public
- private
- default
- 1234qwer
- 123qwe
- abcd
- abc123
- 123abc
- abc
- 123asd
- asdf
- asdfgh
- KKKKKKK
- !@#$
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- !@#$%^&*(
- !@#$%^&*()
- intel
- Copies itself to the remote machine as autorun.vbs. Then, it overwrites the autoexec.bat file with the line:
@win \autoexec.vbs
- Adds the line:
run=autorun.vbs
to the [windows] section of the file, Win.ini, on the remote computer.
- Overwrites all .vbs files on the A: drive with itself. If it does not find any .vbs file on the A: drive, it will copy itself as one of the following:
- A:\Israfel.vbs
- A:\Document.txt.vbs
- A:\Image.jpg.vbs
- A:\Loreley.jpg.vbs
- A:\Vigilancia.txt.vbs
- Uses its email component, sendi.exe, to send itself to all the email addresses that it finds.
The worm uses the current user's SMTP server or one of the following servers to spread itself:
mx1.latinmail.com
mx1.hotmail.com
The email has the following characteristics:
From: The sender's name is randomly selected from a list that the worm carries.
Attachment: Filezip.zip
Subject: Subject line is randomly selected from the list that the worm carries.
Message: The message body is randomly selected from the list that the worm carries. It may begin with one of the following texts:
=============================Mcaffe Virus Scan=============================
Resultado del Análisis: Mensaje y Adjunto libre de virus
===========================================================================
=============================Mcaffe Virus Scan=============================
Result gives the Analysis: Message and Added free he gives virus
===========================================================================
For example, the subject and the message can be one of the following:
Subject: Postal Animada
Message:
Ha recibido una postal desde esta direccion
para verla descarguela antes de 7 dias de recibido este e-mail
Un Servicio de FreeCards
Subject: Cartoons
Message:
Nuestra pagina de Cartoons viene recargada
mira este que se titula: El inofensivo pajarito
Subject: Free ScreenSaver
Message: Mira este screensaver, y si te gusta, visita nuestra page :)
Subject: FordWare
Message: Sabes lo que es el FordWare?, entonces mira este
Subject: Espero te guste
Message: Mira la postal =)
Subject: Esta es buena
Message: Haber que te parece a ti?
Subject: Aviso Importante
Message:
Debido a la nueva politica del servidor, se pide a los usuarios
completar el nuevo registro a fin de poder conservar sus cuentas de correo
Subject: Sexo Tantrico
Message:
Conoces el sexo tantrico?
Tantra: Antigua disciplina oriental para mejorar el rendimiento sexual
Aprendelo y nota la diferencia.
Subject: Significado de los nombres
Message: Quieres saber el significao de tu nombre, o apellido o de donde proviene?
Subject: Manual Seduccion
Message: Quieres conquistar una pareja?, prueba con estos consejos
Subject: ilusiones
Message: Mira la foto adjunta 20 segundos y veras algo
Subject: Hi
Message: Te envio las imagenes que pediste, bye
Subject: Help me
Message: please open file
Subject: Mail Return System
Message: El correo no pudo ser enviado a uno o más destinatarios.
Subject: Fotos en tu email
Message: XXX Todo Vale XXX
- Sends email to the attacker. The email may contain the stolen information and the email addresses that the worm finds on an infected computer.
- Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\GEDZAC LABS\Israfel\Parent
HKEY_LOCAL_MACHINE\Software\GEDZAC LABS\VBS.Israfel\Info
Writeup By: Fergal Ladley, Yana Liu