VBS/Gaggle-A

Discussion in 'malware problems & news' started by FanJ, Sep 9, 2002.

Thread Status:
Not open for further replies.
    FanJ (Guest)

    Name: VBS/Gaggle-A
    Type: Visual Basic Script worm
    Date: 9 September 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description
    VBS/Gaggle-A arrives in an email with one of the following subject line
    message text combinations:

    Subject line: Articulo
    Message text: Te envio este articulo que encontre en internet, es
    interesante y tal vez te sirva, he estado un poco ocupado, luego te
    cuento.
    Adios

    Subject line: Efectos en web
    Message text: Oola, te envio esta pagina, tiene unos muy buenos efectos,
    a mi me sorprendio Te escribo luego, hay una cos a que quiero contarte.
    Adios

    Subject line: Revista virtual
    Message text: Hola, te envio el prospecto de suscripcion de una buena
    revist a virtual, la revista llega a tu email y se puede leer como pagina
    webla pagina de suscripcion es interactiva, mirala a ver que te parece.
    Adios

    Subject line: Correo Seguro
    Message text: Estaba navegando en internet, y en una pagina vi un anuncio
    de una empresa de antivirus que revisaba si habia virus en el buzon de correo del servidor antes de que llege a tu computadora, la ventaja es que a
    diferencia de los antivirus caseros que no detectan virus nuevos ellos
    si los detectan ya que su base de datos esta actualizada a cada instante,
    hay mas detalles en la pagina que te envio, leela a ver que te parece,
    el servicio es gratis
    Adios y hasta pronto

    Subject line: Descargas gratis
    Message text: Hola, encontre una pagina en la que se puede descargar
    gran variedad de cosas, como musica, programas y libros; la descarga
    es gratis claro que hay que aguantar un poco de publicidad
    pero es buena pagina. Te envio una parte de la pagina que descargue
    para que veas, a tiene efectos y hay que aceptar el cuadro que da,
    sino no carga.
    Luego te escribo, Adios

    Attached file: AngeldelMar.html

    The attached file is an HTML file containing a VBScript component. When
    the HTML file is opened the script component is executed and will drop
    the VBS file C:\Windows\System\Gaghiel.vbs, also detected as VBS/Gaggle-A.

    The following registry entries will be created, ensuring that the VBS file
    is run when Windows starts up:

    HKLM\Software\Microsoft\Windows\Current Version\Run = "Gaghiel"
    HKLM\Software\Microsoft\Windows\Current Version\Run Domain Manager = "Gaghiel"

    When run, the VBS file will first check if the current day of the month
    is greater than twenty-five, in which case the Internet Explorer start page
    will be changed to:

    link deleted by FanJ

    via the registry entry

    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

    The worm will also calculate the sum of the day of the month and the month
    of the year and display a message box if this sum is equal to thirty.
    The message box will display the following Spanish text:

    "Oracion antes de entraral internet:
    Satelite nuestro que estas en el cielo,
    Acelerado sea tu link,
    Venga a nosotros tu hipertexto,
    Hagase tu conexion en lo real comoen lo virtual,
    Danos hoy el download de cada dia,
    Perdona el cafe en el Teclado,
    Asi como nosotros perdonamos a nuestros proveedores,
    No nos dejes caer la conexion,
    Y libranos de todo Virus,
    En nombre del Server, del Modem y del santo User-name.
    Log-in."

    The worm creates the infected files
    C:\Windows\Gaghiel.vbs and C:\Windows\System\AngeldelMar.htm.

    The worm searches all folders on fixed and remote drives for files
    with the following extensions: HTML, HTM, HTA, PHP, ASP, SHTML, SHTM, PHTML, PHTM, and SFC.

    For each file found the word "Gaghiel" will be prepended to that file and the HTML VBScript component will be appended to the file. Any VBS or VBE files found on fixed or remote drives will be overwritten by the worm.
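    The two file-level traces the advisory describes (a "Gaghiel" prefix on web files, and every VBS/VBE file overwritten with the same body) can be checked offline. The scanner below is an added example, not Sophos's or the worm's code; the sample tree it scans is constructed in a temp directory, and treating identical .vbs files as a warning sign is a heuristic assumed here, not something the advisory states.

```python
import os
import hashlib
import tempfile
from pathlib import Path

# Extensions the advisory lists as infected by prepending "Gaghiel"
# and appending the VBScript component.
INFECT_EXTS = {".html", ".htm", ".hta", ".php", ".asp",
               ".shtml", ".shtm", ".phtml", ".phtm", ".sfc"}
# VBS/VBE files are overwritten wholesale, so infected ones become identical.
OVERWRITE_EXTS = {".vbs", ".vbe"}
MARKER = b"Gaghiel"

def is_marked(path):
    """True if the file starts with the prepended marker."""
    with open(path, "rb") as f:
        return f.read(len(MARKER)) == MARKER

def scan_tree(root):
    """Return (files carrying the marker, groups of byte-identical VBS/VBE files)."""
    marked = []
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            ext = p.suffix.lower()
            if ext in INFECT_EXTS and is_marked(p):
                marked.append(str(p))
            elif ext in OVERWRITE_EXTS:
                h = hashlib.sha256(p.read_bytes()).hexdigest()
                digests.setdefault(h, []).append(str(p))
    dups = [g for g in digests.values() if len(g) > 1]  # heuristic, assumed here
    return sorted(marked), dups

def demo():
    """Constructed sample tree: one marked page, one clean page, two identical .vbs."""
    root = tempfile.mkdtemp()
    Path(root, "index.html").write_bytes(
        b"Gaghiel<html>hi</html><script language=vbscript>x</script>")
    Path(root, "about.htm").write_bytes(b"<html>clean</html>")
    os.makedirs(Path(root, "sub"))
    Path(root, "sub", "a.vbs").write_bytes(b"' same body\n")
    Path(root, "sub", "b.vbs").write_bytes(b"' same body\n")
    return scan_tree(root)
```

Point `scan_tree` at a real document root to get the same two lists; on a clean system both are empty.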

    The Microsoft Outlook Express settings will be adjusted so that email is
    sent in HTML format using the infected file C:\Windows\Gaghiel.html as the
    stationery template. These changes will be made via the following three
    entries:

    Message Send HTML, Compose Use Stationery and Stationery Name

    in the registry key

    HKCU\Identities\<Default User ID>\Software\Microsoft\
    Outlook Express\5.0\Mail.

    The emailing component of VBS/Gaggle-A will send emails with the
    characteristics described above to all contacts in the infected user's
    Outlook address book.

    The files regedit.exe, regedb32.exe, msconfig.exe and all files in the
    folder C:\Windows\Recent will be deleted.

    More information about VBS/Gaggle-A can be found at
    http://www.sophos.com/virusinfo/analyses/vbsgagglea.html