SUBJECT: W32.Galil.C@mm



robert
02-10-03, 11:27 AM
RISK FACTOR: 2

RISK FACTOR EXPLANATION: This worm can potentially have a greater impact on
personal computers/networks than on corporate networks.

IMPACT: Mass-mailer; sends itself to addresses found in Outlook address
book and MSN messenger list. Gathers network and other sensitive
information and sends it using its own SMTP engine. Disables mouse and
keyboard.

SUMMARY: W32.Galil.C@mm is a mass mailing worm developed in Visual
Basic (VB) and compressed using Ultimate Packer for eXecutables (UPX).
This worm transmits itself to the email addresses found in files with
.htm, .html, .eml, and .txt extensions, and the contacts in the
Microsoft Outlook Address Book and MSN messenger contact list. Also,
this worm attempts to distribute itself through the KaZaA file-sharing
network.

PLATFORMS AFFECTED: Workstations, Personal Computers

Hardware:

Operating Systems: Windows NT, Windows 9x, Windows 2000, Windows Millennium
Edition, Windows XP, Windows Server 2003

Applications:

BACKGROUND: 1. Disables the mouse and keyboard after the HKEY_CURRENT_USER
registry key value reaches 30, when Explore.exe executes.

2. Searches for files with extensions .doc, .jpg, .mdb, .pps, .ram, .xls,
or .zip, and then copies the worm to the KaZaA download folder.

3. Retrieves email addresses of current users.

4. Retrieves default SMTP server IP addresses.

5. Retrieves email addresses from files with the extensions .htm, .html, and .txt.

6. Retrieves email addresses from the Outlook address book and MSN
instant messenger list.

7. Forwards the worm to the gathered email addresses using SMTP.ocx.

8. Transmits network information and email addresses to a predefined email
address.

For additional information on the W32.Galil.C@mm worm, refer to
http://securityresponse.symantec.com/avcenter/venc/data/w32.galil.c@mm.html

RECOMMENDATIONS: Administrators are advised to restrict peer-to-peer
(P2P) services. If KaZaA or other P2P services are necessary, consider
a P2P virus protection product for the KaZaA Media Desktop
(http://www.kazaa.com/us/picks/bullguard_lite.htm). Routinely check
http://www.kazaa.com/us/help/known_virus.htm for the latest listing of
known viruses and recommendations.

Routinely check the following Windows registry key settings for:
1. The value 'a' in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
registry key.

2. The value 'DeathTime' in the HKEY_CURRENT_USER registry key.
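The following read-only audit script is an added example, not part of the advisory or any vendor tool. It checks a host for the two registry indicators named above; because the advisory does not give the subkey that holds 'DeathTime', the script assumes it may sit anywhere under HKEY_CURRENT_USER and searches by value name.

```powershell
# Added example (not from the advisory): read-only audit of the two registry
# indicators the advisory names. Run in an elevated PowerShell on the host being checked.
function Test-GalilRegistryIndicators {
    [CmdletBinding()]
    param(
        # The advisory says the HKCU counter triggers at 30; used here for reporting only.
        [int]$DeathTimeThreshold = 30
    )
    $findings = @()

    # Indicator 1: a value named 'a' under HKLM\Software\Microsoft\Windows.
    $hklmKey = 'HKLM:\Software\Microsoft\Windows'
    $props = Get-ItemProperty -Path $hklmKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains 'a')) {
        $findings += [pscustomobject]@{
            Key = $hklmKey; Value = 'a'; Data = $props.a; Note = 'value "a" present'
        }
    }

    # Indicator 2: a value named 'DeathTime' under HKCU. The advisory does not name
    # the subkey, so (assumption) every key under HKCU is inspected by value name.
    $keys = @(Get-Item -Path 'HKCU:\') +
            @(Get-ChildItem -Path 'HKCU:\' -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        if ($k.Property -contains 'DeathTime') {
            $data = $k.GetValue('DeathTime')
            $count = $data -as [int]
            $note = if ($null -eq $count) { 'non-numeric data' }
                    elseif ($count -ge $DeathTimeThreshold) { 'counter at/above threshold' }
                    else { 'counter below threshold' }
            $findings += [pscustomobject]@{
                Key = $k.Name; Value = 'DeathTime'; Data = $data; Note = $note
            }
        }
    }
    return $findings
}

$result = @(Test-GalilRegistryIndicators)
if ($result.Count -eq 0) {
    'No W32.Galil.C@mm registry indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

The script only reads the registry and reports; removal of the worm should follow the vendor write-up linked above.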

VENDOR-SUPPLIED INFORMATION: None