
Virus Messenger - The Gaut.A worm is spread by involving chat programs

Google Talk and Yahoo! Messenger users are threatened by the Gaut.A worm.

The Gaut.A worm downloads a configuration file from a remote server. Based on it, the worm sends messages, makes further changes to the registry, and can also download updates of itself. The worm spreads via removable and network drives and also tries to spread through Google Talk and Yahoo! Messenger.


Technical details:

  1. Creates the following files:
    %SystemDrive%\autorun.ini
    %SystemDrive%\chrome.exe
    %Windows%\chrome.exe
    C:\WINDOWS\Tasks\At1.job
  2. Creates the following entry in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "Yahoo Messenger" = "C:\WINDOWS\system32\chrome.exe"
  3. Modifies the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "Shell" = "Explorer.exe chrome.exe"
  4. Adds the following values to the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
    "shared" = "\New Folder.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    "NofolderOptions" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    "DisableTaskMgr" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    "DisableRegistryTools" = "1"
  5. Modifies the following registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
    "Default_Page_URL" = "[…]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
    "Default_Search_URL" = "[…]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
    "Search Page" = "[…]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
    "Start Page" = "[…]"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
    "Start Page" = "[…]"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\
    "NextAtJobId" = "2"
  6. Downloads a configuration file from a remote server and saves it as %SystemDrive%\setting.ini.
  7. Creates a New Folder.exe and an autorun.inf file in the root directory of each drive.
  8. Copies a disk.txt file to the root directory of drive C:\.
  9. Copies a file named New Folder.exe to shared directories.
  10. Stops the game_y.exe process, if it exists.
  11. Closes any window that has one of the following terms in its title bar:
    Bkav2006
    System Configuration
    registry
    windows task
    [FireLion]
    cmd.exe
  12. Checks whether Google Talk or Yahoo! Messenger is running. If so, it sends messages with malicious links to the names in the contact lists.
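The persistence and tamper-resistance changes in items 1 through 4 and 6 are what a responder would check for on a suspect host. The following PowerShell script is an added example, not part of the original advisory; it inspects the registry locations and file paths listed above and reports any that match the described state, assuming the paths exactly as given on the page and an elevated prompt.

```powershell
# Added example (not from the original advisory): audits the registry values
# and dropped files listed in the Gaut.A technical details on the local host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Item 3: Winlogon Shell should be exactly "explorer.exe"; the worm appends chrome.exe.
$shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# Item 2: Run entry named "Yahoo Messenger" that launches chrome.exe from system32.
$run = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Yahoo Messenger'
if ($run -and $run -imatch 'chrome\.exe') {
    $findings += "Suspicious Run entry 'Yahoo Messenger': '$run'"
}

# Item 4: policy values the worm sets to 1 to block Task Manager, regedit and Folder Options.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
}
foreach ($key in $policies.Keys) {
    foreach ($name in $policies[$key]) {
        if ((Get-RegValue $key $name) -eq 1) { $findings += "Policy $name = 1 under $key" }
    }
}

# Items 1 and 6: dropped files; a chrome.exe in these locations is not a normal browser install.
$paths = "$env:SystemDrive\chrome.exe", "$env:windir\chrome.exe",
         "$env:SystemDrive\setting.ini", "$env:windir\Tasks\At1.job"
foreach ($f in $paths) {
    if (Test-Path $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { 'No Gaut.A indicators found.' } else { $findings }
```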
