Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 21 Feb 2008
Damage: Medium

Characteristics: W32.Gampxia is a virus that targets all removable media drives and shared folders using autorun.inf file. It automatically creates copies of itself when it is going to infect a computer. It automatically starts itself when the media is accessed. It can spread and damage all document files it has found on the compromised computer. It affects all Windows Operating System. It doesn't only infect the compromised computer, it also infects the network systems connected on that computer and or laptop.

More details about W32.Gampxia

This worm attacks and contaminates HTML files, which are known as “W32.Gampxia!html.” Another capability that may lessen the security of your files is that it downloads copies of Infostealer.Gampass, Hacktool, and WinPcap. These are considered as a library used to monitor and capture network packets in Windows environments, onto the compromised computer. Once executed, the first priority of this virus is to produce several copies of itself into windows temporary folder, removable drives as well as in the My documents folder settings using the file named as “svchost.exe.” When the svchost is present, it consequently creates infected files, such as “cs.txt,” Url.txt,” winpcap.exe” and “arp.exe.” It also runs through autorun.inf. This file is used in order for it to spread by infecting removable storage drives. Thus, this virus will automatically run itself on the compromised computer every time the window starts.

System files are also being modified; thus, replacing any system copy of itself, named as, “taskmgr.exe.” Other recognizable symptom is that it changes the system time to December 1, 1989, in an attempt to prevent certain Kaspersky antivirus products from scanning. This worm also steals private or confidential files or data from the compromised computer. It can also be destructive, having the ability to also download malware on a compromised computer. A network connection named as “[http://]www.balbv.cn/xz/12387617/log[REMOVED]” is also executed by this virus. It can also remotely download an infected file and drop it in the compromised computer. If the virus is successful, it will then attempt to spread through network shares by copying itself as the following files, “Setup.exe” and “AutoExec.bat.” The virus connects and shares information from an unknown remote attacker and certain bits of data are compromised by an unauthorized sharing of antivirus application running on the compromised computer. File deletion and its extension is another destructive characteristic of file which may cause your computer to be inoperable or even crash. It deletes files that end with “.gho” normally found in D:, E: and F: drives. While successfully connecting with D:, E: and F: drives, it continuously and automatically contaminates files that end with “.jsp,”.html,”.htm,”.aspx,”.asp” and “.php.” Certain applications as well as antivirus program are terminated. These are “NOD32,”Rising,”Jiangmin,”Kaspersky,”Kingsoft,” “360tray.exe” and “360safe.exe.”