Aliases: Gabloliz.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 Apr 2005
Damage: Low

Characteristics: W32.Gabloliz.A is a worm that spreads through AOL Instant Messenger. It is also described as a worm with backdoor capabilities. It uses Kazaa file-sharing networks to propagate, so users of peer-to-peer sharing programs are exposed to it. It is believed that the program still contains a lot of bugs. Once executed, it modifies the system registry so that it runs when Windows starts. The worm does not always succeed in copying itself.

More details about W32.Gabloliz.A

All Windows platforms are vulnerable to this worm: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. Once executed, it creates a file named "winvxd32.exe" in the Windows directory and a mutex named "i1s1w3t4t1t4e7b4p1rxteioanbvh" so that only one instance of the worm runs on the computer. It then connects to an IRC server on the zerofuzion.net domain and waits for commands from a remote attacker. As such, it can steal private or confidential files or data from the compromised computer. The remote attacker can also steal clipboard data and system and network information, and can log keystrokes. These capabilities allow a remote computer to record and monitor the processes of the compromised computer's system. Reports also say that this worm may remotely terminate processes, change Internet Explorer's homepage, reboot the computer, continuously delete files, download files from the Internet and automatically open them, upload files to an FTP server, and send a copy of the worm to all AOL Instant Messenger contacts. It also duplicates itself: it copies itself under a random name to the Kazaa download directory and creates an HTTP server on a random TCP port. Spam is then sent that points to this HTTP server for downloading the worm.
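The indicators named above (the dropped file, the mutex, the IRC domain, the autostart change and the Kazaa copy) can be checked against endpoint telemetry. The following is an added example, not part of the original write-up: the event record layout is hypothetical, the sample events are constructed, and because the page does not name the registry key, the standard Windows Run/RunOnce keys are assumed.

```python
import re

# Indicators taken from the description above.
FILE_NAME = "winvxd32.exe"
MUTEX = "i1s1w3t4t1t4e7b4p1rxteioanbvh"
IRC_DOMAIN = "zerofuzion.net"
# Assumption: the page does not name the autostart key, so the standard
# Windows Run/RunOnce keys are checked.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")

def match(ev):
    """Return the name of the indicator an event matches, or None."""
    kind, value = ev["type"], ev["value"].lower()
    if kind == "mutex" and value == MUTEX:
        return "mutex"
    if kind == "file_create" and value.rsplit("\\", 1)[-1] == FILE_NAME:
        return "dropped_file"
    # Exact domain or a subdomain only; look-alike names must not match.
    if kind == "dns_query" and (value == IRC_DOMAIN or value.endswith("." + IRC_DOMAIN)):
        return "irc_domain"
    if kind == "registry_set" and RUN_KEY.search(value) and FILE_NAME in ev.get("data", "").lower():
        return "autostart"
    # Weak signal: the Kazaa copy has a random name, so only its location is known.
    if kind == "file_create" and "\\kazaa\\" in value and value.endswith(".exe"):
        return "kazaa_exe"
    return None

def triage(events):
    """Map host -> (verdict, sorted indicator names) for hosts with any hit."""
    hits = {}
    for ev in events:
        name = match(ev)
        if name:
            hits.setdefault(ev["host"], set()).add(name)
    return {host: ("likely_infected" if names - {"kazaa_exe"} else "review", sorted(names))
            for host, names in hits.items()}

# Constructed sample events: hosts, paths, value name and subdomain are made up.
EVENTS = [
    {"host": "PC-01", "type": "file_create", "value": r"C:\WINDOWS\winvxd32.exe"},
    {"host": "PC-01", "type": "registry_set", "data": r"C:\WINDOWS\winvxd32.exe",
     "value": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winvxd"},
    {"host": "PC-01", "type": "dns_query", "value": "irc.zerofuzion.net"},
    {"host": "PC-02", "type": "file_create", "value": r"C:\Program Files\Kazaa\My Shared Folder\setup_x.exe"},
    {"host": "PC-03", "type": "dns_query", "value": "notzerofuzion.net"},
]

if __name__ == "__main__":
    for host, result in sorted(triage(EVENTS).items()):
        print(host, *result)
```

A host that shows only an executable in a Kazaa folder is marked for review rather than flagged, since the copy's random name leaves the location as the only evidence.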

In some instances the W32.Gabloliz.A program can be more dynamic, if it has entered many sensitive points in a program. The infectious program can be contained in plain text with unusual contents. Its intrusion into system processes can have serious results such as automatic shutdown, very slow program operation, and destruction of internal files. The damage the malware does to a system can be measured by how long it remains there: the longer the program stays, the further the break-in progresses. Some security experts say that once the hackers involved have gained access, the damage is done by planting a single malicious file on a target program that contains the entire system. By the time the internal dumping is done, the program carries a corrupt and unreliable sequence of functions.