Aliases: Win32.Gaze, MSIL/Gaze@MM, I-Worm.Gaze
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 31 Oct 2002
Damage: Low

Characteristics: W32.Gaze@mm is part of the growing family of mass-mailing worms which uses emails to collect files of the compromised computer. The worm automatically sends itself to the email addresses it gathers from the files on an infected computer. Mostly, it gets all the contacts from the Microsoft Outlook Address Book. You may see an attachment containing.exe, .scr, or .zip file extension. It also alters local hosts file to prevent access to various websites.

More details about W32.Gaze@mm

The worm creates the file C:\winnt\System32\Mail.vbs which is responsible for performing the mass-mailing process. It needs a “ .NET” framework be installed first in order to propagate and infect the computer. All platforms of windows are vulnerable to this worm, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. The email message sent out by this worm includes the following characteristic: “Subject: faze, “Message Body: How are you today?” and “Attachment: Game.exe.” The said “game.exe” process is reported to be an infector. It can contaminate computer, replicate, modify and distribute itself to another computer. This can happen without the approval or knowledge of user. When virus is executed, it may cause damage to data stored in computer, it can change the Operating System settings, change performance of computer, and it can modify networks settings and slowdown network connections.

Reportedly, the W32.Gaze@mm worm's primary purpose is to create another access point to the infected machine. This is called a backdoor. Compared with the common access point, a backdoor does not require any authentication or security procedures before allowing a user to access a computer. Due to this capability, some specialists suspect that the W32.Gaze@mm worm can also be a remote administration tool or RAT. The virus may possibly have a server, client, and editor. The server is installed in the remote attacker’s computer and is used in sending commands to the infected computer. The client is installed in the compromised machine and is responsible in receiving these commands. The editor, on the other hand, is a tool that allows the hacker to determine the features of the W32.Gaze@mm worm.