W32.Gubed.int


Aliases: WORM_GUBED.A, W32.Gubed@mm, Worm/Mars
Variants: W32/Gubed.A, I-Worm.Magistr.a, W32/Disemboweler, I-Worm.Mars

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 21 Jun 2002
Damage: Low

Characteristics: The W32.Gubed.int is a type of mass mailing malware which spreads its codes to other vulnerable computer systems by sending email messages. The email messages are normally sent to the email addresses which the Worm harvests from a currently infected machine. The subject line contains the text "Congratulations for your site" and has an executable attachment. The mass mailing functionality of the Worm is attributed to the script file it drops into the infected machine.

More details about W32.Gubed.int

The entry of the W32.Gubed.int into the compromised machine is marked by the presence of five copies of its files in the operating system folders of the hard drive. It also places a VBS format file into the startup group folder with the intention of overwriting all files with the VBS file extension in the My Documents folder including those found in its subfolders. The W32.Gubed.int will also scan the contents of HTM, HTML, and ASP format files to harvest additional email addresses that it can use to spread its codes. It tricks the recipient into believing that the file attachment is a type of website design utility. The W32.Gubed.int uses a script file to send a second email message to the same recipients.

The second email sent by the W32.Gubed.int malware usually contains the VBS format file and uses the subject line "Important Email for". When the unsuspecting user launches the file attachment the W32.Gubed.int will drop another executable file into a subfolder where the operating system is stored. An associated key value in the Windows Registry will be placed to make sure that it will be launched automatically at every restart instance of the infected machine. The names of the executable files infected by the W32.Gubed.int are usually modified. The text string "_vpe" is usually appended to the filename.