Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 27 Mar 2006
Damage: Low

Characteristics: W32.Gammiy is a virus that continuously browses for network shares and infects executable files. All platforms of windows are vulnerable to this virus, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It mostly attacks and contaminates executable files located in shared folders. Once executed, it creates files named as “smss.exe,”DBST32NT.LOG”and “dbst32nt.log.” The virus also drops a host file with “.dll” extension. These are created in the widows directory folders. It automatically executes extension if the virus has the original host file. Like other virus or worms, it also alters registry keys so that the virus is opened or executed every time the system or windows starts. The virus can also be opened through execution of an infected text file.

More details about W32.Gammiy

It also produces random IP addresses and consequently infects all executable files located in shared folders of computers with these addresses. It also creates its own log file that checks and monitors the entire virus’ processes and infection routines. It is found in the “C” drive and named as, “C:\dntboot.bin.” As such, this backdoor capability can steal private or confidential files or data from the compromised computer. It can also be destructive, having the ability to also download malware on a compromised computer. It also attempts to download a file from “http://gsm8000.27h.com/sm.exe.” Currently, the downloaded file is a minor variant of Backdoor.Graybird; thus producing several effects such as allowing remote user connection, logging key strokes, connecting itself automatically to the internet, concealing from the user while staying resident in the background.

This program can remotely influence a targeted computer. Reports claim that it opens a predetermined port through which it transmits all pirated data. Once inside the system, a DNS server is contacted by the W32.Gammiy program on various locations. Allegedly, it is through this DNS server wherein computer information such as IP addresses and login details are sent to a hacker. The sent data are then used by the hacker to gain access to the computer. Once the hacker had gained access over the computer, the hacker can now use the computer as if the computer is just before the intruder.