Win32.Gaze, MSIL/[email protected]
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
31 Oct 2002
Characteristics: [email protected] is part of the growing family of mass-mailing worms that use email to collect files from the compromised computer. The worm automatically sends itself to the email addresses it gathers from files on an infected computer. Mostly, it takes the contacts from the Microsoft Outlook Address Book. You may see an attachment with an .exe, .scr, or .zip file extension. It also alters the local hosts file to prevent access to various websites.
The worm creates the file C:\winnt\System32\Mail.vbs, which is responsible for performing the mass-mailing process. It requires the .NET Framework to be installed first in order to propagate and infect the computer. All Windows platforms are vulnerable to this worm, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. The email message sent out by this worm has the following characteristics: “Subject: faze”, “Message Body: How are you today?” and “Attachment: Game.exe”. The “game.exe” process is reported to be an infector. It can contaminate a computer, replicate, modify and distribute itself to another computer. This can happen without the approval or knowledge of the user. When the virus is executed, it may damage data stored on the computer, change operating system settings, change the performance of the computer, modify network settings and slow down network connections.
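The message traits listed above can be expressed as a mail-filter check. The following is an added example, not code from the original page; the function names, the sample builder and the example.com addresses are assumptions, and the sample messages are constructed.

```python
# Added example: score a message against the e-mail indicators this page lists.
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators from the page's description of the worm's message.
SUBJECT = "faze"
BODY_TEXT = "how are you today?"
ATTACHMENT = "game.exe"
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")


def score_message(raw):
    """Return the indicators matched by a raw RFC 5322 message, in walk order."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(RISKY_EXTENSIONS):
            hits.append("risky-extension")
        elif not name and part.get_content_type() == "text/plain":
            if BODY_TEXT in part.get_content().lower():
                hits.append("body")
    return hits


def is_probable_match(raw):
    """Require subject, body and attachment name together to limit false positives."""
    return {"subject", "body", "attachment-name"} <= set(score_message(raw))


def build_sample(subject, body, filename):
    """Construct a sample message (hypothetical helper; addresses are placeholders)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(score_message(build_sample("faze", "How are you today?", "Game.exe")))
```

The body phrase alone is common in ordinary mail, which is why `is_probable_match` requires all three page-listed traits before flagging a message.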
Reportedly, the [email protected] worm's primary purpose is to create another access point to the infected machine. This is called a backdoor. Unlike a normal access point, a backdoor does not require any authentication or security procedures before allowing a user to access a computer. Because of this capability, some specialists suspect that the [email protected] worm may also be a remote administration tool, or RAT. The virus may have a server, a client, and an editor. The server is installed on the remote attacker’s computer and is used to send commands to the infected computer. The client is installed on the compromised machine and is responsible for receiving these commands. The editor, on the other hand, is a tool that allows the hacker to determine the features of the [email protected]