ViRobot

Threats DB

VBS.Gedza.A

Aliases: VBS/Gedza [McAfee], VBS_GEDZA.A [Trend]
Typical Symptoms: Changes registry, Displays a popup window, Process shuts down
Discovered: [Korea] 0000-00-00, [Foreign] 2004-04-13
Type: Worm
Active Field: VBS
Destroy/Distribution:
Origin: others
Encryption: NO
Location: Script
Memory residence: NO
Scan engine needed: 2004-04-19 [Able to detect & repair]
Description

[Summary]

This worm was found on April 13, 2004.
It spreads via P2P programs; on specified days of the month it pops up a message or tries to open the homepage of the singer Avril Lavigne.

[How it spreads]

It copies itself into the shared folder of P2P programs under the following file names and spreads from there.

- Ana Kournikova Sex Video.zip  
- AVP Antivirus Pro Key Crack.zip  
- Britney Spears Sex Video.zip  
- Buffy Vampire Slayer Movie.zip  
- Crack Passwords Mail.zip  
- Cristina Aguilera Sex Video.zip  
- Game Cube Real Emulator.zip  
- Hentai Anime Girls Movie.zip  
- Jenifer Lopez Sex Video.zip  
- Matrix Movie.zip  
- Mcafee Antivirus Scan Crack.zip  
- Norton Anvirus Key Crack.zip  
- Panda Antivirus Titanium Crack.zip  
- PS2 PlayStation Simulator.zip  
- Quick Time Key Crack.zip  
- Sakura Card Captor Movie.zip  
- Sex Live Simulator.zip  
- Sex Passwords.zip  
- Spiderman Movie.zip  
- Start Wars Trilogy Movies.zip  
- Thalia Sex Video.zip  
- Winzip KeyGenerator Crack.zip  
- aol cracker.zip  
- aol password cracker.zip  
- divx pro.zip  
- GTA 3 Crack.zip  
- GTA 3 Serial.zip  
- play station emulator.zip  
- virtua girl - adriana.zip  
- virtua girl - bailey short skirt.zip  
- Virtua Girl (Full).zip  
- warcraft 3 crack.zip  
- warcraft 3 serials.zip  
- counter-strike.zip  
- delphi.zip  
- divx_pro.zip  
- HotGirls.zip  
- hotmail_hack.zip  
- pamela_anderson.zip  
- serials2000.zip  
- subseven.zip  
- VB6.zip  
- VirtualSex.zip  
- ACDSee 5.5.zip  
- Age of Empires 2 crack.zip  
- Animated Screen 7.0b.zip  
- AOL Instant Messenger.zip  
- AquaNox2 Crack.zip  
- Audiograbber 2.05.zip  
- BabeFest 2003 ScreenSaver 1.5.zip  
- Babylon 3.50b reg_crack.zip  
- Battlefield1942_bloodpatch.zip  
- Battlefield1942_keygen.zip  
- Business Card Designer Plus 7.9.zip  
- Clone CD 5.0.0.3 (crack).zip  
- Clone CD 5.0.0.3.zip  
- Coffee Cup Free zip 7.0b.zip  
- Cool Edit Pro v2.55.zip  
- Diablo 2 Crack.zip  
- DirectDVD 5.0.zip  
- DirectX Buster (all versions).zip
- DirectX InfoTool.zip  
- DivX Video Bundle 6.5.zip  
- Download Accelerator Plus 6.1.zip  
- DVD Copy Plus v5.0.zip  
- DVD Region-Free 2.3.zip  
- FIFA2003 crack.zip  
- Final Fantasy VII XP Patch 1.5.zip  
- Flash MX crack (trial).zip  
- FlashGet 1.5.zip  
- FreeRAM XP Pro 1.9.zip  
- GetRight 5.0a.zip  
- Global DiVX Player 3.0.zip  
- Gothic2 licence.zip  
- Guitar Chords Library 5.5.zip  
- Hitman_2_no_cd_crack.zip  
- Hot Babes XXX Screen Saver.zip  
- ICQ Pro 2003a.zip  
- ICQ Pro 2003b (new beta).zip  
- iMesh 3.6.zip  
- iMesh 3.7b (beta).zip  
- IrfanView 4.5.zip  
- KaZaA Hack 2.5.0.zip  
- KaZaA Speedup 3.6.zip  
- Links 2003 Golf game (crack).zip  
- Living Waterfalls 1.3.zip  
- Mafia_crack.zip  
- Matrix Screensaver 1.5.zip  
- MediaPlayer Update.zip  
- mIRC 6.40.zip  
- mp3Trim PRO 2.5.zip  
- MSN Messenger 5.2.zip  
- NBA2003_crack.zip  
- Need 4 Speed crack.zip  
- Nero Burning ROM crack.zip  
- Netfast 1.8.zip  
- Network Cable e ADSL Speed 2.0.5.zip  
- NHL 2003 crack.zip  
- Nimo CodecPack (new) 8.0.zip  
- PalTalk 5.01b.zip  
- Popup Defender 6.5.zip  
- Pop-Up Stopper 3.5.zip  
- QuickTime_Pro_Crack.zip  
- Serials 2003 v.8.0 Full.zip  
- SmartFTP 2.0.0.zip  
- SmartRipper v2.7.zip  
- Space Invaders 1978.zip  
- Splinter_Cell_Crack.zip  
- Steinberg_WaveLab_5_crack.zip  
- Trillian 0.85 (free).zip  
- TweakAll 3.8.zip  
- Unreal2_bloodpatch.zip  
- Unreal2_crack.zip  
- UT2003_bloodpatch.zip  
- UT2003_keygen.zip  
- UT2003_no cd (crack).zip  
- UT2003_patch.zip  
- WarCraft_3_crack.zip  
- Winamp 3.8.zip  
- WindowBlinds 4.0.zip  
- WinOnCD 4 PE_crack.zip  
- WinZip 9.0b.zip  
- Yahoo Messenger 6.0.zip  
- Zelda Classic 2.00.zip  
- Windows XP complete + serial.zip  
- Screen saver christina aguilera.zip  
- Screen saver christina aguilera naked.zip  
- Visual basic 6.zip  
- Starcraft serial.zip  
- Credit Card Numbers generator(incl Visa,MasterCard,...).zip  
- Edonkey2000-Speed me up scotty.zip  
- Hotmail Hacker 2003-Xss Exploit.zip  
- Kazaa SDK + Xbit speedUp for 2.xx.zip
- Microsoft KeyGenerator-Allmost all microsoft stuff.zip  
- Netbios Nuker 2003.zip  
- Security-2003-Update.zip  
- Stripping MP3 dancer+crack.zip  
- Visual Basic 6.0 Msdn Plugin.zip  
- Windows Xp Exploit.zip  
- WinRar 3.xx Password Cracker.zip  
- WinZipped Visual C++ Tutorial.zip  
- XNuker 2003 2.93b.zip  
- cable modem ultility pack.zip  
- macromedia dreamweaver key generator.zip
- winamp plugin pack.zip  
- winzip full version key generator.zip

[Infection symptoms]

1. When an HTML file infected by the worm is opened, a warning message box asking whether to run an ActiveX control pops up. If you choose "Yes", the following picture is displayed.

2. The following files are created in the Windows system folder.

- hta.vbs, Kernel32.win, lsrafel.vbs, GEDZAC.vbs, mouse_configurator.win, winmgd.win, File.vbs, pubprn.vbs (file size: 272,349 bytes)
- sendi.exe (file size: 30,721 bytes, worm file)
- pkzip.exe (file size: 42,167 bytes, compression program)
- regsrv.exe (file size: 42,167 bytes, the program that terminates specified running processes and deletes EXE files)
- AvrilLavigne.jpg (file size: 12,549 bytes, picture file)
- FILEZIP.ZIP (ZIP archive containing File.vbs)
- iwn.dat
- iw.dat
- ixn.dat
- ix.dat

3. It creates Estigma.hta (file size: 354 bytes) in the root of drive C:.

4. It registers itself in the registry so that it is executed automatically when Windows starts.

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

- Name: Kernel32
- Data: (Windows system folder)\Kernel32.win

- Name: Israfel
- Data: (Windows system folder)\Israfel.vbs

5. It modifies the registry as follows, so that opening a .reg file runs GEDZAC instead of regedit.exe and the Registry Editor is disabled.

- HKEY_CLASSES_ROOT\regfile\shell\open\command
- HKEY_CLASSES_ROOT\keyfile\shell\open\command

- Name: (Default)
- Data: GEDZAC

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

- Name: DisableRegistryTools
- Data: 1

6. On the following days of the month, the specified action is triggered.

- 3rd: C:\Estigma.hta is executed.
- 11th: Displays a dialog box with a specified message.
- 19th: Displays a dialog box with a specified message.
- 26th: Displays a dialog box with a specified message.
- 29th: Opens the homepage of Avril Lavigne (singer) (http://www.avril-lavigne.com).



Removal Instructions
[Repair by using ViRobot]

1. Update ViRobot and check the version (the version should be 2004-04-19.02 or above).

2. Detect/remove the virus with ViRobot.

[Manual repair]

1. First, reboot into Safe Mode. (You can enter Safe Mode by pressing F8 while the system starts.)

2. Uncheck "Hide file extensions for known file types" in Windows Explorer.

- Example: [Tools(T)] -> [Folder Options(O)] -> [View] -> uncheck "Hide file extensions for known file types"

3. Open Task Manager and end the "wscript.exe", "regsrv.exe" and "sendi.exe" processes.

- Example of opening Task Manager: press "CTRL+ALT+DELETE" on Windows 95/98/ME, or "CTRL+SHIFT+ESC" on Windows NT/2000/XP.

4. Find the following files and delete them.

- hta.vbs, Kernel32.win, lsrafel.vbs, GEDZAC.vbs, mouse_configurator.win, winmgd.win, File.vbs, pubprn.vbs (file size: 272,349 bytes)
- sendi.exe (file size: 30,721 bytes)
- pkzip.exe (file size: 42,167 bytes)
- regsrv.exe (file size: 42,167 bytes)
- AvrilLavigne.jpg (file size: 12,549 bytes)
- FILEZIP.ZIP
- iwn.dat
- iw.dat
- ixn.dat
- ix.dat

5. Find Estigma.hta (file size: 354 bytes) in the root of drive C: and delete it.

6. Select [Start] -> [Run], type "notepad c:\repair.reg" and press Enter. When Notepad asks whether to create a new file, select "Yes".

7. Copy and paste the following content into Notepad, or type it in directly.

REGEDIT4

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[-HKEY_CLASSES_ROOT\keyfile]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"=-
"Israfel"=-

8. Click [File] -> [Close]. If asked whether to save the changes, select "Yes".

9. Press "Ctrl+Alt+Delete" and reboot the system.

* Repairing with ViRobot is recommended, to avoid errors that may occur during manual repair.
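As an added example (not part of the HAURI write-up), the PowerShell script below performs a read-only check for the indicators listed under [Infection symptoms], so it can be used both to confirm an infection and to verify that the manual repair above took effect. It assumes an NT-based Windows whose system folder is System32, and the file, value and process names are exactly those given on this page; it changes nothing on the system.

```powershell
# Added example: read-only check for the VBS.Gedza.A indicators listed on the page.
$sysDir   = [Environment]::GetFolderPath('System')   # System32 on NT-based Windows (assumption)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files the write-up says are dropped into the system folder and the root of C:
$dropped = 'hta.vbs','Kernel32.win','lsrafel.vbs','GEDZAC.vbs','mouse_configurator.win',
           'winmgd.win','File.vbs','pubprn.vbs','sendi.exe','pkzip.exe','regsrv.exe',
           'AvrilLavigne.jpg','FILEZIP.ZIP','iwn.dat','iw.dat','ixn.dat','ix.dat'
foreach ($name in $dropped) {
    $p = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $p) { $findings.Add("dropped file present: $p") }
}
if (Test-Path -LiteralPath 'C:\Estigma.hta') { $findings.Add('dropped file present: C:\Estigma.hta') }

# 2. Autorun values (Kernel32, Israfel) under HKLM ...\Run
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($valueName in 'Kernel32','Israfel') {
    if ($run -and $run.PSObject.Properties[$valueName]) {
        $findings.Add("Run entry present: $valueName = $($run.$valueName)")
    }
}

# 3. Registry Editor lockout (DisableRegistryTools = 1) in the three policy keys the page names
#    (the second key is spelled 'WindowsNT' here because that is how the write-up gives it)
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKCU:\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($v -eq 1) { $findings.Add("DisableRegistryTools = 1 under $key") }
}

# 4. .reg file handler: the default value should launch regedit.exe, not GEDZAC;
#    the repair .reg also deletes HKCR\keyfile, so its presence is worth reporting
$cmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -notmatch 'regedit') { $findings.Add("regfile handler altered: $cmd") }
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\keyfile') { $findings.Add('HKCR\keyfile key present (removed by the repair .reg)') }

# 5. Processes the manual repair says to end
Get-Process -Name wscript,regsrv,sendi -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("process running: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No VBS.Gedza.A indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt before and after the manual repair; an empty result after step 9 means every indicator the page lists has been cleared.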


Copyright 2008 @ HAURI Inc. All rights reserved.