Threat Encyclopedia

Win32/Galil.A

W32/Lagel.A, Win32.Holar.C

Win32/Galil.A is a worm that spreads as an email file attachment. It is written in Visual Basic and compressed with UPX. The size of the worm is 80 626 bytes.

The worm arrives in a message with the subject "Fwd: Crazy illegal Sex". The attachment of such a message is a file named iLLeGaL.exe. The body of the message contains the following text:

Hii

Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u
DON'T see dis Clip.
Emagine two young children havin
crazy sex fo da first time togetha !
oooool i'm still wonderin where thier
parents were?

Good Fuck , oh sorry :">
i mean Good Luck ;)

Bye

Once the file iLLeGaL.exe is run, the worm Win32/Galil.A is activated and opens the following animated window:

After the animation is completed the following window is displayed:

Note: In the following text the symbolic name %windir% is used instead of the name of the directory in which the Windows operating system is installed. This directory may differ from installation to installation.

The worm copies itself into the directory %windir%\System under the name iLLeGaL.exe. At the same time it creates the files Mplayer.exe and SMTP.OCX in this directory. It also creates a value named iLLeGaL in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices with the data "C:\%windir%\SYSTEM\Mplayer.exe". This entry ensures that the worm is started again after the system reboots.

When the worm's activity is completed it sends an email message carrying a copy of itself to all acquired addresses. The body of the worm also contains a text string, probably the signature of the author:

Made By ZaCker

The body of the worm also contains code capable of deleting the contents of the D:, E:, F: and G: drives.
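The persistence entry and the dropped files described above can be checked during incident response against an exported registry hive and a listing of the %windir%\System directory. The following Python script is an added example and is not part of the ESET entry; the .reg excerpt and the directory listing it processes are constructed samples, and the value-name and file-name matching is case-insensitive because the Windows registry and FAT file systems are.

```python
import re
from typing import Dict, List

# Indicators quoted from the encyclopedia entry above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUN_VALUE = "iLLeGaL"
DROPPED_FILES = {"illegal.exe", "mplayer.exe", "smtp.ocx"}

# Constructed .reg export excerpt (REGEDIT syntax doubles backslashes in string data).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGaL"="C:\\%windir%\\SYSTEM\\Mplayer.exe"
'''
# Constructed listing of the %windir%\System directory on an infected machine.
SAMPLE_LISTING = ["kernel32.dll", "iLLeGaL.exe", "Mplayer.exe", "SMTP.OCX"]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="data" string values of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current is not None:
            # Undo the .reg escaping of backslashes in string data.
            keys[current][val_match.group(1)] = val_match.group(2).replace("\\\\", "\\")
    return keys


def check_persistence(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag RunServices values named after the worm or pointing at its Mplayer.exe loader."""
    findings = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE.lower() or data.lower().endswith("\\mplayer.exe"):
                findings.append(f"RunServices value {name!r} -> {data}")
    return findings


def check_dropped_files(listing: List[str]) -> List[str]:
    """Return the names in a System directory listing that match the worm's dropped files."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)
```

Finding Mplayer.exe in the RunServices key or any of the three file names in %windir%\System is a strong indicator; a legitimate SysTray.Exe entry in the Run key, as in the sample, is not flagged.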

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.