VBS.Gaggle.B@mm

Discovered: 18 December 2002
Updated: 13 February 2007
Systems Affected: Windows

VBS.Gaggle.B@mm:
  • Is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book.
  • Also attempts to spread through mIRC.
  • Appends itself to all the .asp, .hta, .htm, .html, .msconfig, .php, .phtm, .phtml, .plg, .regedb32, .sfc, .shtm, and .shtml files in all the folders of all the drives, except in the root folders.
  • Overwrites all the .vbs files in all the folders of all the drives with itself, except for the .vbs files in the root folders.
  • Deletes the files Msconfig.exe and Regedit.exe.

The email can have various subjects, messages, and attachments.


Antivirus Protection Dates

  • Initial Rapid Release version 19 December 2002
  • Latest Rapid Release version 28 September 2010 revision 054
  • Initial Daily Certified version 19 December 2002
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 24 December 2002

VBS.Gaggle.B@mm may arrive as one of the following email messages:

Subject: Su computadora es un Zombi?
Attachment: PcZombi.html
Message:
Debido al reciente ataque a los servidores
raiz DNS de la red, el FBI a determinado q' tan solo
en EEUU, hay 80.000 computadoras zombis.
Zombis se aplica a las Pc, afectadas por un RAT
(Troyano de Acceso Remoto), q' a diferencia de virus
y gusanos no dan sintomas, por lo que la mayoria de
usuarios desconoce que sus Pc estan infectadas y
siendo accedidas para robar informacion o lanzar
ataques a otras maquinas.
Como saber si su computadora esta infectada con
un RAT, en la pagina adjunta.
www.gratisweb.com/machinedramon1/gaghiel.html

Subject: Windows y Osama Ben Laden
Attachment: RAT seguridad.html
Message:
Debido a las recientes declaraciones de
un mienbro de Al-Qaida(Red de Ben Laden), de que
infiltrados entre los tecnicos de Microsoft, abri
an, incluido dentro del codigo de algunas versio
nes Windows, una Puerta Trasera(Troyano), para
poder acceder a las maquinas y robar informacion
o usarlas para un ataque coordinado.
Aunque Microsoft a negado esto, el FBI investiga
y agencias como la CIA, han cambiado los sistemas
de sus PCs, para evitar un ataque.
Como saber si su Pc esta afectada en la pagina
adjunta
www.gratisweb.com/machinedramon1/gaghiel.html

Subject: Te envio la info que me pediste
Attachment: InformacionCuentas.html
Message:
Hola, se me perdio el papel q' me
diste con tu mail, ojala no me haya equivocado al
escribirla.
Te envio la info q' me pediste(confidencial)
Reenviame la direccion de tu mail, saludame a
Raúl y despideme de Patty. Adios
www.gratisweb.com/machinedramon/gaghiel.html

Subject: VirtualLetter
Attachment: VirtualLetter.html
Message:
Una targeta virtual le ha sido enviada
desde esta direccion de correo.
los datos del remitente de la targeta y donde
verla, en la pagina adjunta.
Tiene 7 dias a partir de hoy, para ver o descar
gar su targeta antes de que sea borrada
VirtualLetter, un servicio de LatinRed
Email enviado sin acentos
www.gratisweb.com/machinedramon/gaghiel.html

Subject: Sexalud
Attachment: Sexalud.html
Message:
Sexalud,la pagina de Terra para resolver
tus dudas de sexualidad.
Visitanos en www.terra.com.pe/sexalud
Un Test para saber si eres buen(a) amante en la
pagina adjunta
www.gratisweb.com/machinedramon/gaghiel.html

Subject: Ouija Online
Attachment: OuijaTabler.hta
Message:
Alguna vez tuviste curiosidad por saber los misterios de
la Ouija, ahora podras conocerlos e incluso jugarla en tu Pc
Mira el tablero interactivo que te enviamos, para obtener informacion
presiona el boton INFO o visita nuestro web: http://www.gratisweb.com/
machinedramon1/gaghiel.html

Subject: Espias del mas alla
Attachment: Psicofonia.hta
Message:
Has escuchado alguna vez de las psicofonias o videos psiquicos?
Visita nuestra web: http://www.gratisweb.com/machinedramon1/gaghiel.html
Escucha la voz de los muertos, (*$*)

Subject: Advertencia de Envio Spam
Attachment:   Informe2-p.hta
Message:
Su Cuenta ha sido denunciada por el envio de Spam(Correo no Deseado).
De repetirse la situación se procederá a la clausura de su cuenta de e-mail.
Los detalles en el informe adjunto.
Atentamente Security IQEl S.A.

Subject: Registro
Attachment: UserRegister.hta
Message:
Su registro se ha realizado con exito, su nombre y clave de usuario
estan en el texto adjunto, así como las normas y derechos de cada usuario.
Su UserName y Clave son de uso personal y no deben ser revelados, el unico
responsable de ellos es usted
Atentamente Security IQEl S.A.

Subject: Investigacion
Attachment: InformeUFO.hta
Message:
La investigación que solicitó, tardara aún en resolverse, los
resultados parciales los encontrara en el texto adjunto.
En 15 días le comunicaremos los resultados finales.
Atentamente Security IQEl S.A.
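The subject/attachment pairs above are the most direct gateway-side indicator for this worm. The following is an added example, not Symantec's code, showing how a mail filter could check an incoming message against those lure pairs, against the 54,680-byte attachment size, and against the generic rule from the Recommendations section of blocking script-capable attachment types. The sample message it builds is constructed with the standard library `email` module for the demonstration; the verdict strings, the blocked-extension set and the size check are this example's own assumptions.

```python
"""Mail-gateway style triage for VBS.Gaggle.B@mm lures (added example)."""
from __future__ import annotations

import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject -> attachment pairs exactly as listed in the writeup.
KNOWN_LURES = {
    "Su computadora es un Zombi?": "PcZombi.html",
    "Windows y Osama Ben Laden": "RAT seguridad.html",
    "Te envio la info que me pediste": "InformacionCuentas.html",
    "VirtualLetter": "VirtualLetter.html",
    "Sexalud": "Sexalud.html",
    "Ouija Online": "OuijaTabler.hta",
    "Espias del mas alla": "Psicofonia.hta",
    "Advertencia de Envio Spam": "Informe2-p.hta",
    "Registro": "UserRegister.hta",
    "Investigacion": "InformeUFO.hta",
}

# Assumption of this example: attachment types to reject at the gateway. The
# worm's lures are .html/.hta, it drops .vbs, and the Recommendations section
# names .vbs, .bat, .exe, .pif and .scr as commonly abused types.
BLOCKED_EXTENSIONS = {".hta", ".html", ".htm", ".vbs", ".bat", ".exe", ".pif", ".scr"}

# Size of the lure attachment as stated in the writeup.
LURE_SIZE = 54_680


def build_sample_message(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Construct a sample message for the demonstration (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Constructed body text.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def classify(raw: bytes) -> list[str]:
    """Return the reasons a message would be held; an empty list means it passes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").strip()
    reasons: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        if KNOWN_LURES.get(subject) == name:
            reasons.append(f"known VBS.Gaggle.B@mm lure: {subject!r} with {name}")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == LURE_SIZE:
            reasons.append(f"attachment size matches worm lure ({LURE_SIZE} bytes)")
    return reasons


if __name__ == "__main__":
    sample = build_sample_message("Ouija Online", "OuijaTabler.hta", b"x" * LURE_SIZE)
    for reason in classify(sample):
        print(reason)
```

Matching on the exact subject/attachment pair catches this particular campaign; the extension rule is the control that keeps working once the lure text changes.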


The attachment is 54,680 bytes in length. If you execute the attachment, it does the following:
  • It opens an Internet Explorer window. The window's title bar displays the text:

    Naria y Erya

    and the window contains the message:

    Gaghiel
    Error Cargando : 2015

    Next, Windows may display an ActiveX warning prompt.

  • If you click Yes, the worm will create the file C:\%system%\Gaghiel.vbs, which is 24,712 bytes in length.

    NOTE: %System% is a variable. The worm locates the Windows System folder and copies itself to that location. By default, this is C:\Windows\System(Windows 95/98/Me), C:\Windows\System32 (Windows XP), or C:\Winnt\System32 (Windows 2000/NT).

    Then it adds a value:

    Gaghiel C:\%system%\Gaghiel.vbs

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you restart Windows.

  • Creates the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Domain Manager

    with the same value.

    Then the worm displays a message box.


When VBS.Gaggle.B@mm runs from the .vbs file, it does the following:
  • It creates these files:
    • C:\%windir%\Gaghiel.html
    • C:\%system%\AngeldelMar.html
    • C:\%temp%\PcZombi.html
    • C:\%temp%\RAT seguridad.html
    • C:\%temp%\InformacionCuentas.html
    • C:\%temp%\VirtualLetter.html
    • C:\%temp%\Sexalud.html

      The Gaghiel.html file is 37,524 bytes in length. The other six files are 54,680 bytes in length.

    NOTES:
    -- %Windir% is a variable. The worm locates the Windows installation folder and copies itself to that location. By default, this is C:\Windows or C:\Winnt.
    -- %Temp% is a variable. The worm locates the Windows temporary folder and copies itself to that location. For example, this is C:\Windows\Temp on a Windows 95/98 system.
  • Next, it overwrites the .vbs files in all the folders of all the writeable drives with itself, except for the .vbs files in the root folders.

  • Searches for the uninfected files that have the .asp, .hta, .htm, .html, .msconfig, .php, .phtm, .phtml, .plg, .regedb32, .sfc, .shtm, or .shtml extensions. It looks for these files in all the folders of all the writeable drives, except for the root folders. Then, it appends itself to the files it finds. Also, it prepends the text "Gaghiel" to the files. The infected files grow by 54,588 bytes.

  • Deletes any files whose file name is .asp, .hta, .htm, .html, .msconfig, .php, .phtm, .phtml, .plg, .regedb32, .sfc, .shtm, or .shtml from all the folders of all the writeable drives, except the root folders.

  • If the current day of the month is greater than 25, the worm changes the value of the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start Page

    to:

    http:/ /www.gratisweb.com/machinedramon1/sachiel.jpg.scr
    NOTE: Symantec antivirus products detect the downloaded file sachiel.jpg.scr as W32.Sachiel.

If the current month number plus the current day of the month equals 30, the worm displays a message box.


The worm then uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book.

If Mirc32.exe or Mirc.ini exists, the worm will create Chanel.hlp in the same folder as Mirc32.exe or Mirc.ini. Chanel.hlp is 2,842 bytes in length. By opening Chanel.hlp, the worm may send itself to other mIRC users who connect in the same channel as the infected computer.

The worm also deletes these files:
  • Msconfig.exe (Windows 98/Me/XP only).
  • Regedit.exe.
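The file-system side effects above (the "Gaghiel" text prepended to infected web files, every non-root .vbs overwritten with the same 24,712-byte script, and the fixed set of dropped file names) are what an incident responder would sweep a disk for. The script below is an added example, not Symantec's or the worm's code: it walks a tree and reports those three indicator classes. The sample tree it creates is constructed for the demonstration; the extension list, marker, sizes and drop names come from the writeup, while treating byte-identical .vbs files in two or more folders as suspicious is this example's own heuristic.

```python
"""Filesystem triage for VBS.Gaggle.B@mm indicators (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the worm appends itself to, per the writeup.
INFECTED_EXTENSIONS = {".asp", ".hta", ".htm", ".html", ".msconfig", ".php", ".phtm",
                       ".phtml", ".plg", ".regedb32", ".sfc", ".shtm", ".shtml"}
# Text the worm prepends to infected files, per the writeup.
MARKER = b"Gaghiel"
# Names of files the worm creates, per the writeup (compared case-insensitively).
DROPPED_NAMES = {"gaghiel.html", "angeldelmar.html", "pczombi.html", "rat seguridad.html",
                 "informacioncuentas.html", "virtualletter.html", "sexalud.html",
                 "gaghiel.vbs", "chanel.hlp"}
# Size of Gaghiel.vbs, per the writeup.
GAGHIEL_VBS_SIZE = 24_712


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Return sorted (path relative to root, reason) pairs for every indicator found."""
    findings: list[tuple[str, str]] = []
    vbs_by_hash: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            ext = path.suffix.lower()
            if name.lower() in DROPPED_NAMES:
                findings.append((rel, "file name matches worm drop"))
            if ext in INFECTED_EXTENSIONS:
                with open(path, "rb") as fh:
                    head = fh.read(len(MARKER))
                if head == MARKER:
                    findings.append((rel, "prepended 'Gaghiel' marker"))
            # The worm leaves root-folder .vbs files alone, so only cluster the rest.
            if ext == ".vbs" and path.parent != root:
                data = path.read_bytes()
                vbs_by_hash[hashlib.sha256(data).hexdigest()].append((rel, len(data)))
    for entries in vbs_by_hash.values():
        if len(entries) < 2:  # assumption: identical .vbs in 2+ folders is suspicious
            continue
        for rel, size in entries:
            reason = f"identical .vbs content in {len(entries)} folders"
            if size == GAGHIEL_VBS_SIZE:
                reason += " (size matches Gaghiel.vbs)"
            findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree(base: Path) -> Path:
    """Construct a demonstration tree; the contents are placeholders, not worm code."""
    (base / "site").mkdir()
    (base / "site" / "index.html").write_bytes(MARKER + b"<html>lure page</html>")
    (base / "site" / "about.htm").write_bytes(b"<html>clean page</html>")
    (base / "scripts").mkdir()
    (base / "scripts" / "a.vbs").write_bytes(b"' placeholder copy " * 8)
    (base / "tools").mkdir()
    (base / "tools" / "b.vbs").write_bytes(b"' placeholder copy " * 8)
    (base / "tools" / "Chanel.hlp").write_bytes(b"placeholder")
    (base / "root.vbs").write_bytes(b"' untouched root-folder script")
    return base


def demo() -> list[tuple[str, str]]:
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

The marker check only reads the first seven bytes of each candidate file, so it stays cheap on large web roots; the .vbs clustering needs full content hashes but is limited to one extension.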


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as VBS.Gaggle.B@mm or W32.Sachiel.
  4. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.


Note: If the .vbs component has run, and has successfully deleted Regedit.exe and Msconfig.exe, you will have to restore Regedit.exe before you can remove the registry entries that were created by the worm. Msconfig.exe can be restored to Windows 98/Me/XP systems at that time as well. Please see your Windows documentation for instructions on how to do this.


1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    Once the Intelligent Updater virus definitions are available, read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with VBS.Gaggle.B@mm or W32.Sachiel, click Delete.



4. Deleting the value from the registry


WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Gaghiel"="C:\%System%\Gaghiel.vbs"

  5. Click Registry, and then click Exit.
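The manual Registry Editor steps above can be checked and, on Windows, carried out from a script. The following is an added example, not Symantec's code: `flag_run_values` is a pure matcher over a name-to-data mapping so the logic can be exercised on any platform, and the two `winreg` helpers read or delete a value under the same Run key only when run on Windows. The value name "Gaghiel" and the Gaghiel.vbs path come from the writeup; flagging "Domain Manager" (the second name the writeup mentions with the same value) and any Run value that points at a .vbs script are this example's assumptions.

```python
"""Run-key check and removal for the VBS.Gaggle.B@mm persistence value (added example)."""
from __future__ import annotations

import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Value names associated with the worm in the writeup.
SUSPECT_NAMES = {"gaghiel", "domain manager"}


def flag_run_values(values: dict[str, object]) -> list[tuple[str, str, str]]:
    """Return (name, data, reason) for Run values matching the worm's indicators."""
    hits: list[tuple[str, str, str]] = []
    for name, data in values.items():
        text = str(data)
        plain = text.strip().strip('"').lower()
        if name.lower() in SUSPECT_NAMES:
            hits.append((name, text, "value name used by VBS.Gaggle.B@mm"))
        elif "gaghiel.vbs" in plain:
            hits.append((name, text, "value launches Gaghiel.vbs"))
        elif plain.endswith(".vbs"):
            # Assumption of this example: a Run entry that launches a bare .vbs
            # script is unusual enough to warrant review even without the name.
            hits.append((name, text, "Run value points at a .vbs script (review)"))
    return hits


def read_run_values() -> dict[str, object]:
    """Read all values under HKLM\\...\\Run on Windows; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values: dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for i in range(value_count):
            name, data, _kind = winreg.EnumValue(key, i)
            values[name] = data
    return values


def remove_run_value(name: str) -> bool:
    """Delete one value under HKLM\\...\\Run (Windows only); back up the registry first."""
    if sys.platform != "win32":
        return False
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, name)
    return True


if __name__ == "__main__":
    # Constructed sample values for the demonstration; on Windows you would
    # pass read_run_values() instead.
    sample = {"Gaghiel": r"C:\WINDOWS\SYSTEM32\Gaghiel.vbs", "ctfmon": "ctfmon.exe"}
    for name, data, why in flag_run_values(sample):
        print(f"{name} = {data}: {why}")
```

Keeping the matcher separate from the `winreg` calls means the detection rule can be unit-tested on an analyst's workstation and then applied on the affected host, where `remove_run_value("Gaghiel")` performs step 4 once Regedit.exe has been restored.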


Writeup By: Yana Liu