McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This virus, written in Visual Basic 6.0, spreads by copying itself to floppy discs as NUDEBABES.SCR. Additionally, it attempts to deliver a destructive file deletion payload.

When run on the victim machine:

• it copies itself to %WinDir% as GAGO.EXE
• the following Registry key is set to run the virus at startup:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  Run "Aileen Picture" = %WinDir%\GAGO.EXE
  
  
• the following graphic is displayed:
  
  
  
  
• subsequently, the file deletion payload is delivered. The virus attempts to delete all files on the local hard drive. (This was not observed in testing, but is supported by strings within the virus, and from a field report AVERT has received.)

Symptoms

• %WinDir%\GAGO.EXE (20,480 bytes)
• display of the above graphic

Method of Infection

The virus installs itself on the victim machine as %WinDir%\GAGO.EXE upon execution.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This virus, written in Visual Basic 6.0, spreads by copying itself to floppy discs as NUDEBABES.SCR. Additionally, it attempts to deliver a destructive file deletion payload.

When run on the victim machine:

• it copies itself to %WinDir% as GAGO.EXE
• the following Registry key is set to run the virus at startup:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  Run "Aileen Picture" = %WinDir%\GAGO.EXE
  
  
• the following graphic is displayed:
  
  
  
  
• subsequently, the file deletion payload is delivered. The virus attempts to delete all files on the local hard drive. (This was not observed in testing, but is supported by strings within the virus, and from a field report AVERT has received.)

Symptoms

Symptoms -

• %WinDir%\GAGO.EXE (20,480 bytes)
• display of the above graphic

Method of Infection

Method of Infection -

The virus installs itself on the victim machine as %WinDir%\GAGO.EXE upon execution.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A