
W32/Gaga.worm

Type: Virus
SubType: Floppy Worm
Discovery Date: 10/07/2002
Length: 20,480 bytes
Minimum DAT: 4229 (10/16/2002)
Updated DAT: 4292 (09/10/2003)
Minimum Engine: 5.1.00
Description Added: 10/07/2002
Description Modified: 10/07/2002 10:18 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low


Characteristics

This virus, written in Visual Basic 6.0, spreads by copying itself to floppy discs as NUDEBABES.SCR. Additionally, it attempts to deliver a destructive file deletion payload.

When run on the victim machine:

  • it copies itself to %WinDir% as GAGO.EXE
  • the following Registry key is set to run the virus at startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Aileen Picture" = %WinDir%\GAGO.EXE


  • the following graphic is displayed:

    hi, gusto mo ba ng ka text mate ako na nga siguro hinahanap mo, heres my number (removed)

  • subsequently, the file deletion payload is delivered. The virus attempts to delete all files on the local hard drive. (This was not observed in testing, but is supported by strings within the virus and by a field report AVERT has received.)

Symptoms

  • %WinDir%\GAGO.EXE (20,480 bytes)
  • display of the above graphic
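
The indicators listed above can be checked offline against a text export of the Run key and a file listing taken from a suspect machine or disk image. The following is an added example, not part of the original description; the function names and the sample data are constructed for illustration, and it assumes the floppy copy has the same length as the installed copy because the worm copies itself.

```python
import re

# Indicators copied from the description above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "aileen picture"
DROPPED = "gago.exe"           # copy placed in %WinDir%
FLOPPY_COPY = "nudebabes.scr"  # copy written to floppy discs
SIZE = 20480                   # bytes

def scan_reg_export(text):
    """Return (name, data) for Run values in a .reg export that match."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if not (in_run and m):
            continue
        # .reg files escape backslashes and quotes with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() == RUN_VALUE or re.search(r'(?:^|[\\/"])gago\.exe\b', data, re.I):
            hits.append((name, data))
    return hits

def scan_listing(entries):
    """entries: iterable of (path, size). Return (path, confidence) hits."""
    hits = []
    for path, size in entries:
        base = re.split(r"[\\/]", path)[-1].lower()
        if base in (DROPPED, FLOPPY_COPY):
            hits.append((path, "high" if size == SIZE else "name-only"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Aileen Picture"="C:\\WINDOWS\\GAGO.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Aileen Picture"="C:\\other.exe"
'''
SAMPLE_FILES = [(r"C:\WINDOWS\GAGO.EXE", 20480), (r"A:\NUDEBABES.SCR", 20480),
                (r"C:\WINDOWS\NOTEPAD.EXE", 53248), (r"D:\tmp\gago.exe", 1024)]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_listing(SAMPLE_FILES))
```

A name-only hit means the file name matches but the length does not, so it needs manual review rather than being treated as confirmed.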

Method of Infection

The virus installs itself on the victim machine as %WinDir%\GAGO.EXE upon execution.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A


Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
