MSIL/Gaze@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 10/29/2002
Length: 8,192 bytes
Minimum DAT: 4232 (11/06/2002)
Updated DAT: 4232 (11/06/2002)
Minimum Engine: 5.1.00
Description Added: 10/30/2002
Description Modified: 10/30/2002 4:54 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This mass-mailing worm requires Windows XP with the .NET Framework installed and Microsoft Outlook in order to propagate. Additionally, propagation is likely to fail on pre-installed or default installations of Windows XP, as it depends on the directory C:\WINNT\SYSTEM32.

This threat arrives in an email message containing the following information:

faze How are you today?

When the attachment is run, the virus copies itself to C:\WINNT\SYSTEM32\GAME.EXE and creates a registry run key to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msdosie=C:\WINNT\SYSTEM32\GAME.EXE

It drops a VBScript file that contains the mass mailing routine, C:\WINNT\SYSTEM32\MAIL.VBS. This script file is detected as VBS/Generic@MM with the 4140 DAT files or greater.

The worm does not contain any malicious payloads. Its only function is to spread as outlined above.

Symptoms

Presence of the files C:\WINNT\SYSTEM32\GAME.EXE and C:\WINNT\SYSTEM32\MAIL.VBS
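
The files and Run value described above can be checked with a short read-only PowerShell function. This is an added example, not part of the original description or vendor tooling; the function name Test-GazeIndicators and its parameters are assumptions made for illustration.

```powershell
# Added example: read-only check for the MSIL/Gaze@MM artifacts listed on this page.
# Test-GazeIndicators and its parameters are illustrative names, not vendor tooling.
function Test-GazeIndicators {
    param(
        [string]$SystemDir = 'C:\WINNT\SYSTEM32',
        [string]$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $findings = @()

    # Dropped files: the worm's copy of itself and the VBScript mass-mailing routine.
    foreach ($name in 'GAME.EXE', 'MAIL.VBS') {
        $path = [System.IO.Path]::Combine($SystemDir, $name)
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += New-Object PSObject -Property @{
                Indicator = 'File'; Location = $path; Detail = 'present'
            }
        }
    }

    # Startup persistence: Run value "msdosie". Report it even if its data differs
    # from the documented path, since the value name alone is worth a look.
    $run = Get-ItemProperty -Path $RunKey -Name 'msdosie' -ErrorAction SilentlyContinue
    if ($run) {
        $expected = [System.IO.Path]::Combine($SystemDir, 'GAME.EXE')
        if ($run.msdosie -ieq $expected) {
            $detail = 'data matches documented path'
        } else {
            $detail = "data differs: $($run.msdosie)"
        }
        $findings += New-Object PSObject -Property @{
            Indicator = 'RunValue'; Location = "$RunKey\msdosie"; Detail = $detail
        }
    }
    return $findings
}

$hits = @(Test-GazeIndicators)
if ($hits.Count -eq 0) {
    'No MSIL/Gaze@MM artifacts found.'
} else {
    $hits | Format-Table Indicator, Location, Detail -AutoSize
}
```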

Method of Infection

This worm is designed to run on systems that have been upgraded to Windows XP with the .NET Framework installed. It drops a VBScript file that uses Microsoft Outlook to send itself to all recipients found in the Outlook address book.

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Gaze (AVP)
  • Win32.Gaze (CA)
