W32/Gemel.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 01/29/2003
Length: 35,328
Minimum DAT: 4246 (02/05/2003)
Updated DAT: 4246 (02/05/2003)
Minimum Engine: 5.1.00
Description Added: 01/29/2003
Description Modified: 01/31/2003 10:27 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This worm can spread via floppy disk, file sharing on KaZaa, and ICQ.

When run, the worm deletes the following system files:

  • regedit.exe
  • msconfig.exe

It creates a text file and displays its content using Notepad. The worm creates the following registry value in order to run at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "GEDZAC" = "C:\Windows\Guindows\GEDZAC.EXE"

It creates several other registry keys for display purposes, such as changing the MSN Messenger chat warning message.

The worm copies itself to c:\WINDOWS\Guindows\GEDZAC.EXE. It also creates many copies of itself in the following folders, if they exist on the machine:

  • c:\Program Files\Grokster\My Grokster
  • c:\ARCHIV~1\Grokster\My Grokster\
  • c:\Program Files\Morpheus\My Shared Folder\
  • c:\archiv~1\Morpheus\My Shared Folder\
  • c:\Program Files\ICQ\shared files
  • c:\archiv~1\ICQ\shared files\
  • c:\Program Files\KaZaA\My Shared Folder\
  • c:\ARCHIV~1\KaZaA\My Shared Folder\

The copies use one of the following file extensions: .bat, .com, .exe, .pif, .scr. The worm also periodically writes itself to floppy disk as a:\Atentados Terrorista.
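As an added defender-side example (not part of the McAfee description), the following PowerShell checks a host for the indicators listed above: the GEDZAC Run value, the dropped copy under the Windows directory, the missing system tools, and size-matched files in the shared folders. It assumes the Windows directory is $env:WINDIR and treats a match on the page's 35,328-byte length as a heuristic only.

```powershell
# Added example (not from the McAfee page): read-only host check for the
# W32/Gemel.worm indicators listed above. It reports; it removes nothing.
# Assumes the Windows directory is $env:WINDIR (the page gives C:\Windows).

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'GEDZAC'
$dropPath = Join-Path $env:WINDIR 'Guindows\GEDZAC.EXE'
$wormLen  = 35328                      # Length given on the page
$exts     = '.bat', '.com', '.exe', '.pif', '.scr'

# P2P/ICQ shared folders the worm seeds. ARCHIV~1 is the 8.3 short name of a
# localised Program Files directory, so both spellings from the page are checked.
$sharedDirs = foreach ($root in 'C:\Program Files', 'C:\ARCHIV~1') {
    foreach ($sub in 'Grokster\My Grokster', 'Morpheus\My Shared Folder',
                     'ICQ\shared files', 'KaZaA\My Shared Folder') {
        Join-Path $root $sub
    }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Startup hook: a Run value named GEDZAC
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value '$runValue' = $($run.$runValue)") }

# 2. Main dropped copy
if (Test-Path -LiteralPath $dropPath) { $findings.Add("Dropped copy present: $dropPath") }

# 3. System tools the worm deletes (absence alone is only a weak hint)
foreach ($tool in 'regedit.exe', 'msconfig.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        $findings.Add("$tool not found on PATH")
    }
}

# 4. Seeded copies: files with a lure extension and the worm's exact size.
#    Size matching is a heuristic; confirm with current engine and DAT files.
foreach ($dir in ($sharedDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.Length -eq $wormLen } |
        ForEach-Object { $findings.Add("Size-matched file in share: $($_.FullName)") }
}

if ($findings.Count) { $findings } else { 'No W32/Gemel.worm indicators found.' }
```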

Symptoms

Method of Infection

This worm spreads via floppy diskette, KaZaa, and ICQ.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/P2P.Torres.Worm (CA)
  • Worm.P2P.Gemel.a (AVP)
  • WORM_GEMEL.A (Trend)
