Virus

VBS/G0mez.A@mm

Analysis

VBS/G0mez.A-mm is a Visual Basic Script mass-mailer worm. It propagates by sending email to every Microsoft Outlook email address stored on an infected computer. It can also propagate through music file-sharing (peer-to-peer) programs.
The email has the subject "Re: Hello", the body "Hey There :-)" and the attachment Hello.vbs. Once this file is executed, it decrypts itself using a number-to-character translation. Then it copies itself to the following files:
c:\Hello.vbs
c:\WINDOWS\System32\VBS_Update-0548656X.vbs
c:\WINDOWS\WinFIX1.0.vbs
c:\WINDOWS\WinUpdater5.0.vbs
c:\ICQNET.vbs
c:\WINDOWS\System32\G0mez.vbs
After copying, it inserts entries into the registry so that it is executed automatically when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VBS_AUTO_UPDATE = C:\WINDOWS\System32\VBS_Update-0548656X.vbs
FIX = C:\WINDOWS\WinFIX1.0.vbs
UPDATE = C:\WINDOWS\WinUpdater5.0.vbs
ICQ = C:\ICQNET.vbs
G0mez = C:\WINDOWS\Systems32\G0mez.vbs
Then the script disables the registry editors Regedt32.exe and Regedit.exe. With a probability of 1 in 4, it displays a message box with the title "This is the w0rk 0f g0mez" and the message "Y0ur c0mputer has been infected by G0mez!."
VBS/G0mez.A-mm propagates through music file-sharing programs by copying itself to the shared folder of the following programs:
KMD
KaZaA Lite
Morpheus
BearShare
Edonkey2000
using the following names:
Porno-Pic.Jpg.vbs
Cool-Games.Exe.vbs
IN-DA-CLUB.Mp3.vbs
SecretFBIDocs.doc.vbs
HowToRipDVDs.txt.vbs
PORNO.mpg.vbs
COOL-GAMES.exe.vbs
With a probability of 1 in 3, it creates a file "Warning.txt" in the root directory of drive C and opens it in a text editor. The content is:
You have been infected by G0mez!
Go to any AV sites and update you AV software !!!
- Best Regards: G0mez Author
With another 1-in-3 chance, the worm attempts to shut down the machine by sending a shutdown message to the system.
The last step of the script is a call to a procedure named "PCG0wnZ()". This procedure recurses through all sub-folders and, for every file with the extension dll, vbs, vbe, exe or wsh, replaces the file with a copy of itself under the original file name plus a ".vbs" extension. It also checks whether a file name contains "Norton" and, if so, replaces that file with a copy of itself.
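The persistence entries, dropped files and share names listed above are the indicators a responder would check on a suspect host. The script below is an added triage example, not Fortinet's code: it parses a dump of the Run key in the column layout that `reg query` prints (value name, type, data separated by runs of spaces), flags the value names and paths the analysis lists, and flags any Run value that launches a .vbs script or any file in a shared folder whose name hides a .vbs behind a lure extension (the "name.ext.vbs" pattern PCG0wnZ and the P2P copies both produce). The registry dump and folder listing are constructed sample input so the script runs offline; on a real host you would feed it the output of `reg query` and a directory listing.

```python
import re

# Run-key values and dropped copies named in the analysis above.
G0MEZ_RUN_VALUES = {
    "VBS_AUTO_UPDATE": r"C:\WINDOWS\System32\VBS_Update-0548656X.vbs",
    "FIX": r"C:\WINDOWS\WinFIX1.0.vbs",
    "UPDATE": r"C:\WINDOWS\WinUpdater5.0.vbs",
    "ICQ": r"C:\ICQNET.vbs",
    "G0mez": r"C:\WINDOWS\Systems32\G0mez.vbs",
}

# Names the worm uses when it copies itself into P2P shared folders.
G0MEZ_SHARE_NAMES = {
    "Porno-Pic.Jpg.vbs", "Cool-Games.Exe.vbs", "IN-DA-CLUB.Mp3.vbs",
    "SecretFBIDocs.doc.vbs", "HowToRipDVDs.txt.vbs", "PORNO.mpg.vbs",
    "COOL-GAMES.exe.vbs",
}

# Generic heuristic: a short lure extension followed by .vbs (double extension).
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.vbs$", re.IGNORECASE)

# Constructed sample of a `reg query` dump of the Run key (not from a real host).
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VBS_AUTO_UPDATE    REG_SZ    C:\WINDOWS\System32\VBS_Update-0548656X.vbs
    ICQ    REG_SZ    C:\ICQNET.vbs
    Backup    REG_SZ    C:\Tools\backup.vbs
"""

# Constructed sample listing of a P2P shared folder.
SAMPLE_SHARE = ["Porno-Pic.Jpg.vbs", "holiday.jpg", "Setup.exe",
                "IN-DA-CLUB.Mp3.vbs", "song.mp3.vbs", "readme.txt"]


def parse_run_key(text):
    """Return {value_name: data} from a reg-query style dump; key-path lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("HKEY"):
            continue
        parts = re.split(r"\s{2,}|\t", line)   # data may contain single spaces
        if len(parts) >= 3:
            entries[parts[0]] = parts[2]
    return entries


def check_run_key(entries):
    """Flag known G0mez persistence values and any Run value that launches a .vbs."""
    known_paths = {p.lower() for p in G0MEZ_RUN_VALUES.values()}
    findings = []
    for name, data in entries.items():
        if name in G0MEZ_RUN_VALUES or data.lower() in known_paths:
            findings.append((name, data, "known G0mez persistence entry"))
        elif data.lower().endswith(".vbs"):
            findings.append((name, data, "Run entry launches a .vbs script; review manually"))
    return findings


def check_shared_folder(names):
    """Flag known G0mez share names and double-extension .vbs files in a folder listing."""
    known = {n.lower() for n in G0MEZ_SHARE_NAMES}
    findings = []
    for name in names:
        if name.lower() in known:
            findings.append((name, "known G0mez share name"))
        elif DOUBLE_EXT_RE.search(name):
            findings.append((name, "double extension hiding a .vbs"))
    return findings


def triage(reg_text, share_listing):
    """Run both checks and return a small report dict."""
    return {
        "run_key": check_run_key(parse_run_key(reg_text)),
        "shared_folder": check_shared_folder(share_listing),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_SHARE)
    for section, hits in report.items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

The generic rules (a Run value pointing at a .vbs, a double extension ending in .vbs) deliberately catch more than this one worm, so a hit from them is a lead to review rather than a confirmed infection; only the exact name and path matches correspond to the indicators in the analysis.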

Recommended Action

Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.