VBS/G0mez.A-mm is a Visual Basic Script mass-mailer worm. It propagates by sending email to every Microsoft Outlook email address stored on an infected computer. It can also propagate through music-sharing (peer-to-peer) programs.
The email has the subject "Re: Hello", the body "Hey There :-)" and the attachment Hello.vbs. Once this file is executed, it decrypts itself using a number-to-character translation. It then spawns by copying itself to the following files:
After copying, it inserts entries into the registry so that it is executed automatically at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    VBS_AUTO_UPDATE = C:\WINDOWS\System32\VBS_Update-0548656X.vbs
    FIX = C:\WINDOWS\WinFIX1.0.vbs
    UPDATE = C:\WINDOWS\WinUpdater5.0.vbs
    ICQ = C:\ICQNET.vbs
    G0mez = C:\WINDOWS\Systems32\G0mez.vbs
Then the script disables the registry editors Regedt32.exe and Regedit.exe. With a probability of 1 in 4, it displays a message box with the title "This is the w0rk 0f g0mez" and the message "Y0ur c0mputer has been infected by G0mez!."
VBS/G0mez.A-mm propagates through music-sharing programs by copying itself into the shared folders of the following programs, using the following file names:
With a further probability of 1 in 3, it creates a file named "Warning.txt" in the root directory of drive C and opens it in a text editor. The content of the file is:
You have been infected by G0mez!"
Go to any AV sites and update you AV software !!!
- Best Regards: G0mez Author
With a probability of 1 in 3, the virus attempts to shut down the machine by sending a shutdown message to the system.
The last step of the script is a call to a procedure named "PCG0wnZ()". This procedure recursively walks all sub-folders. For every file with the extension dll, vbs, vbe, exe or wsh, it overwrites the file with a copy of itself, saved under the original file name with an additional ".vbs" extension. It also checks each file name for "Norton" and replaces any matching file with a copy of itself.
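As an added defender-side example (not part of the original description), the following Python script checks an exported Run key and a file listing for the artifacts described above: the Run-key value names and paths installed by the worm, the "name.exe.vbs"-style files left behind by PCG0wnZ(), and .vbs files carrying "Norton" in their name. The .reg export layout, the assumption that Norton replacements also end in ".vbs", and all sample data are constructed for this example.

```python
"""Offline triage for VBS/G0mez.A-mm artifacts (added example, not from the advisory).

Inputs are a text export of the HKLM Run key (as written by `reg export`) and a list of
file paths gathered from the host. The sample data at the bottom is constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Run-key values listed in the description: value name -> path the worm writes.
G0MEZ_RUN_VALUES = {
    "VBS_AUTO_UPDATE": r"C:\WINDOWS\System32\VBS_Update-0548656X.vbs",
    "FIX": r"C:\WINDOWS\WinFIX1.0.vbs",
    "UPDATE": r"C:\WINDOWS\WinUpdater5.0.vbs",
    "ICQ": r"C:\ICQNET.vbs",
    "G0mez": r"C:\WINDOWS\Systems32\G0mez.vbs",
}
KNOWN_PATHS = {p.lower() for p in G0MEZ_RUN_VALUES.values()}

# PCG0wnZ() keeps the original name and appends ".vbs", so "app.exe.vbs" is the tell-tale shape.
TARGET_EXTS = ("dll", "vbs", "vbe", "exe", "wsh")
DOUBLE_EXT_RE = re.compile(r"\.(%s)\.vbs$" % "|".join(TARGET_EXTS), re.IGNORECASE)


def parse_reg_export(text):
    """Return {value_name: data} for string values under the Run key of a .reg export."""
    values = {}
    in_run = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes in REG_SZ data as "\\".
            data = data[1:-1].replace("\\\\", "\\")
        values[name] = data
    return values


def find_run_indicators(values):
    """Match Run-key values against the worm's value names and paths.

    Returns (name, data, confidence) tuples; "name" alone (e.g. a legitimate UPDATE
    value) is low confidence and should be inspected manually.
    """
    hits = []
    for name, data in values.items():
        known_path = G0MEZ_RUN_VALUES.get(name)
        if known_path and data.lower() == known_path.lower():
            hits.append((name, data, "name+path"))
        elif data.lower() in KNOWN_PATHS:
            hits.append((name, data, "path"))
        elif known_path:
            hits.append((name, data, "name"))
    return hits


def find_overwritten_files(paths):
    """Flag files shaped like <name>.<dll|vbs|vbe|exe|wsh>.vbs, plus Norton-named .vbs files.

    The Norton rule assumes the replaced file also ends in ".vbs" (assumption, not stated
    in the description).
    """
    hits = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if DOUBLE_EXT_RE.search(base):
            hits.append((path, "double-extension"))
        elif "norton" in base.lower() and base.lower().endswith(".vbs"):
            hits.append((path, "norton-name"))
    return hits


# Constructed sample inputs: one clean Run value, two worm values, one legitimate value
# that merely reuses the name "UPDATE", and a handful of file paths.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VBS_AUTO_UPDATE"="C:\\WINDOWS\\System32\\VBS_Update-0548656X.vbs"
"ICQ"="C:\\ICQNET.vbs"
"UPDATE"="C:\\Program Files\\Vendor\\updater.exe"
'''
SAMPLE_PATHS = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\notepad.exe.vbs",
    r"C:\Program Files\App\helper.dll.vbs",
    r"C:\Program Files\Norton\Norton.vbs",
    r"C:\docs\report.txt",
    r"C:\WINDOWS\WinFIX1.0.vbs",
]

if __name__ == "__main__":
    for hit in find_run_indicators(parse_reg_export(SAMPLE_REG)):
        print("RUN  ", hit)
    for hit in find_overwritten_files(SAMPLE_PATHS):
        print("FILE ", hit)
```

On a real host, feed the script the output of `reg export` for the Run key and a recursive directory listing; a "name+path" or "path" registry hit, or any double-extension file, is strong evidence of infection, while a "name"-only hit only warrants a closer look.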
Check the main screen of the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.