Sophos

W32/GFail-A


Summary

How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from December 2006 (4.12)
Protection available since 2 November 2006 07:40:49 (GMT)
Detected by All Sophos products

More Information

W32/GFail-A is a proof-of-concept mass-mailing worm for the Windows platform.

When first run W32/GFail-A displays the following fake warning message box:

'The Gmail Notifier update (1.0.26.0) has been successfully installed! You can now log in to your Gmail account.'

W32/GFail-A then copies itself to <System>\GNOTIFY.exe.

The following registry entry is set so that the worm runs at startup (the value name is a random ClassID):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(random ClassID)
<System>\GNOTIFY.EXE

The following registry entry is also set:

HKCU\Software\Google\Gmail Notifier
UpdateInstalled
1

W32/GFail-A includes functionality to send itself via email to harvested email addresses. However, when tested, this functionality did not appear to be implemented properly in this variant, so the worm does not spread in its current form.

The email routine is designed to create messages in the following format, with details filled in to make them look authentic:

Subject line:

'Critical patch for Gmail Notifier and Gmail web services!'

Message text:

'Dear User,
,due to the recent discoveries of a password vulnerability in Gmail Notifier and a HTML-weakness on the Gmail website, we've after due consideration decided to release an update by e-mail to ensure that our customers are updated with the latest protection.

Please consult the attachment for more information. The details can be found below.

Sincerely,

The Gmail Team'

The attached file (a copy of the worm) has a filename chosen from:

GmailFix.rar
GmailUpdate.rar
GmailHotfix.rar
GmailPatch.rar
GmailUpdate.exe
gnotify.exe
GmailHotfix.exe
GmailUpdater.exe
gmailupd.exe
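As an added example (not part of the Sophos description), the following Python triage script checks a registry export for the two entries listed above (the Run value pointing at <System>\GNOTIFY.EXE and the UpdateInstalled marker) and screens a message against the lure subject and attachment filenames. The .reg text and the GUID in it are constructed for this example. The page only says the Run value is named with a random ClassID, so matching a braced-GUID value name is an assumption, as is treating either `system32` or `system` as the <System> directory.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above (key paths written as 'reg export' prints them).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Google\Gmail Notifier"
LURE_SUBJECT = "Critical patch for Gmail Notifier and Gmail web services!"
LURE_ATTACHMENTS = {
    "gmailfix.rar", "gmailupdate.rar", "gmailhotfix.rar", "gmailpatch.rar",
    "gmailupdate.exe", "gnotify.exe", "gmailhotfix.exe", "gmailupdater.exe",
    "gmailupd.exe",
}
# The page only says the Run value is named with a "random ClassID"; assuming it is
# written as a braced GUID is an interpretation, not something the page states.
CLSID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM_DIRS = {"system32", "system"}  # assumed spellings of <System>

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside names and string data.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Minimal parser for 'reg export' (.reg version 5) text -> {key: {name: value}}.

    Handles REG_SZ ("...") and REG_DWORD (dword:XXXXXXXX); other types are kept raw.
    """
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            value = int(rhs[6:], 16)
        else:
            value = rhs
        hives[current][name] = value
    return hives


def find_gfail_persistence(hives):
    """Return (severity, detail) findings for the Run value and the marker described above."""
    findings = []
    for name, value in hives.get(RUN_KEY, {}).items():
        if not isinstance(value, str):
            continue
        exe = PureWindowsPath(value.strip().strip('"'))
        # The filename alone is a weak signal: the worm borrows Gmail Notifier's name.
        # The page's indicator is gnotify.exe in the System directory, launched from Run.
        if exe.name.lower() == "gnotify.exe" and exe.parent.name.lower() in SYSTEM_DIRS:
            severity = "high" if CLSID_NAME.match(name) else "medium"
            findings.append((severity, f"Run value {name} -> {value}"))
    if hives.get(MARKER_KEY, {}).get("UpdateInstalled") == 1:
        findings.append(("medium", f"{MARKER_KEY}\\UpdateInstalled = 1"))
    return findings


def score_lure(subject, attachment_name):
    """Reasons a message matches the lure format above; an empty list means no match."""
    reasons = []
    if subject.strip().lower() == LURE_SUBJECT.lower():
        reasons.append("subject matches GFail lure")
    if attachment_name and attachment_name.lower() in LURE_ATTACHMENTS:
        reasons.append(f"attachment {attachment_name} is a GFail filename")
    return reasons


# Constructed sample export: one benign Run entry, the worm's Run entry under a
# made-up GUID, and the UpdateInstalled marker.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{0D0A1B2C-3D4E-4F5A-9B8C-7D6E5F4A3B2C}"="C:\\WINDOWS\\system32\\GNOTIFY.EXE"

[HKEY_CURRENT_USER\Software\Google\Gmail Notifier]
"UpdateInstalled"=dword:00000001
'''

if __name__ == "__main__":
    for severity, detail in find_gfail_persistence(parse_reg_export(SAMPLE_REG)):
        print(severity.upper(), detail)
    print(score_lure(LURE_SUBJECT, "GmailHotfix.rar"))
```

Run on a real host you would feed it the output of `reg export` for the two keys; the location check matters because a copy of gnotify.exe outside the System directory is not the indicator this description gives.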

W32/GFail-A also attempts to harvest usernames and passwords for Gmail webmail accounts by displaying a fake login screen with the title 'Gmail Notifier' and the text 'Please log in to your Gmail Account'.

W32/GFail-A includes functionality to disable anti-virus, security- and system-related processes.