W32/Gael.worm.a

This detection covers a parasitic worm virus that spreads to both host executables as well as over accessible systems on a network.  The worm also downloads and executes other files.

When run, the worm infects .EXE files on the local system, appending itself to host files.  10 threads are created to search for infectable computers on the Internet, SYN packets are sent to random IP addresses on TCP 139 (netbios).  The worm then attempts to connect to responding systems via the IPC$ and open shares to parasitically infect files remotely.

The worm also attempts to download and execute a file name dl.exe from utenti.lycos.it .  At the time of this writing the site was not responding.  However, the virus was known to fetch a downloader trojan, Downloader-ACX, which downloaded two other files:

• GAELICUM.EXE - dropper of W32/Gael.worm
• CBACK.EXE - a new remote access trojan, BackDoor-CTM

- Excessive netbios traffic emanating from infected system
- Presence of DL.EXE, GAELICUM.EXE, and CBACK.EXE

The virus does not create any registry keys or in any other way "install" itself to automatically start on system reboot.

This virus spreads via accessible network shares and by parasitically infecting existng executable files.

All Users:
Use current engine and DAT files for detection and removal.

Close the shares created by this threat:

• From the desktop, double-click My Computer
• Right-click on the C: drive and choose Sharing...
• Click the Not Shared button (or enter in the desired settings) and click OK