VBS/Gaggle@MM

This VBScript mass-mailing worm infects HTML files, overwrites VBS files, configures Outlook Express to use an infected file for a signature, spreads via mIRC, and deletes system files. It arrives in an email message in two forms:

Embedded in an email message:
The virus can exploit the old scriptlet.typelib/Eyedog vulnerability in Internet Explorer. When received in the body of an email message, the virus will automatically run upon viewing the infected message on a vulnerable system. The virus will then copy itself to the Start Up folder as an HTML application file, Gaghiel.hta. When this .HTA file is run, it performs the actions described below, when the .HTML version is run.

As an email attachment:
The virus can arrive in an email message containing the following information:

Subject: Efectos en web
Body: Hola, te envio esta pagina, tiene unos muy buenos efectos, a mi me sorprendio
Te escribo luego, hay una cosa que quiero contarte.
Adios
or
Subject: Descargas gratis
Body: Hola, encontre una pagina en la que se puede descargar gran variedad
de cosas, como musica, programas y libros; la descarga es gratis
claro que hay que aguantar un poco de publicidad pero es buena pagina.
Te envio una parte de la pagina que descargue para que veas,
a tiene efectos y hay que aceptar el cuadro que da, sino no carga.
Luego te escribo, Adios
or
Subject: Revista virtual
Body: Hola, te envio el prospecto de suscripcion de una buena revista virtual,
la revista llega a tu email y se puede leer como pagina web
la pagina de suscripcion es interactiva, mirala a ver que te parece. Adios
or
Subject: Articulo
Body: Te envio este articulo que encontre en internet, es interesante y tal vez te sirva,he estado un poco ocupado, luego te cuento.
Adios
or
Subject: Correo Seguro
Body: Estaba navegando en internet, y en una pagina
vi un anuncio de una empresa de antivirus
que revisaba si habia virus en el buzon de correo del servidor
antes de que llege a tu computadora, la ventaja es que
a diferencia de los antivirus caseros que no detectan virus nuevos
ellos si los detectan ya que su base de datos esta actualizada
a cada instante, hay mas detalles en la pagina que te envio,
leela a ver que te parece, el servicio es gratis
Adios y hasta pronto

Attachment: Angeldel.html

When the HTML virus attachment is accessed an ActiveX warning message may appear:

If the user selects NO, another message is displayed.

If the user allows the script to run, the virus checks for the presence of the .HTA versions of the worm in the Start Up folder. If it exists, the WININIT.INI file is configured to delete the HTA file upon restart. The writes a copies itself to the Windows directory as Gaghiel.html and Default.sfc, and the Windows System directory as Gaghiel.vbs and AngelDelMar.html. Two registry keys are created:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\Gaghiel=C:\WINDOWS\SYSTEM\Gaghiel.vbs
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run Domain Manager\Gaghiel=C:\WINDOWS\SYSTEM\Gaghiel.vbs

Each address in the Outlook address book is sent the virus using Microsoft Outlook and then logged in the registry:

• HKEY_CURRENT_USER\Software\Microsoft\GHSetup\%recipient's name%= LCL

Microsoft Outlook Express is configured to send messages in HTML format, and to use the file %WinDir%\Gaghiel.html as the default stationary.

Via Internet Relay Chat

The virus creates a SCRIPT.INI file that uses mIRC to send itself to IRC user who join the channel of the infected user. A message is sent to the user:

Message: Hola, Crees en lo Paranormal?, si no mira la pagina que te enviamos y visita www.gratisweb.com/[blocked]
File: C:\WINDOWS\SYSTEM\AngeldelMar.html

File infection
The virus will append .ASP, .HTA, .HTM, and .HTML files while prepending the files with the text Gaghiel. The virus also overwrites all .VBS files.

Payloads

At random, the virus will delete files using the following extensions:

• CHI
• CHM
• CPP
• CTL
• DLL
• EXE
• H
• HLP
• ICO
• RGS
• TLB
• XLA

It also deletes the following files:

• MSCONFIG.*
• REGEDIT.*
• SFC.*

If the month + the day = 30, the virus displays a message box:

If the day of the month is greater than 25, the virus sets the default Internet Explorer start page to:
www.gratisweb.com\[blocked]

Presence of Gaghiel.vbs in the WINDOWS SYSTEM directory and Gaghiel.html in the WINDOWS directory.

The virus spreads via IRC, email, and file infection. It spreads Microsoft Outlook Express, exploiting the scriptlet.typelib/Eyedog vulnerability, or by sending itself through Microsoft Outlook as an attached HTML document. In embedded form, the virus will get executed simply when the message is read, on vulnerable systems.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue 'fixmbr' command to restore the Master Boot Record
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.