Worm:Win32/Gegitoub.B
First posted on 23 August 2010.
Source: SecurityHome
Aliases :
Worm:Win32/Gegitoub.B is also known as IM-Worm.Win32.QiMiral.ax (Kaspersky), Worm.QiMiral.AF (VirusBuster), Win32.HLLW.Natchs (Dr.Web), Win32/QiMiral.AC (ESET), Trj/Spybot.AJX (Panda), TSPY_SNATCHER.A (Trend Micro).
Explanation :
Worm:Win32/Gegitoub.B is a worm that spreads via the instant messaging program ICQ. It can hold a pseudo-conversation with the infected user's contacts, replying with canned statements chosen according to keywords found in the contact's messages.
Installation
Worm:Win32/Gegitoub.B may arrive on the computer posing as a game, using the file name "snatch.exe". On execution it displays a splash page (not reproduced here) and proceeds with its malicious routines.

Spreads via...
Instant messaging programs
Worm:Win32/Gegitoub.B attempts to send a copy of itself as a message attachment to all of the user's contacts in the ICQ chat application. It connects to the ICQ server at the address 64.12.201.185. It then inspects the contacts' replies for a set of Cyrillic strings or substrings and answers with a corresponding canned message that appears to come from the infected ICQ user. The triggers are matched as substrings, which is why fragments such as "ринимает" (matching both "принимает" and "не принимает") appear in the list below. Approximate English translations are given in brackets.

If the contact's reply contains any of: троян (Trojan), трой (fragment of "Trojan"), вирь (slang fragment of "virus"), вирус (virus)
the worm replies with one of:
  "нет, что ты? как можно?! )" (no, what are you saying? how could I?! )
  "нет, глянь )))" (no, take a look )))

If the contact's reply contains any of: чито, що, шо, че, чё, чо, что (all colloquial or dialect variants of "what")
the worm replies with one of:
  "ну мини игра типа )" (well, it's a mini game, sort of )
  "глянь ))" (take a look ))

If the contact's reply contains any of: не могу (I can't), ринимает (fragment of "принимает", accepts / doesn't accept)
the worm replies with:
  "включи в настройках передачу файлов )" (enable file transfer in the settings )

If the contact's reply contains any of: ахуя (vulgar "what the hell"), ачем (fragment of "зачем", what for)
the worm replies with:
  "а зачем рыбе велосипед? )" (and what does a fish need a bicycle for? )

If the contact's reply contains any of: Бот, бот (bot)
the worm replies with:
  "эээ… сам ты бот =\" (er... you're the bot yourself =\)

If the contact's reply contains any of: Сейчас, сейчас (now), Теперь, теперь (now), Пробуй (try), Ану, ану (come on), Передай, передай (send it), Передавай, передавай (send it), Кидай, кидай (throw it over / send it), Кинь, кинь (throw it over / send it), Опять, опять (again), Снова, снова (again), Еще, еще (more / once more)
the worm replies with this statement: file

If the contact's reply contains: спам (spam)
the worm replies with:
  "где это видано чтоб спаммеры файлы слали? это я шлю!" (where have you ever seen spammers send files? it's me sending it!)
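The trigger/reply table above is, in effect, a small rule engine: each incoming message is checked for substrings and the first matching rule selects a canned answer. The following Python is an added illustration for analysts, not the worm's own code. It transcribes the triggers and replies listed in this write-up, and uses them for two things: reproducing the matching to see how noisy the substring triggers are, and scanning a chat transcript for accounts that emit the worm's fixed replies. The rule ordering, lower-casing of the message (the write-up lists upper- and lower-case variants separately, suggesting the worm itself is case-sensitive), the `sender: text` transcript format and the sample transcript are all assumptions made here.

```python
# -*- coding: utf-8 -*-
"""Model of the keyword-triggered auto-reply logic described for
Worm:Win32/Gegitoub.B, for analysis and detection. Added example, not the
worm's code. Trigger and reply strings are transcribed from the write-up;
rule order, case folding and the transcript format are assumptions."""

from typing import FrozenSet, List, Optional, Tuple

# (rule name, trigger substrings, canned replies). The "ринимает" fragment is
# deliberate: as a substring it matches both "принимает" and "не принимает".
RULES: List[Tuple[str, Tuple[str, ...], Tuple[str, ...]]] = [
    ("suspects_malware", ("троян", "трой", "вирь", "вирус"),
     ("нет, что ты? как можно?! )", "нет, глянь )))")),
    ("asks_what", ("чито", "що", "шо", "че", "чё", "чо", "что"),
     ("ну мини игра типа )", "глянь ))")),
    ("cannot_receive", ("не могу", "ринимает"),
     ("включи в настройках передачу файлов )",)),
    ("asks_why", ("ахуя", "ачем"),
     ("а зачем рыбе велосипед? )",)),
    ("calls_bot", ("бот",),
     ("эээ… сам ты бот =\\",)),
    ("asks_resend", ("сейчас", "теперь", "пробуй", "ану", "передай",
                     "передавай", "кидай", "кинь", "опять", "снова", "еще"),
     ("file",)),  # the write-up lists the reply only as "file"
    ("calls_spam", ("спам",),
     ("где это видано чтоб спаммеры файлы слали? это я шлю!",)),
]


def classify_trigger(message: str) -> Optional[str]:
    """Return the name of the first rule whose trigger occurs in the message.

    Case folding is an assumption; first-match ordering follows RULES.
    """
    text = message.lower()
    for name, triggers, _replies in RULES:
        if any(trigger in text for trigger in triggers):
            return name
    return None


def canned_replies(rule_name: str) -> Tuple[str, ...]:
    """Return the fixed replies the worm may send for a given rule."""
    for name, _triggers, replies in RULES:
        if name == rule_name:
            return replies
    return ()


def worm_reply_set() -> FrozenSet[str]:
    """All canned replies, usable as exact-match indicators in transcripts."""
    return frozenset(r for _name, _triggers, replies in RULES for r in replies)


def scan_transcript(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag (sender, text) pairs where the text is verbatim a worm reply.

    Assumed transcript format: "sender: message text" per line. Unlike the
    substring triggers, the canned replies are long and specific, so exact
    matches on them are the reliable indicator of an infected account.
    """
    replies = worm_reply_set()
    hits = []
    for line in lines:
        sender, sep, text = line.partition(": ")
        if sep and text.strip() in replies:
            hits.append((sender.strip(), text.strip()))
    return hits


def infected_senders(lines: List[str]) -> FrozenSet[str]:
    """Distinct senders that emitted at least one canned worm reply."""
    return frozenset(sender for sender, _text in scan_transcript(lines))


# Constructed sample transcript (not a real capture): "alice" behaves like
# an infected account, "bob" is a clean contact.
SAMPLE_TRANSCRIPT = [
    "contact: это что, троян?",
    "alice: нет, глянь )))",
    "contact: не принимает файл",
    "alice: включи в настройках передачу файлов )",
    "contact: ты бот?",
    "alice: эээ… сам ты бот =\\",
    "bob: пошли в кино вечером?",
]

if __name__ == "__main__":
    for line in SAMPLE_TRANSCRIPT:
        print(f"{line!r:60} -> trigger={classify_trigger(line.partition(': ')[2])}")
    print("infected:", sorted(infected_senders(SAMPLE_TRANSCRIPT)))
```

Running the model over the sample shows why the triggers alone are a poor detection signal: the innocent "пошли в кино вечером?" fires the `asks_what` rule because "вечером" contains "че". Hunting for infected accounts should therefore key on the verbatim canned replies (`scan_transcript`), and on the process-termination behaviour described under Payload, rather than on the trigger words.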
Payload
Terminates processes
Worm:Win32/Gegitoub.B searches for and terminates the following processes, which belong to instant messenger applications, if they are found:
  icq.exe
  qip.exe
  infium.exe
Analysis by Marianne Mallen
Last update 23 August 2010