This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Email-Worm:VBS/Gedza.B is a very nasty worm which performs a variety of date-triggered actions every month. It is particularly troublesome because, in addition to spreading by email attachments like most email worms, it is also coded to be able to use numerous other vectors, including removable media and Peer-to-Peer (P2P) networks.
Whether the individual's system is infected automatically, or requires the individual to perform some action first, depends on how the worm is propagated. For example, if the worm comes in contact with the recipient's system over a network, it does not require any action from the recipient to infect the system; but if it arrives through email or a Word document, the recipient must open the email or document to infect the system.
Upon execution, the worm will install various files on the system, including an EXE file which is an antivirus program disabler and a zipped copy of the worm itself, which is the version sent out to email addresses harvested from the infected system. It also makes a variety of registry key changes designed to allow the malware to run on every startup; to lower the Excel and Word programs security levels; and to disable further registry editing.
Once installed, the worm appears to launch an innocuous image of Avril Lavigne. On certain dates every month however, the worm will perform a certain action, with different actions performed on different dates.
On the 3rd of every month:
On the 11th of every month:
On the 19th of every month:
On the 26th of every month:
On the 29th of every month:
The worm causes the user's browser to open at the website https://www.avril-lavigne.com.
In addition to the various annoying date-triggered actions, the worm causes trouble by spreading through a exceptionally large number of ways.
1) It can spread through disks and removable drives by:
2) It can spread through email by:
3) It can spread through Peer-to-Peer (P2P) networks by:
4) It can spread through networks by:
5) It can spread through IIS servers by:
6) It can spread through Excel and Word by:
7) It can spread through mIRC by:
Creates these files:
Modified these files:
Sets these values: