This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Email-Worm:VBS/Gedza.B is a very nasty worm which performs a variety of date-triggered actions every month. It is particularly troublesome because, in addition to spreading by e-mail attachments like most e-mail worms, it is also coded to be able to use numerous other vectors, including removable media and Peer-to-Peer (P2P) networks.
Whether the individual's system is infected automatically, or requires the individual to perform some action first, depends on how the worm is propagated. For example, if the worm comes in contact with the recipient's system over a network, it does not require any action from the recipient to infect the system; but if it arrives through e-mail or a Word document, the recipient must open the e-mail or document to infect the system.
Upon execution, the worm will install various files on the system, including an EXE file which is an antivirus program disabler and a zipped copy of the worm itself, which is the version sent out to e-mail addresses harvested from the infected system. It also makes a variety of registry key changes designed to allow the malware to run on every startup; to lower the Excel and Word programs security levels; and to disable further registry editing.
Once installed, the worm appears to launch an innocuous image of Avril Lavigne. On certain dates every month however, the worm will perform a certain action, with different actions performed on different dates.
On the 3rd of every month:
On the 11th of every month:
On the 19th of every month:
On the 26th of every month:
On the 29th of every month:
The worm causes the user's browser to open at the website https://www.avril-lavigne.com.
In addition to the various annoying date-triggered actions, the worm causes trouble by spreading through a exceptionally large number of ways.
1) It can spread through disks and removable drives by:
2) It can spread through e-mail by:
3) It can spread through Peer-to-Peer (P2P) networks by:
4) It can spread through networks by:
5) It can spread through IIS servers by:
6) It can spread through Excel and Word by:
7) It can spread through mIRC by:
Creates these files:
Modified these files:
Sets these values: