Summary
Galil is an email worm that appeared on 4th of December 2002. On 5th of December we also received copies of this worm packed with UPX file compressor. The worm spreads in emails as a ZIP or EXE file and a message that teases a user to run the attached file. As the worm does not use Iframe exploit, its spreading is limited.
Removal
To disinfect the worm it's enough to delete its 3 files from Windows System directory.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
The worm's file is a self-extracting archive about 80kb long, the UPX-packed version is 50kb long. When run, the worm shows a fake Flash animation:
Then the worm installs itself into Windows System folder as:
ILLEGAL.EXE - worm's own copy
MPLAYER.EXE - main worm's file
SMTP.OCX - standard Microsoft's SMTP control for Visual Basic
The main worm's file MPLAYER.EXE is written in Visual Basic and compressed with UPX, it makes itself hidden when run. The autostart Registry key is created for this MPLAYER.EXE file:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "iLLeGal" = "%WinSysDir%\Mplayer.exe"
The worm also creates a counter in the following Registry key:
[HKEY_LOCAL_MACHINE\iLLeGal]
This counter is incremented every time the worm runs. When the counter value reaches 5, the worm deletes all files on drives D:, E:, F: and G:. After that the worm shows a message:
ZaCker No Peace Without war,i hate war but im forced to love it, Hidden Power's gonna b there wherever u r
The worm searches HTM and HTML files on an infected hard drive for email addresses and stores them in MMAILS.DLL file. Then the worm gets user's email address and SMTP server name, logs into the server and sends itself out to all found email addresses. The infected message usually looks like that:
From: [user's email or User5@FBI.gov] Subject: Fw: Crazy illegal sex ! Body: Note: forwarded message attached. ------------------------------------------------------------------------ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes Forwarded Message [ Save to my Yahoo! Briefcase | Download File ] From: Sara1987@yahoo.comTo: Virgin_gurlz_N_boyz@yahoogroups.com Date: 24 Aug 2002 17:11:18 -0000 Subject: Fwd: Crazy illegal Sex ------------------------------------------------------------------------ Hii Is it really illegal in da USA? who knows :P If u have a weak heart i warn u DON'T see dis Clip. Emagine two young children havin crazy sex fo da first time togetha ! loooool i'm still wonderin where thier parents were? Good F*ck , oh sorry :" i mean Good Luck ;) Bye
The worm is attached to the infected message as ILLEGAL.EXE or ILLEGALSEX.ZIP file. There can be several copies of the worm attached to the same email.
The message body can also contain a random text file that the worm found on an infected hard drive.
The worm does not use Iframe exploit to run its file automatically on recipients' systems. Nowdays social engineering does not work as well as it used to work before, so the worm's spreading is quite limited as many users do not run unknown files that they receive in emails.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.