Threat Description

Galil

Details

Aliases: Galil, I-Worm.Galil, W32/Holar.c@MM, W32/Lagel.A, W32/Crillegal.A@mm
Category: Malware
Type: Worm
Platform: W32

Summary


Galil is an e-mail worm that appeared on 4th of December 2002. On 5th of December we also received copies of this worm packed with UPX file compressor. The worm spreads in e-mails as a ZIP or EXE file and a message that teases a user to run the attached file. As the worm does not use Iframe exploit, its spreading is limited.



Removal


To disinfect the worm it's enough to delete its 3 files from Windows System directory.



Technical Details


The worm's file is a self-extracting archive about 80kb long, the UPX-packed version is 50kb long. When run, the worm shows a fake Flash animation:

Then the worm installs itself into Windows System folder as:

ILLEGAL.EXE - worm's own copy

MPLAYER.EXE - main worm's file

SMTP.OCX - standard Microsoft's SMTP control for Visual Basic

The main worm's file MPLAYER.EXE is written in Visual Basic and compressed with UPX, it makes itself hidden when run. The autostart Registry key is created for this MPLAYER.EXE file:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]  "iLLeGal" = "%WinSysDir%\Mplayer.exe"  

The worm also creates a counter in the following Registry key:

[HKEY_LOCAL_MACHINE\iLLeGal]  

This counter is incremented every time the worm runs. When the counter value reaches 5, the worm deletes all files on drives D:, E:, F: and G:. After that the worm shows a message:

ZaCker  No Peace Without war,i hate war but im forced to love it,  Hidden Power's gonna b there wherever u r  

The worm searches HTM and HTML files on an infected hard drive for e-mail addresses and stores them in MMAILS.DLL file. Then the worm gets user's e-mail address and SMTP server name, logs into the server and sends itself out to all found e-mail addresses. The infected message usually looks like that:

From: [user's e-mail or User5@FBI.gov]  Subject: Fw: Crazy illegal sex !  Body:    Note: forwarded message attached.   ------------------------------------------------------------------------  Do You Yahoo!?  Yahoo! Finance - Get real-time stock quotes  Forwarded Message [ Save to my Yahoo! Briefcase  |  Download File ]    From: Sara1987@yahoo.com      To: Virgin_gurlz_N_boyz@yahoogroups.com    Date: 24 Aug 2002 17:11:18 -0000  Subject: Fwd: Crazy illegal Sex   ------------------------------------------------------------------------  Hii  Is it really illegal in da USA?  who knows :P  If u have a weak heart i warn u  DON'T see dis Clip.  Emagine two young children havin  crazy sex fo da first time togetha !  loooool i'm still wonderin where thier  parents were?  Good F*ck , oh sorry :"  i mean Good Luck ;)  Bye  

The worm is attached to the infected message as ILLEGAL.EXE or ILLEGALSEX.ZIP file. There can be several copies of the worm attached to the same e-mail.

The message body can also contain a random text file that the worm found on an infected hard drive.

The worm does not use Iframe exploit to run its file automatically on recipients' systems. Nowdays social engineering does not work as well as it used to work before, so the worm's spreading is quite limited as many users do not run unknown files that they receive in e-mails.



Detection


Detection of Galil worm is available since the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2002-12-05_02



Technical Details:Alexey Podrezov; F-Secure Corp.; December 5th, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More