W32/PetLil@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 06/02/2002
Length: 37,376 bytes
Minimum DAT: 4207 (06/12/2002)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 06/03/2002
Description Modified: 09/18/2002 10:04 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This threat is detected as New Worm with the 4150 DATs, or newer, when running with program heuristics enabled. The 4207 DATs will detect it as W32/PetLil@MM.

When run on the 1st, 15th, or 31st of the month, the worm displays a picture of a half-naked woman. On any other day, it displays a message box.

All addresses found in the Microsoft Outlook Address book are sent a message with the following information:

Subject: XXX Picture...
Body: A pretty girl waits for you. Click on attached file...
Attachment: XXXPic.exe

The worm copies itself to C:\XXXPic.exe. It also searches the Windows, Windows system, and My Documents directories for files with the extension .vbs, .htm, .doc, .xls, .bmp, .gif, .jpg, .pdf, or .js. For each file found, it copies itself under that file's name with an .exe extension. It adds an entry for every file dropped under the following registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
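
A triage sketch built from the indicators above, added here as an example and not part of the original description or of any vendor tool. The function names are hypothetical, the directory walk is recursive as an assumption, and the Run-key values are passed in as an exported name-to-command mapping so the check runs offline.

```python
import os

WORM_SIZE = 37_376             # "Length" field of this description
FIXED_DROP = r"C:\XXXPic.exe"  # fixed copy named under Symptoms
LURE_EXTS = {".vbs", ".htm", ".doc", ".xls", ".bmp", ".gif", ".jpg", ".pdf", ".js"}


def find_suspect_copies(roots):
    """Return sorted paths of worm-sized .exe files named after a sibling lure file."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            present = {f.lower() for f in files}
            for name in files:
                stem, ext = os.path.splitext(name.lower())
                if ext != ".exe":
                    continue
                path = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(path) != WORM_SIZE:
                        continue
                except OSError:  # unreadable or vanished file: skip it
                    continue
                # Assumption: the page does not say whether report.doc yields
                # report.exe or report.doc.exe, so both forms are checked.
                replaced = any(stem + e in present for e in LURE_EXTS)
                appended = os.path.splitext(stem)[1] in LURE_EXTS and stem in present
                if replaced or appended:
                    hits.append(path)
    return sorted(hits)


def flag_run_values(run_values, suspect_paths):
    """run_values: {value name: command line} exported from the HKLM Run key."""
    targets = {p.lower() for p in suspect_paths} | {FIXED_DROP.lower()}
    flagged = []
    for value_name, command in run_values.items():
        exe = command.strip().lstrip('"').lower()
        if any(exe.startswith(t) for t in targets):
            flagged.append(value_name)
    return sorted(flagged)
```

The size match only holds for the 37,376-byte sample described here, so treat an empty result as inconclusive and rely on a scan with current DAT files for confirmation.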

Symptoms

Existence of C:\XXXPic.exe.

Method of Infection

This worm arrives as an email attachment. Manually executing this attachment causes the worm to send itself to all users in the Microsoft Outlook Address book using the MAPI protocol.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • WORM_GORUM.A (Trend)
