Gaggle is a mass-mailing worm that infects HTML files, overwrites VBS files, configures Outlook Express to use an infected file for a signature, spreads via mIRC, and deletes system files.
It arrives in an email message in two forms:
- Embedded in an email message: the virus can exploit the old scriptlet.typelib/Eyedog vulnerability in Internet Explorer. When received in the body of an email message, the virus runs automatically as soon as the infected message is viewed on a vulnerable system. The virus then copies itself to the Start Up folder as an HTML application file, Gaghiel.hta. When this .HTA file is run, it performs the same actions described below for the .HTML version.
- As an email attachment: the virus can arrive as an attachment to an email message.
When the HTML virus attachment is accessed, an ActiveX warning message may appear; if the user selects No, another message is displayed.
If the user allows the script to run, the virus checks for the presence of the .HTA version of the worm in the Start Up folder. If it exists, the WININIT.INI file is configured to delete the HTA file upon restart. The virus then copies itself to the Windows directory as Gaghiel.html and Default.sfc, and to the Windows System directory as Gaghiel.vbs and AngelDelMar.html. Two registry keys are created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Gaghiel=C:\WINDOWS\SYSTEM\Gaghiel.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Domain Manager\Gaghiel=C:\WINDOWS\SYSTEM\Gaghiel.vbs
Each address in the Outlook address book is sent the virus using Microsoft Outlook and then logged in the registry:
HKEY_CURRENT_USER\Software\Microsoft\GHSetup\%recipient's name%= LCL
Microsoft Outlook Express is configured to send messages in HTML format and to use the file %WinDir%\Gaghiel.html as the default stationery.

Via Internet Relay Chat
The virus creates a SCRIPT.INI file that uses mIRC to send itself to IRC users who join the channel of the infected user. A message is sent to the user:
Message: Hola, Crees en lo Paranormal?, si no mira la pagina que te enviamos y visita www.gratisweb.com/[blocked] (Spanish: "Hello, do you believe in the paranormal? If not, look at the page we sent you and visit www.gratisweb.com/[blocked]")
File: C:\WINDOWS\SYSTEM\AngeldelMar.html

File infection
The virus appends itself to .ASP, .HTA, .HTM, and .HTML files and prepends the text Gaghiel to them. It also overwrites all .VBS files.

Payloads
At random, the virus deletes files with the following extensions:
- TLB and
It also deletes the following files:
If the month and the day of the month added together equal thirty, the virus displays a message box; if the day of the month is greater than 25, the virus sets the default Internet Explorer start page to www.gratisweb.com\[blocked].
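As an added example (not from the original write-up or from any vendor tool), the following Python triage helper matches a constructed registry and file snapshot against the persistence, recipient-log, mIRC and file-infection artifacts described above. The snapshot layout and the check that an infected HTML-type file begins with the text Gaghiel are assumptions.

```python
"""Triage helper for the Gaggle/Gaghiel artifacts described in the write-up.

Assumed input shape (added example, not vendor code):
  registry: {full_key_path: value}  snapshot of Run and GHSetup entries
  files:    {path: leading_text}     snapshot of candidate files on disk
"""
import re
from typing import Dict, List

# Both autorun locations from the write-up end in "...\Run<something>\Gaghiel".
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run[^\\]*\\Gaghiel$", re.IGNORECASE)
GHSETUP_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\GHSetup\\", re.IGNORECASE)
DROPPED_NAMES = {"gaghiel.html", "default.sfc", "gaghiel.vbs", "angeldelmar.html", "gaghiel.hta"}
INFECTABLE_EXT = (".asp", ".hta", ".htm", ".html")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def html_looks_infected(content: str) -> bool:
    """Assumed marker: infected HTML-type files are prepended with the text 'Gaghiel'."""
    return content.lstrip().startswith("Gaghiel")

def assess_host(registry: Dict[str, str], files: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    for key, value in registry.items():
        if RUN_VALUE_RE.search(key) and _basename(str(value)) == "gaghiel.vbs":
            findings.append(f"autorun: {key} -> {value}")
        elif GHSETUP_RE.match(key) and str(value).strip() == "LCL":
            findings.append(f"mailed-recipient log: {key}")  # one entry per address mailed
    for path, content in files.items():
        name = _basename(path)
        if name in DROPPED_NAMES:
            findings.append(f"dropped file: {path}")
        elif name == "script.ini" and "angeldelmar.html" in content.lower():
            findings.append(f"mIRC spreader: {path}")
        elif name.endswith(INFECTABLE_EXT) and html_looks_infected(content):
            findings.append(f"infected file: {path}")
    return findings

# Constructed snapshot: two true positives per category plus a benign Run entry and a clean page.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Gaghiel": r"C:\WINDOWS\SYSTEM\Gaghiel.vbs",
    r"HKEY_CURRENT_USER\Software\Microsoft\GHSetup\alice": "LCL",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Updater\upd.exe",
}
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\Gaghiel.vbs": "' constructed placeholder content",
    r"C:\mIRC\script.ini": "[script]\n; constructed: references the dropped file C:\\WINDOWS\\SYSTEM\\AngeldelMar.html",
    r"C:\www\index.html": "Gaghiel\n<html><body>constructed infected page</body></html>",
    r"C:\www\about.htm": "<html><body>constructed clean page</body></html>",
}

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```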