March 20th, 2002, 04:34 PM
March 19 Alerts
Discovered on: March 19, 2002
Last Updated on: March 19, 2002 at 06:33:07 PM PST
W32.Atram@mm is a mass mailing worm that uses its own SMTP engine. Upon execution the worm will copy itself to "C:\WINDOWS\dllmgr.exe". It will also display 7 Message Boxes in Italian.
Also Known As: W32.Atram@mm, I-Worm.Borzella, Win32/Borzella.Worm, WORM_PORKIS.A, Win32.Storielle
Discovery Date: 03/18/2002
Length: Varies on target file, average size increase 6300
SubType: File Infector
The W32/Gemi virus is a direct infection virus. After running a single infected file, the virus will search all suitable files to infect on the local machine. Target files are 32 bit PE (Portable Executable) files, such as .EXE .DLL .SCR. The virus adds its code to the target files, usually at the end of the file. A string "gemini" is visible in these files.
The virus drops a file called "GEMINI.EXE" in the "\windows" directory. For example \windows\gemini.exe on win9x based systems, and \winnt\gemini.exe for Win2000 based systems.
During testing, the filesize of the dropped gemini.exe was 2788 bytes, but the actual filesize may be dependent on disk layout.
The viral process is visible in the task manager as "gemini".
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
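An added example, not part of the original post or the vendor alerts: a Python check that walks a directory tree for the indicators the alerts name (the dropped file names in the Windows directory, and the "gemini" string inside 32-bit PE files). The function names, the case-insensitive match and the constructed PE stub are assumptions of this example, and a bare string match will also flag unrelated files that contain the word.

```python
import os
import struct
import sys

# Indicators quoted in the alerts; the scan logic around them is this example's own.
DROPPED = {"dllmgr.exe": "W32.Atram@mm", "gemini.exe": "W32/Gemi"}
WINDOWS_DIRS = {"windows", "winnt"}
TARGET_EXTS = (".exe", ".dll", ".scr")
MARKER = b"gemini"  # case-insensitive matching is an assumption

def is_pe32(data):
    """MZ header -> e_lfanew -> 'PE\\0\\0' -> optional-header magic 0x10b (PE32)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", data, opt)[0] == 0x10B

def constructed_pe32(tail=b""):
    """Constructed sample: the smallest header is_pe32() accepts, plus a tail."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", 0x10B) + tail

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_windir = os.path.basename(dirpath).lower() in WINDOWS_DIRS
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if in_windir and name.lower() in DROPPED:
                hits.append((rel, "dropped-name:" + DROPPED[name.lower()]))
            if name.lower().endswith(TARGET_EXTS):
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # locked or unreadable file: skip, do not abort the scan
                if is_pe32(data) and MARKER in data.lower():
                    hits.append((rel, "pe32-marker:W32/Gemi"))
    return sorted(hits)

if __name__ == "__main__":
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, rel)
```

A hit is a lead for an antivirus scan with current definitions, not a verdict.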
March 20th, 2002, 06:53 PM
Thanks for the info, zigar! It's always nice to come here and see up-to-date alerts from you. Especially on the MS forum.