Win32/Galil.A is a worm that spreads as an email file attachment. It is written in Visual Basic and compressed with UPX. The size of the worm is 80 626 bytes.
The worm arrives in a message with the subject "Fwd: Crazy illegal Sex". Attached to the message is a file named iLLeGaL.exe. The body of the message contains the following text:
Hii
Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u
DON'T see dis Clip.
Emagine two young children havin
crazy sex fo da first time togetha !
oooool i'm still wonderin where thier
parents were?
Good Fuck , oh sorry :">
i mean Good Luck ;)
Bye
After the file iLLeGaL.exe is run, the worm Win32/Galil.A is activated and opens the following animated window:

After the animation completes, the following window is displayed:

Note: In the following text the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This directory may differ from installation to installation.
The worm copies itself into the directory %windir%/System under the name iLLeGaL.exe. At the same time it creates the files Mplayer.exe and SMTP.OCX in this directory. It also creates an item named iLLeGaL in the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
with the value "C:\%windir%\SYSTEM\Mplayer.exe". This key ensures that the worm
runs after the system reboots.
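The file and registry indicators above can be checked offline against artifacts collected from a suspect machine. The following is an added example, not part of the original description: it parses a regedit text export and a file listing and flags the RunServices entry and the dropped files. The function names, the constructed sample data and the use of the 80 626-byte size as a corroborating signal are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above; names compared case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
VALUE_NAME = "illegal"
DROPPED = {"illegal.exe", "mplayer.exe", "smtp.ocx"}
WORM_SIZE = 80626  # bytes
REG_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value name, string data) from a regedit text export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := REG_LINE.match(line)):
            # .reg exports escape backslashes and quotes with a backslash
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def in_system_dir(path):
    return path.parent.name.lower() == "system"

def triage(reg_text, files):
    """files: iterable of (path, size in bytes). Returns a list of findings."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        target = PureWindowsPath(data)
        hit = name.lower() == VALUE_NAME or (
            target.name.lower() == "mplayer.exe" and in_system_dir(target))
        if key.lower() == RUN_KEY and hit:
            findings.append(("autorun", name, data))
    for path, size in files:
        p = PureWindowsPath(path)
        if p.name.lower() in DROPPED and in_system_dir(p):
            note = "size match" if size == WORM_SIZE else "name only"
            findings.append(("file", path, note))
    return findings

# Constructed sample data, not captured from a real infection.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGaL"="C:\\WINDOWS\\SYSTEM\\Mplayer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\iLLeGaL.exe", 80626),
                (r"C:\WINDOWS\SYSTEM\SMTP.OCX", 12345),
                (r"C:\WINDOWS\Mplayer.exe", 150000)]
```

Calling `triage(SAMPLE_REG, SAMPLE_FILES)` returns one autorun finding and two file findings; the Mplayer.exe outside the System directory is not flagged.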
When the worm's activity is completed, it sends an email message containing a copy of itself to all acquired addresses. The body of the worm also contains the following text, probably the author's signature:
Made By ZaCker
The body of the worm also contains code capable of deleting the contents of the D:, E:, F: and G: drives.