Gemel

Posted: March 28, 2006

Gemel is an Internet worm that spreads via ICQ messages and through file-sharing networks that use popular peer-to-peer software. The worm removes several essential Windows components, such as the Task Manager and the System Configuration Utility, and erases the command.com file that some versions of Windows need in order to boot. Gemel creates infected files with meaningful-looking names and drops them into the shared folders of the Kazaa, Grokster, Morpheus and ICQ applications in order to trick other users into downloading and running them. The worm also attempts to create an infected executable on a floppy disk. Gemel runs on every Windows startup.

File System Modifications

  • The following files were created in the system:
    gedzac.exe
    zacker.exe

Registry Modifications

  • The following newly produced Registry values are:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\acker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Gedzac
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Gedzac
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Zacker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner = Kuasanagui
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gedzac
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zacker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Winnt\CurrentVersion\RegisteredOrganization = Gedzac
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Winnt\CurrentVersion\RegisteredOrganization = Zacker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Winnt\CurrentVersion\RegisteredOwner = Kuasanagui
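As a defender's check, and as an added example that is not part of this page's original listing: a small Python scanner that parses a Windows Registry Editor (.reg) export and flags the Run values and RegisteredOwner / RegisteredOrganization strings listed above. The .reg sample embedded in it is constructed, and it uses the standard `Windows NT\CurrentVersion` key path for the owner and organization values.

```python
import re

# Indicators taken from the page: autorun value names and the owner /
# organization strings the worm writes into the registry.
RUN_VALUE_NAMES = {"gedzac", "zacker"}
OWNER_ORG_MARKERS = {"gedzac", "zacker", "kuasanagui"}
KEY_RE = re.compile(r"^\[-?(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) for each value line in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                      # "[HKEY_...]" header opens a new key
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:   # skip blanks, the version banner, etc.
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):   # REG_SZ: unescape
            data = data[1:-1].replace(r'\\', '\\').replace(r'\"', '"')
        yield key, name, data

def find_gemel_indicators(reg_text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        leaf = key.lower().rsplit("\\", 1)[-1]
        if leaf == "run" and name.lower() in RUN_VALUE_NAMES:
            findings.append(f"autorun value {name} -> {data} in {key}")
        elif name.lower() in ("registeredowner", "registeredorganization") \
                and data.lower() in OWNER_ORG_MARKERS:
            findings.append(f"{name} overwritten with {data!r} in {key}")
    return findings

# Constructed sample export (not captured from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gedzac"="C:\\WINDOWS\\gedzac.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="Kuasanagui"
"RegisteredOrganization"="Zacker"
'''

if __name__ == "__main__":
    for finding in find_gemel_indicators(SAMPLE_REG):
        print("[!]", finding)
```

On a live host, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the `Windows NT\CurrentVersion` key rather than the embedded sample.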