Kaspersky Labs documents the first return of a classical parasitic file infector virus in about two years. Like the CIH virus, it will attempt to infect as many EXE files as possible on the PC, plus download secondary viruses which can spread rapidly throughout an unpatched network. A single PC can have hundreds or even thousands of copies of this virus as it self replicates on the PC.
Gael/Tenga PE based Trojan - Links
Kaspersky Labs - Analyst's Commentary
Kaspersky Labs - Tenga.A Virus Description
McAfee Gael Worm Description
Symantec - Licum Virus Description
Trend - Tenga.A Virus Description
Tenga is a good old classic virus, where the main goal is to self-replicate as much as possible. Once your machine is infected, you can end up with hundreds of infected files, all of which will then attempt to download Trojan-Downloader.Win32.Small.bdc
When run, the worm infects .EXE files on the local system, appending itself to host files. 10 threads are created to search for infectable computers on the Internet, SYN packets are sent to random IP addresses on TCP 139 (netbios). The worm then attempts to connect to responding systems via the IPC$ and open shares to parasitically infect files remotely.
Full Version: Gael/Tenga - New Parasitic File Infector
Have they found a way to remove this virus yet.... because I recieved this virus a couple of days ago and my whole system is now being corrupt as we speak. I have been looking for the appropriate removal tool to delete this worm and repair all the files that it has corrupted.
A way to get rid of Gael Worm!
A lot of people keep seeing this nasty little virus virus pop up and assume they have not cleaned it thoroughly. If they are anything like me, then that is not the case. Any machine directly connected to the internet (ie not behind a router) has a true ip that can be seen from anywhere on the internet. In other words, if you go to whatismyip.com to get an ip, and then type "ipconfig" in the run box in the start menu, you will get the same ip. I'm betting that these will be the ones having repeated infections like i did.
The virus scanners we all use do a pretty good job. The problem is that this virus looks for shared folders. If you keep getting infected, I ask you, are your drives shared? Thats how it kept getting me. My first problem was that I used "share" as the name for a shared folder, a likely guess for an attacker. Anyways here's what you have to do to make your shared folders off-limits to this virus.
First of all, if you're using simple file sharing, you're asking for trouble. Turn it off as follows:
1. Double click "My Computer"
2. Tools -> Folder Options
3. Click the view tab
4. Scroll to the very bottom
5. Make sure that "use simple file sharing (recommended)" is UNCHECKED
You now can configure what people can do to your shared folder. Go to the directory that keeps having infected files pop up. If its icon has the hand under it, right click on it and select properties. If is not shared, check its parent directory.
click sharing
Click permissions
click on "everyone"
make sure "Change" is not checked
Click ok
Click the security tab
Click "Everyone"
Uncheck everything but "Read" and "List Folder Contents"
If you had to uncheck any boxes particularly "write", you probably just fixed your problem.
This will make it much harder to map to your shared folder, since the virus would have to know a username and password of someone that can log into your computer in order to connect. As soon as I realized I was giving write privledges to everyone I was kicking myself. I had been wondering why this thing kept popping up, since I never had time to run the EXE. Mcafee always got it the second it overwrote a file. Well it only overwrote files in my shared folder (of course I didn't share c:), and that is because the virus was never on my machine at all (not for more than a few seconds anyway). It was on somebody's computer who was too cheap to buy a virus scanner and it was getting to me through my shared folder. That is why every virus scanner said my drive was clean. But problem solved. I haven't seen a virus alert since i changed the permissions to read only. I bet it'll work for you too
If you want another computer to have full access to the shared folder, you need to map the share using an existing username and password, or you need to create a winows user on the computer with the shared drive (The new user need not be an administrator). Use the procedure just given but check the "full controll" boxes for this user. Then when you map the share use "connect using a different username and password" to specify the windows user you just added.
Anyways that was the "cleaning procedure" I used. It seems to have worked.
A lot of people keep seeing this nasty little virus virus pop up and assume they have not cleaned it thoroughly. If they are anything like me, then that is not the case. Any machine directly connected to the internet (ie not behind a router) has a true ip that can be seen from anywhere on the internet. In other words, if you go to whatismyip.com to get an ip, and then type "ipconfig" in the run box in the start menu, you will get the same ip. I'm betting that these will be the ones having repeated infections like i did.
The virus scanners we all use do a pretty good job. The problem is that this virus looks for shared folders. If you keep getting infected, I ask you, are your drives shared? Thats how it kept getting me. My first problem was that I used "share" as the name for a shared folder, a likely guess for an attacker. Anyways here's what you have to do to make your shared folders off-limits to this virus.
First of all, if you're using simple file sharing, you're asking for trouble. Turn it off as follows:
1. Double click "My Computer"
2. Tools -> Folder Options
3. Click the view tab
4. Scroll to the very bottom
5. Make sure that "use simple file sharing (recommended)" is UNCHECKED
You now can configure what people can do to your shared folder. Go to the directory that keeps having infected files pop up. If its icon has the hand under it, right click on it and select properties. If is not shared, check its parent directory.
click sharing
Click permissions
click on "everyone"
make sure "Change" is not checked
Click ok
Click the security tab
Click "Everyone"
Uncheck everything but "Read" and "List Folder Contents"
If you had to uncheck any boxes particularly "write", you probably just fixed your problem.
This will make it much harder to map to your shared folder, since the virus would have to know a username and password of someone that can log into your computer in order to connect. As soon as I realized I was giving write privledges to everyone I was kicking myself. I had been wondering why this thing kept popping up, since I never had time to run the EXE. Mcafee always got it the second it overwrote a file. Well it only overwrote files in my shared folder (of course I didn't share c:), and that is because the virus was never on my machine at all (not for more than a few seconds anyway). It was on somebody's computer who was too cheap to buy a virus scanner and it was getting to me through my shared folder. That is why every virus scanner said my drive was clean. But problem solved. I haven't seen a virus alert since i changed the permissions to read only. I bet it'll work for you too
If you want another computer to have full access to the shared folder, you need to map the share using an existing username and password, or you need to create a winows user on the computer with the shared drive (The new user need not be an administrator). Use the procedure just given but check the "full controll" boxes for this user. Then when you map the share use "connect using a different username and password" to specify the windows user you just added.
Anyways that was the "cleaning procedure" I used. It seems to have worked.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.