
Gael/Tenga - New Parasitic File Infector

2 replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:02:55 AM

Posted 23 July 2005 - 07:40 AM

Kaspersky Labs documents the first return of a classical parasitic file infector virus in about two years. Like the CIH virus, it will attempt to infect as many EXE files as possible on the PC, plus download secondary viruses which can spread rapidly throughout an unpatched network. A single PC can have hundreds or even thousands of copies of this virus as it self replicates on the PC.

Gael/Tenga PE based Trojan - Links

Kaspersky Labs - Analyst's Commentary

Kaspersky Labs - Tenga.A Virus Description

McAfee Gael Worm Description

Symantec - Licum Virus Description

Trend - Tenga.A Virus Description

Tenga is a good old classic virus, where the main goal is to self-replicate as much as possible. Once your machine is infected, you can end up with hundreds of infected files, all of which will then attempt to download Trojan-Downloader.Win32.Small.bdc.

When run, the worm infects .EXE files on the local system, appending itself to host files. 10 threads are created to search for infectable computers on the Internet; SYN packets are sent to random IP addresses on TCP 139 (NetBIOS). The worm then attempts to connect to responding systems via the IPC$ and open shares to parasitically infect files remotely.
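The scanning behaviour quoted above (bare SYNs to many different addresses on TCP 139) shows up in firewall logs as one source fanning out to many destinations. The following is an added detection sketch, not part of the original post or any vendor write-up; the log lines are constructed, the function name and threshold are hypothetical, and it assumes the standard Windows Firewall log field order given in the first comment.

```powershell
# Assumed field order (Windows Firewall pfirewall.log):
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
# Constructed sample lines using documentation address ranges.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-07-23 07:40:01 ALLOW TCP 192.0.2.10 198.51.100.7 1045 139 48 S 1 0 65535 - - - SEND
2005-07-23 07:40:01 ALLOW TCP 192.0.2.10 203.0.113.90 1046 139 48 S 1 0 65535 - - - SEND
2005-07-23 07:40:02 ALLOW TCP 192.0.2.10 198.51.100.201 1047 139 48 S 1 0 65535 - - - SEND
2005-07-23 07:40:02 ALLOW TCP 192.0.2.10 203.0.113.14 1048 139 48 S 1 0 65535 - - - SEND
2005-07-23 07:40:03 ALLOW TCP 192.0.2.22 192.0.2.5 2001 139 48 S 1 0 65535 - - - SEND
2005-07-23 07:40:04 ALLOW TCP 192.0.2.22 192.0.2.5 2001 139 40 A 2 2 65535 - - - SEND
'@ -split "`r?`n"

function Find-Port139Fanout {
    param(
        [string[]]$Lines,
        [int]$MinTargets = 4   # hypothetical threshold; tune to the network
    )
    $rows = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }   # skip header and blank lines
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 10) { continue }            # malformed or truncated entry
        # Keep only pure SYNs (flags field exactly "S") to TCP 139.
        if ($f[3] -eq 'TCP' -and $f[7] -eq '139' -and $f[9] -eq 'S') {
            [pscustomobject]@{ Src = $f[4]; Dst = $f[5] }
        }
    }
    # A file server client talks to a few hosts; a scanner touches many.
    $rows | Group-Object Src | ForEach-Object {
        $targets = @($_.Group | ForEach-Object { $_.Dst } | Sort-Object -Unique)
        if ($targets.Count -ge $MinTargets) {
            [pscustomobject]@{ Source = $_.Name; DistinctTargets = $targets.Count }
        }
    }
}

Find-Port139Fanout -Lines $sample
```

On the constructed sample only 192.0.2.10 is reported; 192.0.2.22 talks to a single file server and stays below the threshold.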



#2 gnostica


  • Members
  • 1 posts
  • Local time:01:55 AM

Posted 28 July 2005 - 07:42 PM

Have they found a way to remove this virus yet? I received this virus a couple of days ago and my whole system is now being corrupted as we speak. I have been looking for the appropriate removal tool to delete this worm and repair all the files that it has corrupted.

#3 nitrojunkie


  • Members
  • 1 posts
  • Local time:02:55 AM

Posted 12 January 2006 - 11:01 AM

A way to get rid of Gael Worm!

A lot of people keep seeing this nasty little virus pop up and assume they have not cleaned it thoroughly. If they are anything like me, then that is not the case. Any machine directly connected to the internet (i.e. not behind a router) has a true IP that can be seen from anywhere on the internet. In other words, if you go to whatismyip.com to get an IP, and then type "ipconfig" in the run box in the start menu, you will get the same IP. I'm betting that these will be the ones having repeated infections like I did.

The virus scanners we all use do a pretty good job. The problem is that this virus looks for shared folders. If you keep getting infected, I ask you, are your drives shared? That's how it kept getting me. My first problem was that I used "share" as the name for a shared folder, a likely guess for an attacker. Anyways, here's what you have to do to make your shared folders off-limits to this virus.

First of all, if you're using simple file sharing, you're asking for trouble. Turn it off as follows:
1. Double click "My Computer"
2. Tools -> Folder Options
3. Click the view tab
4. Scroll to the very bottom
5. Make sure that "use simple file sharing (recommended)" is UNCHECKED

You can now configure what people can do to your shared folder. Go to the directory that keeps having infected files pop up. If its icon has the hand under it, right click on it and select properties. If it is not shared, check its parent directory.

Click "Sharing"
Click "Permissions"
Click on "Everyone"
Make sure "Change" is not checked

Click OK
Click the "Security" tab
Click "Everyone"
Uncheck everything but "Read" and "List Folder Contents"

If you had to uncheck any boxes, particularly "write", you probably just fixed your problem.

This will make it much harder to map to your shared folder, since the virus would have to know a username and password of someone that can log into your computer in order to connect. As soon as I realized I was giving write privileges to everyone I was kicking myself. I had been wondering why this thing kept popping up, since I never had time to run the EXE. McAfee always got it the second it overwrote a file. Well, it only overwrote files in my shared folder (of course I didn't share c:), and that is because the virus was never on my machine at all (not for more than a few seconds anyway). It was on somebody's computer who was too cheap to buy a virus scanner and it was getting to me through my shared folder. That is why every virus scanner said my drive was clean. But problem solved. I haven't seen a virus alert since I changed the permissions to read only. I bet it'll work for you too.

If you want another computer to have full access to the shared folder, you need to map the share using an existing username and password, or you need to create a Windows user on the computer with the shared drive (the new user need not be an administrator). Use the procedure just given but check the "full control" boxes for this user. Then when you map the share use "connect using a different username and password" to specify the Windows user you just added.

Anyways that was the "cleaning procedure" I used. It seems to have worked.
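The permission check described in the post above can be run across every share on a machine at once. The following is an added example, not part of the original post: it lists shares where "Everyone" is allowed to write at the share level, the NTFS level, or both. It assumes Windows 8 / Server 2012 or later (the SmbShare module, which the Windows XP systems in this thread do not have) and an elevated prompt; the function names are hypothetical.

```powershell
function Test-WritableRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $fs = [System.Security.AccessControl.FileSystemRights]
    # Bits that let a remote writer create, overwrite, extend or delete files,
    # plus raw GENERIC_WRITE / GENERIC_ALL masks that Get-Acl can return.
    $mask = [int]$fs::WriteData -bor [int]$fs::AppendData -bor
            [int]$fs::Delete -bor 0x40000000 -bor 0x10000000
    return (([int]$Rights -band $mask) -ne 0)
}

function Get-OpenWritableShare {
    param([string[]]$Principal = @('Everyone'))

    foreach ($share in Get-SmbShare -Special $false) {
        if (-not $share.Path) { continue }   # e.g. printer shares have no folder

        # Share-level permissions ("Sharing" tab -> "Permissions").
        $shareHit = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -in $Principal -and
            [string]$_.AccessControlType -eq 'Allow' -and
            [string]$_.AccessRight -in 'Change', 'Full'
        }

        # NTFS permissions on the shared folder ("Security" tab).
        $ntfsHit = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.IdentityReference.Value -in $Principal -and
            [string]$_.AccessControlType -eq 'Allow' -and
            (Test-WritableRights $_.FileSystemRights)
        }

        if ($shareHit -or $ntfsHit) {
            [pscustomobject]@{
                Share           = $share.Name
                Path            = $share.Path
                ShareLevelWrite = [bool]$shareHit
                NtfsWrite       = [bool]$ntfsHit
                # Access over the network is the more restrictive of the two
                # layers, so only shares with both flags set are remotely writable.
                RemotelyWritable = ([bool]$shareHit -and [bool]$ntfsHit)
            }
        }
    }
}

Get-OpenWritableShare | Format-Table -AutoSize
```

A share with `RemotelyWritable` set to True is in the state the post describes; rows with only one flag set are not writable by "Everyone" over the network but are one permission change away from it.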

