
Gammima Computer Virus

In July 2008, the Gammima virus, which was designed to steal passwords and send them to a remote server, infected laptops aboard the International Space Station. According to NASA, this was not the first infection: "This is not the first time we have had a worm or a virus." NASA downplayed the news, describing the virus as mainly a nuisance found on non-critical space station laptops used for things like e-mail and nutritional experiments.

How did it get aboard the station? The International Space Station is a joint project of 15 countries, including the US, Canada, Russia and Japan. According to NASA, each partner maintains its own computer equipment according to a set of agreed-upon rules. The worm infected a Russian laptop used to run scientific experiments; cosmonauts on the station discovered that it had hitched a ride from Earth on that laptop.

When the Gammima worm executes, it creates the following files:

  • %System%\kavo.exe
  • %System%\kavo0.dll

The file kavo0.dll is then injected into all running processes.

It also creates the following file, which is a copy of Hacktool.Rootkit:

%Temp%\[RANDOM FILE NAME].dll

The worm then copies itself to all drives from C through Z as the following file:

[DRIVE LETTER]:\tdelect.com

It also creates the following file so that it executes whenever the drive is accessed:

[DRIVE LETTER]:\autorun.inf
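The autorun.inf at the drive root is what turns "opening the drive" into "running the dropped file". The Python below is an added example, not code from the original page: it parses an autorun.inf and reports every entry that would launch a program (the open and shellexecute keys, and the shell\<verb>\command entries that replace the Open and Explore verbs). The sample files are constructed to mirror the behaviour described above; the worm's real autorun.inf contents are not given on this page.

```python
"""Inspect an autorun.inf for entries that launch a program when the drive is
opened, the mechanism the write-up describes for tdelect.com.  Added example,
not code from the original page; the sample files below are constructed."""

# Constructed sample in the shape a propagating worm leaves at a drive root.
SAMPLE_AUTORUN = """
[autorun]
open=tdelect.com
shell\\open=Open
shell\\open\\Command=tdelect.com
shell\\explore\\Command=tdelect.com
"""

# Constructed benign autorun.inf: it only sets an icon and a volume label.
BENIGN_AUTORUN = """
[autorun]
icon=setup.ico
label=Backup
"""

EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_ini(text):
    """Minimal INI parser; section and key names are lower-cased because
    Windows matches them case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_launch_key(key):
    """Keys whose value Windows executes: open, shellexecute, and the
    shell\\<verb>\\command entries that replace the Open/Explore verbs."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def find_launch_entries(text):
    """Return (key, program) pairs from [autorun] that point at an executable."""
    hits = []
    for key, value in parse_ini(text).get("autorun", {}).items():
        if not is_launch_key(key):
            continue
        # The program is the first token; drop surrounding quotes and arguments.
        tokens = value.strip('"').split()
        if not tokens:
            continue
        program = tokens[0].strip('"')
        if program.lower().endswith(EXEC_SUFFIXES):
            hits.append((key, program))
    return hits


if __name__ == "__main__":
    for key, program in find_launch_entries(SAMPLE_AUTORUN):
        print(f"{key} -> {program}")
```

Run against the constructed sample it reports three launch entries, all pointing at tdelect.com; the benign file reports none. Checking the root of each drive for an autorun.inf with launch entries, and for a file matching the reported program name, is a reasonable triage step on a machine suspected of carrying this worm.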

Next, the worm creates the following registry entry so that it executes whenever Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"

It then modifies the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0x91"
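The registry changes above serve two purposes: the Run value gives the worm persistence, and the Explorer values keep its dropped files out of sight (Hidden = 2 hides hidden files, ShowSuperHidden = 0 hides protected operating-system files, and CheckedValue = 0 under SHOWALL stops the Folder Options switch from re-enabling them) while NoDriveTypeAutoRun = 0x91 leaves AutoRun enabled for removable and fixed drives, which is what the autorun.inf copies rely on. The Python below is an added example, not code from the original page: it parses a registry export in the text format produced by `reg export` and flags each of these settings. The export it inspects is constructed, and the C:\WINDOWS path in it is an assumption.

```python
"""Check a Windows registry export (.reg text) for the settings the Gammima
write-up lists.  Added example, not from the original page; the exports
below are constructed and the C:\\WINDOWS path is assumed."""

# Registry keys named in the write-up (lower-cased for case-insensitive matching).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
SHOWALL = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

# NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
REMOVABLE, FIXED = 0x04, 0x08

# Constructed export in the state the write-up describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed export of a hardened machine: hidden files shown, AutoRun off everywhere.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def parse_reg(text):
    """Parse .reg text into {key_lower: {value_name_lower: value}}.
    Only string and dword values are handled; hex/binary data is skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes inside string data.
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def check_indicators(text):
    """Return a list of human-readable findings for the settings the write-up lists."""
    keys = parse_reg(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith("\\kavo.exe"):
            findings.append(f"Run value {name!r} launches {data}")
    if keys.get(SHOWALL, {}).get("checkedvalue") == 0:
        findings.append("SHOWALL CheckedValue=0: Folder Options cannot re-enable hidden files")
    adv = keys.get(EXPLORER_ADV, {})
    if adv.get("hidden") == 2:
        findings.append("Explorer Advanced Hidden=2: hidden files are not shown")
    if adv.get("showsuperhidden") == 0:
        findings.append("Explorer Advanced ShowSuperHidden=0: protected OS files are not shown")
    ndta = keys.get(POLICIES, {}).get("nodrivetypeautorun")
    if ndta is not None and (ndta & (REMOVABLE | FIXED)) != (REMOVABLE | FIXED):
        findings.append(f"NoDriveTypeAutoRun=0x{ndta:02x}: AutoRun still enabled for removable/fixed drives")
    return findings


if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_REG):
        print(finding)
```

On the constructed infected export the checker reports all five settings; on the hardened export (hidden files shown, NoDriveTypeAutoRun = 0xFF) it reports nothing. A real export from a suspect machine can be produced with `reg export` for each key above and fed to `check_indicators` after decoding it from UTF-16.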

The worm checks if it has been injected into any of the following processes:

  • zhengtu.dat
  • elementclient.exe
  • dekaron.exe
  • hyo.exe
  • wsm.exe
  • ybclient.exe
  • fairlyclient.exe
  • so3d.exe
  • maplestory.exe
  • r2client.exe
  • InphaseNXD.EXE

It then attempts to steal sensitive information for the following online games:

  • ZhengTu
  • Wanmi Shijie or Perfect World
  • Dekaron Siwan Mojie
  • HuangYi Online
  • Rexue Jianghu
  • ROHAN
  • Seal Online
  • Maple Story
  • R2 (Reign of Revolution)
  • Talesweaver

The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:

Title: MatrixPasswordDlg

Message: Warning! (In Chinese characters)

Updated On: 08.08.29
