By Do Manh Dzung, Senior Malware Researcher – Bkis
On April 22, 2009, the Bkis honeypot system discovered a new worm, which we named W32.Gaptcha.Worm. The worm automatically signs up for and creates random Gmail accounts for spamming purposes. To do so, it must first be able to break Google’s CAPTCHA. Gaptcha continuously creates Gmail accounts and sends the registered accounts to the hackers until Gmail blocks the infected machine’s IP. It then removes itself from the system.
Once your computer is infected with this worm, you will see IE windows appear automatically, followed by the worm’s entire automatic Gmail account registration process. After that you will not be able to sign up for a new Gmail account, as your computer will have been blocked by Gmail.
Size: 82 KB
Discovered date: April 22, 2009
The attack process of W32.Gaptcha.Worm:
1. Connects to the server clitcommander.110mb.com to check the Internet connection and the server connection. If it fails to connect to the server, or there is no Internet connection, it moves to step 9.
2. Runs IE via the InternetExplorer.Application object and automatically connects to https://www.google.com/accounts/NewAccount?service=mail to create a new account.
3. Fills in the fields:
a. FirstName: randomly chosen from a list of names such as Emily, Isabella, etc.
b. LastName: randomly chosen from Smith, Johnson, etc.
4. Looks for the CAPTCHA, downloads it to the TEMP folder, sends it to the server ac-service.info for image processing, then retrieves the result to bypass the CAPTCHA.
5. Finishes registration.
6. Runs IE, logs on to the Gmail account it has just created, enables the POP setting, and edits the “Forward a copy” field to: u6j3y1iknj @my-private-email.biz.
7. Sends information about the Gmail account it has just created to the hacker at clitcommander.110mb.com.
8. Repeats step 2.
9. Creates a .bat file to remove itself.
We have updated the signature for removing W32.Gaptcha.Worm in our free tool, BkavHome. You can download BkavHome here.