By Do Manh Dzung, Senior Malware Researcher – Bkis

On April 22 2009, Bkis Honeypot system discovered a new worm, which we named W32.Gaptcha.Worm. The worm automatically signs up and creates random Gmail accounts for spamming purposes. To do so, it must be able to break Google’s CAPTCHA first. Gaptcha continuously creates Gmail accounts and sends registered accounts to hackers until Gmail blocks the infected machine’s IP. It then removes itself from the system.

Once your computer gets infected with this worm, you will see IE windows automatically appear. You will then see the whole automatic Gmail accounts registering process by the worm. After that you will not be able to sign up for new Gmail account as your computer will have been blocked by Gmail.

Worm description:

Name: W32.Gaptcha.Worm

Size: 82 kb

Discovered date: April 22, 2009

Severity: Medium

The attack process by W32.Gaptcha.Worm:

1.     Connects to server to check Internet connection and server connection. If it fails to connect to the server or if there is no Internet connection, moves to step 9.

2.    Runs IE by InternetExplorer.Application command, automatically connects to to create new account.


3.     Fill in the fields:

a.     FirstName: Randomly takes these following names: Emily, Isabella, etc.

b.    LastName: Randomly takes Smith, Johnson, etc.


4.     Looks for CAPTCHA, downloads to TEPM folder, sends to server:  for image processing then retrieves the information to bypass CAPTCHA.

5.     Finishes registration.


6.     Runs IE, logs on the Gmail account it has just created, changes setting Enable POP. Edits field: Forwart as Copy : u6j3y1iknj


7.     Sends information about the Gmail account it has just created to hacker at

8.     Repeats step 2.

9.     Creates .bat file to remove itself.

We have updated signature for removing W32.Gaptcha.Worm in our free tool: BkavHome. You can download BkavHome here.

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet