Name:  W32.Gaze@mm
Aliases:  MSIL/Gaze@MM,Win32.Gaze
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit, Outlook
Status:  in the wild
Threat:  V-CON 1 (low)
The following has been derived from information provided by Computer Associates, NAI, and Symantec.
Virus Characteristics
W32.Gaze requires both the .NET Framework and Microsoft Outlook to be installed in order to propagate. It spreads by sending messages to all contacts in the Outlook Address Book. Messages arrive with the following characteristics:
Subject: faze
Body: How are you today?
Attachment: GAME.EXE (8,192 bytes)
This worm will not do anything if the .NET Framework is not installed and the following path does not exist: "C:\WINNT\SYSTEM32".
When GAME.EXE is executed, it tries to make a copy of itself in the WINNT\SYSTEM32 directory. It will also drop a Visual Basic Script mass mailing component named MAIL.VBS to the same location. The worm attempts to create the following registry key to execute at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"msdosie" = "C:\WINNT\SYSTEM32\GAME.EXE"
Payload
This worm will mail itself to all contacts in the Outlook Address Book.
It modifies a registry key to launch itself at startup.
Preventative Measures
Block all executable (EXE) attachments at the gateway where possible.
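One way to apply this measure at a mail gateway, as an added example that is not taken from the vendor sources for this advisory: it flags any EXE attachment and separately marks messages matching the subject, attachment name and size listed above. The function names are hypothetical, the sample message is constructed, and the check of the leading "MZ" bytes goes beyond the extension-based advice so that a renamed executable is also caught.

```python
import email
from email import policy
from email.message import EmailMessage

# Message characteristics taken from the advisory text above.
GAZE_SUBJECT = "faze"
GAZE_ATTACHMENT = "GAME.EXE"
GAZE_SIZE = 8192


def inspect_message(raw: bytes) -> dict:
    """Return a gateway verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    executables = []
    # walk() also covers a message whose only body part is the executable.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Flag by extension, or by the DOS/PE "MZ" header for renamed files.
        if name.upper().endswith(".EXE") or payload[:2] == b"MZ":
            executables.append((name, len(payload)))
    subject = (msg["Subject"] or "").strip().lower()
    gaze_like = subject == GAZE_SUBJECT and any(
        n.upper() == GAZE_ATTACHMENT and size == GAZE_SIZE
        for n, size in executables
    )
    return {"block": bool(executables), "gaze_like": gaze_like,
            "executables": executables}


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message; attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("How are you today?")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("faze", "GAME.EXE", b"MZ" + b"\x00" * 8190)
    print(inspect_message(sample))
```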
Fixes Available
Network Associates:
Minimum DAT: 4232
Release Date: 11/06/2002
Minimum Engine: 4.1.60
Symantec:
Virus Definitions (Intelligent Updater) October 31, 2002
Virus Definitions (LiveUpdate) November 6, 2002