SECURITY ALERT

Name:      W32.Gismor@mm
Aliases:   Gismor, I-Worm.Gismor
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by F-Secure, Kaspersky Labs and Symantec.

Virus Characteristics

W32.Gismor@mm uses its own SMTP engine to send itself to email addresses that it finds in the infected system's mailbox. Infected messages arrive with the following characteristics:

From: "MP3 Deluxe"

To: "My best friends"

Subject: "Phenomenal"

Attachment: "MP3Player.exe"

Please note that this message does not contain a body.

Upon execution, this worm copies itself to the WINDOWS directory as SSMS.EXE. It will then modify the following registry key to execute itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SSMS.EXE"

The worm propagates by automatically replying with a copy of itself to all incoming messages in a MAPI mailbox. It will attempt to use local settings to find an SMTP server, or use "mail.gmx.net".

Finally, the worm attempts to delete all files with the following extensions:

.DOC
.XLS
.MP3
.MDB
.HTM
.ASP
.DBF
.CPP
.RTF
.WAV


Payload

Mass Mailing routine.
Deletes Files.
Modifies Registry.


Preventative Measures

Block all incoming attachments with executable (EXE) extensions at the message gateway where possible.
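
The gateway rule above can be sketched as follows. This is an added example, not code from the alert's sources or from any vendor. It blocks any message carrying an .EXE attachment and separately flags messages that match the full profile listed under Virus Characteristics. The function names, the verdict strings and the sample addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text; everything else here is illustrative.
PROFILE = {"from": "mp3 deluxe", "to": "my best friends", "subject": "phenomenal"}
PROFILE_ATTACHMENT = "mp3player.exe"
BLOCKED_EXTENSIONS = (".exe",)


def inspect_message(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    # Attachment filenames from every MIME part, normalised for comparison.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    names = [n.strip().lower() for n in names]
    if any(n.endswith(BLOCKED_EXTENSIONS) for n in names):
        reasons.append("executable attachment")

    # Display names and subject, matched case-insensitively as substrings.
    hits = sum(v in str(msg.get(h, "")).lower() for h, v in PROFILE.items())
    body = msg.get_body(preferencelist=("plain", "html"))
    no_body = body is None or not body.get_content().strip()
    if hits == len(PROFILE) and PROFILE_ATTACHMENT in names and no_body:
        reasons.append("matches W32.Gismor@mm message profile")

    return ("block" if reasons else "pass"), reasons


def build_sample(sender, to, subject, body=None, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    if body:
        m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample('"MP3 Deluxe" <a@example.invalid>',
                             '"My best friends" <b@example.invalid>',
                             "Phenomenal", attachment="MP3Player.exe")
    print(inspect_message(worm_like))
```

The extension rule is the control that matters, because it still blocks the message if the sender text or subject changes. The profile match only adds a more specific reason for triage.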


Fixes Available

Network Associates: No information at time of alert.

Symantec:
Virus Definitions (Intelligent Updater): September 6, 2002
Virus Definitions (LiveUpdate): September 11, 2002

Trend: No information at time of alert.
