You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

GYMIZI.A

 
Threat LevelLow threatDamageHighDistributionNot widespread

Effects 

GYMIZI.A carries out the following annoying actions:

  • When users open the Internet Explorer browser:
    - It displays a animated image with a progress bar, as can be seen in the following image:


    - It modifies the window title of the browser, changing it to the following message:

  • If users attempt to open the Firefox browser, it will be immediately closed.
  • Then, it displays the following message:

  • And this other message indicating that the computer is going to be restarted:

  • Once the countdown has finished, the computer is restarted and the following screen is displayed:


    It is a screen modified by the worm in order to prevent users from starting the computer.
  • If the first option is selected, that is, the one that is already selected, the computer will be started.

Infection strategy 

GYMIZI.A creates a copy of itself called SVCHOST.EXE in the folder mizi, created by itself, in the Windows system directory. In this same folder it creates an AUTORUN.INF file, so that the copies of the worm are automatically run when they are accessed.

 

GYMIZI.A renames the BOOT.INI file of the root directory of the C: drive to BOOT.BAK and replaces it with its own BOOT.INI. By doing this, it modifies the message that is displayed when the system is restarted.

 

GYMIZI.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    windos = %sysdir%\mizi\svchost.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, GYMIZI.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}

 

GYMIZI.A modifies the following entry from Windows Registry, in order to modify the text that is displayed in the Internet Explorer window title:

  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Lockdown_Zones\ 0
    DisplayName = Mi PC
    It changes this entry to:
    HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Internet Settings\ Lockdown_Zones\ 0
    DisplayName = HACK BY::<<GYMIE>>

Means of transmission 

GYMIZI.A spreads through removable drives, like USB keys. In order to do so, it creates an AUTORUN.INF file which points to a copy of the worm in the root directory of these drives. This way, the copy of the worm is automatically run when any of these drives is accessed.

Further Details  

GYMIZI.A is 235,216 bytes in size.