Spreading description
Email characteristics:
Subject:
Variable
Body:
Variable; for example:
"Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you."
"Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it."
"Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about.
All the best."
Attachment:
Variable, two character name with SCR extension
The worm carries several email bodies and subject lines and alternates between them. They are stored encrypted in the worm body. The language is Swedish or English, depending on the language setting of the infected PC.
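As an added example (not Norman's code), a Python mail-filter check for the email characteristics listed above: an attachment with a two-character base name and .SCR extension is treated as a blocking indicator, and the quoted lure phrases as a weaker signal. The sample messages are constructed with the standard library email package.

```python
"""Mail-gateway check for the worm's email characteristics (added example)."""
import re
from typing import Optional
from email import message_from_string
from email.message import EmailMessage, Message

# Attachment indicator from the description: two-character name, SCR extension
ATTACHMENT_RE = re.compile(r"^[A-Za-z0-9]{2}\.scr$", re.IGNORECASE)

# Fragments of the lure bodies quoted in the description (lower-cased)
LURE_PHRASES = (
    "received this screensaver on a cdrom",
    "preview of the kde and gnome desktops",
    "pathetic screensaver",
)

def attachment_names(msg: Message) -> list:
    """Filenames of all parts that carry a filename (empty when none)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def text_body(msg: Message) -> str:
    """All text/plain parts, decoded and joined, in lower case."""
    parts = []
    for p in msg.walk():
        if p.get_content_type() == "text/plain":
            raw = p.get_payload(decode=True)
            parts.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts).lower()

def classify(raw_message: str) -> str:
    """'block' on the attachment indicator, 'suspicious' on lure text only, else 'clean'."""
    msg = message_from_string(raw_message)
    if any(ATTACHMENT_RE.match(name) for name in attachment_names(msg)):
        return "block"
    if any(phrase in text_body(msg) for phrase in LURE_PHRASES):
        return "suspicious"
    return "clean"

def build_sample(body: str, attachment: Optional[str]) -> str:
    """Construct a sample message (not a real capture) for testing the filter."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Screensaver", "a@example.invalid", "b@example.invalid"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ-constructed-stub", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(classify(build_sample("Just have a look at this pathetic screensaver", "XY.SCR")))
```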
When first executed it copies itself to the Windows directory under the name SCANDISK.EXE and under a second, random name, for example DRFTHVJX.EXE. At the same time it infects many other executables with a small code stub that is meant to start the worm from the randomly named file.
The emails are sent to addresses picked from the Windows Address Book. The worm uses the mail server and sender address defined in the infected computer's registry. If no mail server is found, it attempts to use a server hardcoded in the worm.
During mail sending, a temporary file called TMPWORM.EXE will be created in the Windows directory.
It will create the following key to start automatically from bootup:
HKLM\Software\Microsoft\Windows\Run\ScanDisk = %WINDIR%\SCANDISK.exe
Another registry key is used to keep track of sent emails:
HKLM\Software\SS\Sent
Removal
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.