Wednesday, July 1, 2009

Virus: Win32:Ganda

Win32:Ganda is an Internet worm which uses social engineering to trick users into running the infected mail attachment. It also tries to suspend several antivirus and security programs, such as personal firewalls, on the infected computer. It modifies executable files (.exe and .scr extensions) by adding a routine that launches Ganda from a separate file. It spreads through e-mail. Some of the infected mails use the "IFRAME vulnerability" of MS Internet Explorer to launch the mail attachment without user intervention. The worm creates the following files on the infected computer:

%WINDOWS%\scandisk.exe
%WINDOWS%\[8 random characters a-z].exe
%WINDOWS%\tmpworm.exe

In the registry, the worm creates the following item inside the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
ScanDisk=%WINDOWS%\SCANDISK.exe

The worm is launched from the registry at every computer start. Besides this, it might be launched from the modified executables: it adds code to executable files that launches the worm from its files in the %WINDOWS% folder. The size of a modified file is increased by 567 bytes.

Note: %WINDOWS% is the folder where the Windows system is installed. It is usually "C:\Windows" on Windows 95, 98 or ME, or "C:\WinNT" on Windows NT, 2000 or XP. These folder names are the defaults, but the user can choose any other name during Windows installation.

The worm tries to suspend running services named:

f-secure, firewall, kaspersky, mcafee, norton, pc-cillin, sophos, symantec, trend micro, virus

The worm spreads through e-mail to addresses it finds in the Windows Address Book or in files with .dbx, .eml or .htm extensions. Infected mails are either English or Swedish, depending on the system language of the infected computer. Infected mails have the following features: the subject line is either empty or one of the following phrases (in the English version):

  • Catlover
  • Disgusting propaganda
  • DISKRIMINERAD !!!!
  • GO USA !!!!
  • G.W Bush animation
  • Is USA a UFO?
  • Is USA always number one?
  • LINUX
  • Nazi propaganda?
  • Screensaver advice
  • Spy pics

The attachment is 45056 bytes in size, with a random 2-letter name and a .scr extension.

The worm fakes the sender address. It chooses the message body randomly from 10 messages, either English or Swedish.
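The indicators above (the Run key entry, the dropped file names in %WINDOWS%, and the mail subject/attachment pattern) can be turned into simple triage checks. The following is an added example written for this page, not Avast's detection logic; it runs over constructed sample records (registry values, a file listing, mail metadata) rather than a live system, and the Windows folder is passed in because %WINDOWS% is only the description's placeholder, not a real environment variable.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the Win32:Ganda description above.
GANDA_SUBJECTS = {
    "Catlover", "Disgusting propaganda", "DISKRIMINERAD !!!!", "GO USA !!!!",
    "G.W Bush animation", "Is USA a UFO?", "Is USA always number one?",
    "LINUX", "Nazi propaganda?", "Screensaver advice", "Spy pics",
}
GANDA_ATTACHMENT_SIZE = 45056                       # bytes
ATTACHMENT_NAME = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)
# scandisk.exe, tmpworm.exe, or 8 random letters a-z + .exe
DROPPED_NAMES = re.compile(r"^(scandisk|tmpworm|[a-z]{8})\.exe$", re.IGNORECASE)


def _in_windows_dir(path, windows_dir):
    """True if path sits directly in the Windows folder (case-insensitive)."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent == str(PureWindowsPath(windows_dir)).lower()


def run_value_is_ganda(name, data, windows_dir="C:\\Windows"):
    """Match the persistence entry ScanDisk=<windows dir>\\SCANDISK.exe
    under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    if name.lower() != "scandisk":
        return False
    return (_in_windows_dir(data, windows_dir)
            and PureWindowsPath(data).name.lower() == "scandisk.exe")


def suspicious_dropped_files(paths, windows_dir="C:\\Windows"):
    """Return the paths whose names match the worm's dropped files in %WINDOWS%."""
    return [p for p in paths
            if _in_windows_dir(p, windows_dir)
            and DROPPED_NAMES.match(PureWindowsPath(p).name)]


def mail_matches_ganda(subject, attachment_name, attachment_size):
    """Empty or listed (English) subject, 2-letter .scr attachment of 45056 bytes."""
    return ((subject == "" or subject in GANDA_SUBJECTS)
            and ATTACHMENT_NAME.match(attachment_name) is not None
            and attachment_size == GANDA_ATTACHMENT_SIZE)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real infection.
    run_values = [("ScanDisk", "C:\\Windows\\SCANDISK.exe"),
                  ("Updater", "C:\\Program Files\\Vendor\\upd.exe")]
    files = ["C:\\Windows\\tmpworm.exe", "C:\\Windows\\abcdefgh.exe",
             "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\notepad.exe"]
    for name, data in run_values:
        print(name, "->", run_value_is_ganda(name, data))
    print(suspicious_dropped_files(files))
    print(mail_matches_ganda("Spy pics", "xz.scr", 45056))
```

The 8-random-letter rule on its own also matches legitimate files such as explorer.exe in the Windows folder, so treat a hit on it as corroboration of the Run key entry rather than as a finding by itself.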

Avast Viruses Info
