Threat Encyclopedia


Win32/Ganda.A

This worm spreads as a file attached to electronic mail messages. The file containing the worm is 45056 bytes long. It attacks computers running Windows 95/98/ME/NT/2000/XP.

The worm arrives in an e-mail message having one of the following subjects:

DISKRIMINERAD !!!!
Olaglig_skärmsläckare?
Rashets eller inte?
Hakkors.
Suspekta semaforer.
Avskyvärd_reklam.
Överviktiga_förnedras.
Go ack ack ack....
Är_USA_ett_UFO?
Korkad president.
Katt, hund, kanin.
Screensaver advice.
Spy pics.
GO USA !!!!
G.W Bush animation.
Is USA a UFO?
Is USA always number one?
LINUX.
Nazi propaganda?
Catlover.
Disgusting propaganda.

The attachment is a file containing the worm, with a name consisting of two randomly chosen letters; this file always has the SCR extension. The text in the body of a message with one of the above subjects is chosen from twenty available options. The language of the message subject and body is always the same.

Note: In the following text the symbolic notation %windir% is used instead of the name of the directory in which the Windows operating system is installed, since this may differ from installation to installation.

When the worm is run it copies itself into the %windir% directory under the name scandisk.exe and under a randomly generated name consisting of eight characters; the second file also has the EXE extension. To ensure it is activated again after the operating system restarts, the worm creates an item named ScanDisk in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and sets its value to the copy named scandisk.exe in the %windir% directory.
The worm terminates processes whose names contain the strings virus, firewall, f-secure, symantec, mcafee, pc-cillin, trend micro, kaspersky, sophos and norton.
Win32/Ganda.A modifies executable files having the extensions EXE and SRC, inserting a short piece of code that activates the copy of the worm in the %windir% directory.
The worm harvests addresses for its spreading from the Windows Address Book (files with the extension WAB) and from files having the extension EML, HTM, HTML or DBX.
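As an added example (not part of this ESET entry), the indicators described above expressed as a small Python triage check: the subject lookup table is copied from the list in this entry, while the sample messages and Run-key entries are constructed and not captured from a real infection.

```python
import re

# Subject lines quoted in the entry above, as a lookup table.
GANDA_SUBJECTS = {
    "DISKRIMINERAD !!!!", "Olaglig_skärmsläckare?", "Rashets eller inte?", "Hakkors.",
    "Suspekta semaforer.", "Avskyvärd_reklam.", "Överviktiga_förnedras.",
    "Go ack ack ack....", "Är_USA_ett_UFO?", "Korkad president.", "Katt, hund, kanin.",
    "Screensaver advice.", "Spy pics.", "GO USA !!!!", "G.W Bush animation.",
    "Is USA a UFO?", "Is USA always number one?", "LINUX.", "Nazi propaganda?",
    "Catlover.", "Disgusting propaganda.",
}

# Attachment name: exactly two letters plus the SCR extension, as described.
ATTACHMENT_RE = re.compile(r"^[A-Za-z]{2}\.scr$", re.IGNORECASE)

def mail_indicators(subject, attachment):
    """Return the Ganda.A indicators found in one message (empty list = none)."""
    hits = []
    if subject.strip() in GANDA_SUBJECTS:
        hits.append("known-subject")
    if attachment and ATTACHMENT_RE.match(attachment.rsplit("\\", 1)[-1]):
        hits.append("two-letter-scr-attachment")
    return hits

def run_key_indicators(run_entries, windir):
    """Flag a Run item named ScanDisk whose data points at %windir%\\scandisk.exe.

    run_entries: dict of value name -> data as exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (constructed here).
    """
    expected = windir.lower().rstrip("\\") + "\\scandisk.exe"
    hits = []
    for name, data in run_entries.items():
        expanded = data.strip('"').lower().replace("%windir%", windir.lower())
        if name.lower() == "scandisk" and expanded == expected:
            hits.append(name)
    return hits

# Constructed sample data, not captured from a real infection.
SAMPLE_MAIL = [("Is USA a UFO?", "qz.SCR"), ("Catlover.", "photo.jpg"),
               ("Quarterly report", "report.pdf")]
SAMPLE_RUN = {"ScanDisk": r"%windir%\scandisk.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for subj, att in SAMPLE_MAIL:
        print(subj, att, mail_indicators(subj, att))
    print(run_key_indicators(SAMPLE_RUN, r"C:\WINDOWS"))  # ['ScanDisk']
```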

NOD32 detects Win32/Ganda.A from version 1.378.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.