Threat Encyclopedia


Win32/Gansip.A

Aliases: Virus.Win32.VB.mb (Kaspersky), W32.SillyFDC (Symantec), Worm:Win32/Gansip.A (Microsoft)
Type of infiltration: Worm
Size: 188416 B
Affected platforms: Microsoft Windows
Signature database version: 4986 (20100330)

Short description

Win32/Gansip.A is a worm that spreads via removable media. The file is run-time compressed using UPX.

Installation

When executed, the worm creates the following files:
  • c:\Info.Txt
  • c:\infodoc.txt
  • c:\Info Pisang Bakar.Txt (972 B)
  • c:\Pisang Bakar.Exe (188416 B)
  • %system%\SVGHOST.EXE (188416 B)
  • %windir%\control32.ini (188416 B)
  • %windir%\Winsetup.bat
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "systray32" = "%system%\SVGHOST.EXE"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%variable% C:\WINDOWS\system32\SVGHOST.EXE"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LOAD" = "%windir%\Winsetup.bat"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "build" = "%infectiondate%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "HideFileExt" = 1
    "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanvirus.exe]
    "debugger" = "%windir%\notepad.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Antivirus.exe]
    "debugger" = "%windir%\notepad.exe"
  • [HKEY_CLASSES_ROOT\exefile]
    "(Default)" = "Winamp Media File"
A string with variable content is used instead of %variable% and %infectiondate%.
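The Registry entries above give the worm persistence (the Run value and the modified Winlogon Shell), run Winsetup.bat at logon through the LOAD value, redirect any launch of scanvirus.exe or Antivirus.exe to notepad.exe through Image File Execution Options, and hide the .exe extension so the dropped copies look like media files. The following Python script is an added example, not part of this ESET description, that checks an exported .reg file for these indicators offline, for instance from a forensic image. The .reg sample at the bottom is constructed: the absolute paths in it stand in for the %system% and %windir% placeholders, and the "Explorer.exe" part of the Shell value is an assumed stand-in for %variable%.

```python
"""Offline triage of a Windows .reg export for the Win32/Gansip.A registry
indicators in the description above. Added example, not ESET tooling: the key
paths and value data come from the description, the .reg sample is constructed.
"""
import re

# Indicators from the description. "(Default)" on the page is "@" in a .reg file.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "systray32", lambda v: isinstance(v, str) and "svghost.exe" in v.lower()),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", lambda v: isinstance(v, str) and "svghost.exe" in v.lower()),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "LOAD", lambda v: isinstance(v, str) and v.lower().endswith("winsetup.bat")),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\Image File Execution Options\scanvirus.exe",
     "debugger", lambda v: isinstance(v, str) and v.lower().endswith("notepad.exe")),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\Image File Execution Options\Antivirus.exe",
     "debugger", lambda v: isinstance(v, str) and v.lower().endswith("notepad.exe")),
    (r"HKEY_CLASSES_ROOT\exefile", "@", lambda v: v == "Winamp Media File"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "HideFileExt", lambda v: v == 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", lambda v: v == 0),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse the subset of the .reg format needed here: [key] headers, "name"="string",
    "name"=dword:hex and @ for the default value. Returns {key: {name: data}}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(2) or m.group(1), m.group(3)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg files escape backslashes and quotes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            hives[current][name] = data  # other types (hex:, ...) are kept raw
    return hives


def find_indicators(hives):
    """Return (key, value name, data) for every indicator present in the export.
    Key and value names are compared case-insensitively, as the registry does."""
    lowered = {k.lower(): v for k, v in hives.items()}
    hits = []
    for key, name, matches in INDICATORS:
        for vname, data in lowered.get(key.lower(), {}).items():
            if vname.lower() == name.lower() and matches(data):
                hits.append((key, name, data))
    return hits


# Constructed export of an infected host's relevant keys plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"systray32"="C:\\WINDOWS\\system32\\SVGHOST.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\SVGHOST.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LOAD"="C:\\WINDOWS\\Winsetup.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanvirus.exe]
"debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_CLASSES_ROOT\exefile]
@="Winamp Media File"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{key}] {name} = {data!r}")
```

The HideFileExt and ShowSuperHidden values are weak indicators on their own (they are ordinary Explorer settings), so treat them as corroboration for the Run, Shell, LOAD and IFEO hits rather than as evidence by themselves; the IFEO "debugger" values for the two antivirus-like names and the exefile description are the distinctive ones.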

Spreading

The worm copies itself into existing folders of removable drives.

The worm creates the following folders:
  • %drive%\Lagu baru
The following files may be dropped in the same folder:
  • Lucky Dube-West Papua.Exe (188416 B)
  • New Oyaba-Sweat Love.Exe (188416 B)
  • Slank-Hamadi Beach.Exe (188416 B)
  • Iwan Fals New-Manusia Setengah Jadi.Exe (188416 B)
  • Once-Dendam Vs Cinta.Exe (188416 B)
  • Marley-Bird Of Paradise.Exe (188416 B)
  • Iwan Fals-Live Concert in Jayapura.Exe (188416 B)
The worm searches local drives for files with the following file extensions:
  • .mp3
When the worm finds a file matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the file found in the search. The extension of the file is ".exe".

Other information

The worm may create the following file in the root folder of drive C:
  • Pisang Bakar.Jpg (2359350 B)
The worm terminates any program that creates a window containing any of the following strings in its name:
  • Computer Management
  • Deep Freeze 2000XP
  • Folder Options
  • I*n*d*o*prog v_i_rus s*c*a*n*ner
  • Process Explorer - Sysinternals: www.sysinternals.com
  • Registry Editor
  • System Configuration Utility
  • TuneUp Registry Editor
  • User Accounts
  • Windows Task Manager
Win32/Gansip.A is a worm that overwrites the content of certain files with its own data.

The worm searches local drives for files with the following file extensions:
  • .ocx
  • .doc
  • .rtf
When the worm finds a file matching the search criteria, it overwrites its content with the following text:
Info Pisang Bakar


Sory kalu bikin kamu penasaran or marah-marah Virus juga bukan, bukan juga virus Virus ka... jangan ni..????? Me : Bukan..!, You : Virus....!, Me: Bukan...!, You :
Virus....! But.. I like that ! he...he... terserah apa katamu!


Ok... untuk teman-temanku: yang suka mandi di Kali Panta Kapal... Sio... kapan lagi
ah.... curi pisang di orang pu kebun, trus bakar, makan deng
kelapa bakar... yang pasti you are my best friend: Dharlin, Pa'Saf, Indra, Joko (Alm) and Alsor (Alm), dll

terakhir buat yang merasa.... ce ile... maksudnya yang merasa... Ganaaas skali.... de pu komputer
ada pesan ini! untuk kamu sory.... banget! tapi kamu harus tahu, bahwa virus ini mudah dihapus, karna Folder Option, Search, Run, dll sengaja tidak
disembunyikan. jadi jika anda berhasil menghapus virus ini, registry anda
akan tetap normal cara hilangkan virus buka di : www.pisangbakar.en.ak


PISANG BAKAR 1.0 Teminabuan Sept'07
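As an added example that is not part of this description, the Python script below applies the file-system indicators from the Spreading section and from the overwrite behaviour above to a mounted drive or an extracted disk image: it flags .exe files that sit beside an .mp3 of the same base name, .exe files inside a "Lagu baru" folder, any other .exe of exactly 188416 B, and .doc, .rtf and .ocx files whose content now begins with "Info Pisang Bakar". The directory tree it builds for the demonstration is constructed, and the file names in it are illustrative.

```python
"""File-system triage for Win32/Gansip.A on a mounted drive or disk image.
Added example, not ESET tooling: the size, folder name, extensions and marker
text come from the description; the sample tree is constructed here.
"""
import os
import tempfile

GANSIP_SIZE = 188416                      # size of every dropped copy (description)
DROP_FOLDER = "lagu baru"                 # folder created on removable drives, lower-cased
OVERWRITE_MARKER = b"Info Pisang Bakar"   # first line written into overwritten files
OVERWRITTEN_EXTS = {".ocx", ".doc", ".rtf"}


def scan_removable_drive(root):
    """Report suspicious .exe files below root as (kind, path, size_matches).
    kind is 'companion' (an .exe beside an .mp3 of the same base name),
    'drop_folder' (an .exe inside a 'Lagu baru' folder) or 'size' (any other
    .exe of exactly 188416 B)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        in_drop_folder = os.path.basename(dirpath).lower() == DROP_FOLDER
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            path = os.path.join(dirpath, name)
            size_ok = os.path.getsize(path) == GANSIP_SIZE
            if stem.lower() + ".mp3" in lower_names:
                findings.append(("companion", path, size_ok))
            elif in_drop_folder:
                findings.append(("drop_folder", path, size_ok))
            elif size_ok:
                findings.append(("size", path, size_ok))
    return findings


def find_overwritten_documents(root):
    """Return .doc/.rtf/.ocx files whose content now starts with the worm's text.
    Their original content is gone from disk; they must be restored from backup."""
    damaged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in OVERWRITTEN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(OVERWRITE_MARKER))
            if head == OVERWRITE_MARKER:
                damaged.append(path)
    return damaged


def build_sample_tree():
    """Construct a throw-away directory that mimics an infected drive (sample data)."""
    root = tempfile.mkdtemp(prefix="gansip_sample_")
    layout = {
        os.path.join("Music", "song.mp3"): b"ID3 not a real mp3",
        os.path.join("Music", "song.exe"): bytes(GANSIP_SIZE),        # companion copy
        os.path.join("Music", "installer.exe"): bytes(4096),          # benign, other size
        os.path.join("Lagu baru", "Slank-Hamadi Beach.Exe"): bytes(GANSIP_SIZE),
        os.path.join("Docs", "thesis.doc"): OVERWRITE_MARKER + b"\r\n\r\n...",
        os.path.join("Docs", "notes.rtf"): b"{\\rtf1 intact document}",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, path, size_ok in scan_removable_drive(sample):
        print(f"{kind:11} size_match={size_ok} {path}")
    for path in find_overwritten_documents(sample):
        print(f"overwritten {path}")
```

Run it against the mount point of a removable drive or a read-only mounted image rather than a live system drive; the size check alone is a coarse filter, so a 'size' hit without a companion .mp3 or the drop folder deserves a hash comparison against a known sample before it is acted on.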