Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Terminates antivirus processes
Detection files published 16 Mar 2003 03:00:00
Description created 17 Mar 2003 09:17:00
Description updated 18 Mar 2003 12:27:00
Malware type VIRUS
Alias
Spreading mechanism EMAIL
Summary None

W32/Ganda.A@mm

Spreading

The worm carries several email subject lines and message bodies, stored encrypted in its body, and switches between them. The text is Swedish or English depending on the language setting of the infected PC.

When first executed, it copies itself into the Windows directory as SCANDISK.EXE and under a second, randomly generated name (e.g. DRFTHVJX.EXE). At the same time it infects many other executables with a small code stub intended to launch the worm from the randomly named copy.

Mail is sent to addresses harvested from the Windows Address Book. The worm uses the mail server and sender address configured in the infected computer's registry; if no mail server is found, it falls back to a server hardcoded in the worm. During sending, a temporary file called TMPWORM.EXE is created in the Windows directory.

It creates the following registry value to start automatically at boot (the standard autostart key under CurrentVersion\Run):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanDisk = %WINDIR%\SCANDISK.exe

Another registry key is used to keep track of the emails already sent:

HKLM\Software\SS\Sent
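To check a host for the artifacts named above, the following read-only PowerShell triage script is an added example written for this page, not a Lumension tool or the worm's own code. It takes the file names (SCANDISK.EXE, TMPWORM.EXE), the Run value name ScanDisk and the HKLM\Software\SS\Sent key from the description; everything else is an assumption: that the Run value sits under the standard HKLM\Software\Microsoft\Windows\CurrentVersion\Run autostart key (both registry views are read on 64-bit Windows), and that the randomly named copy is eight upper-case letters, which is inferred from the single example DRFTHVJX.EXE and is only a heuristic.

```powershell
# Added example (not from the Lumension description): read-only host triage for
# the W32/Ganda.A@mm artifacts. Reports findings, removes nothing.
# Assumptions: PowerShell 5+; autostart key is the standard CurrentVersion\Run;
# the random copy name pattern (8 upper-case letters) is inferred from DRFTHVJX.EXE.

function Find-GandaArtifacts {
    [CmdletBinding()]
    param(
        [string]$WinDir = $env:WINDIR
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autostart value ScanDisk = %WINDIR%\SCANDISK.exe (both registry views on x64)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $value = Get-ItemProperty -Path $key -Name 'ScanDisk' -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            $findings.Add("Autostart: $key\ScanDisk = $($value.ScanDisk)")
        }
    }

    # 2. Sent-mail tracking key HKLM\Software\SS\Sent
    foreach ($key in 'HKLM:\SOFTWARE\SS', 'HKLM:\SOFTWARE\WOW6432Node\SS') {
        if (Test-Path -Path $key) {
            $findings.Add("Tracking key present: $key")
            $sent = Get-Item -Path "$key\Sent" -ErrorAction SilentlyContinue
            if ($null -ne $sent) {
                $findings.Add("  Values under Sent: $($sent.ValueCount)")
            }
        }
    }

    # 3. Dropped files. SCANDISK.EXE is also a legitimate Windows utility name, so
    #    the file alone is weak evidence; record a hash for correlation with AV data.
    foreach ($name in 'SCANDISK.EXE', 'TMPWORM.EXE') {
        $path = Join-Path -Path $WinDir -ChildPath $name
        if (Test-Path -Path $path -PathType Leaf) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $findings.Add("File present: $path (SHA256 $hash)")
        }
    }

    # 4. Randomly named copy: executables directly in the Windows directory whose
    #    base name is eight upper-case letters. Heuristic only; review by hand.
    Get-ChildItem -Path $WinDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -cmatch '^[A-Z]{8}$' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("Candidate random-name copy: $($_.FullName) (SHA256 $hash)")
        }

    return $findings
}

# Usage: run from an elevated prompt so HKLM and %WINDIR% are fully readable.
$results = Find-GandaArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No W32/Ganda.A@mm artifacts found.'
} else {
    $results | ForEach-Object { Write-Output $_ }
}
```

The Run value and the HKLM\Software\SS key are the strongest indicators here; a SCANDISK.EXE on its own can be a legitimate file, and the eight-letter filter deliberately matches only upper-case names so that system executables such as explorer.exe are not flagged. The script does not detect the executables that were patched with the launch stub; those require a scanner with the published detection files, which is also why the script reports rather than deletes.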

Payload Details

The worm attempts to enumerate and kill different antivirus processes.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10