

Ganda

 


Virus Advisory issued for Worm/Ganda

Name: Worm/Ganda
Alias: I-Worm.Ganda
Type: Internet Worm, File Infector
Discovered: March 17, 2003
Size: 45.056KB
Platform: Microsoft Windows 9x/ME/NT/2000/XP

Worm/Ganda is an Internet worm that spreads through e-mail, using addresses it collects from the Microsoft Outlook Address Book as well as e-mail addresses it finds in *.htm and *.html files. It uses its own SMTP engine. The messages it sends are in Swedish or in English, depending on the language settings of the infected computer.

The worm arrives through e-mail in the following format:

Subject: <random>

- Screensaver advice.
- Spy pics.
- GO USA !!!!
- G.W Bush animation.
- Is USA a UFO?
- Is USA always number one?
- LINUX.
- Nazi propaganda?
- Catlover.
- Disgusting propaganda.
- Olaglig skärmsläckar
- Rashets eller inte?
- Hakkors.
- Suspekta semaforer.
- Avskyvärd reklam.
- Överviktiga förnedra ...
- Go ack ack ack....
- Är USA ett UFO?
- Korkad president.
- Katt, hund, kanin.
- Myzli!

Body: <Random>
Attachment: <random>
So far in our testing, the filename is always short ("OC.SCR" or "PC.SCR").

If executed, the worm copies itself into the \windows\ directory under the filenames "Scandisk.exe" and "Qakuesia.exe".

So that it runs each time a user restarts their computer, the following registry value is added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScanDisk"="C:\\WINDOWS\\SCANDISK.exe"

Worm/Ganda will then infect all *.EXE files on the local drive. An infected .EXE cannot be used to infect other files when it is run. These files run as normal without any noticeable problems; there is no virulent code in these files. Next, it will try to kill processes belonging to several antivirus products.

The worm is currently under further analysis. The description will be updated when analysis is completed.
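The attachment names, dropped filenames and Run value listed above can be checked offline against a regedit text export and a file listing. The following is an added example, not part of the original advisory; the function names, the sample export and the sample file list are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the advisory text; everything else here is constructed.
DROPPED_NAMES = {"scandisk.exe", "qakuesia.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "scandisk"
ATTACHMENTS = {"oc.scr", "pc.scr"}

def parse_reg_export(text):
    """Parse a regedit text export into {key_lower: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo the export's escaping of backslashes and quotes
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def in_windir(path, windir):
    """True if path names a dropped file located directly in the Windows directory."""
    norm = ntpath.normcase(ntpath.normpath(path.strip('"')))
    return ntpath.dirname(norm) == windir and ntpath.basename(norm) in DROPPED_NAMES

def ganda_findings(reg_text, windows_dir, file_paths, attachment_names=()):
    """Return (kind, detail) tuples for every advisory indicator that is present."""
    windir = ntpath.normcase(ntpath.normpath(windows_dir))
    run = parse_reg_export(reg_text).get(RUN_KEY, {})
    findings = [("run-key", f"{name}={data}") for name, data in run.items()
                if name.lower() == RUN_VALUE and in_windir(data, windir)]
    findings += [("dropped-file", p) for p in file_paths if in_windir(p, windir)]
    findings += [("attachment", a) for a in attachment_names if a.lower() in ATTACHMENTS]
    return findings

# Constructed sample input: a Run key export and a partial file listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanDisk"="C:\\WINDOWS\\SCANDISK.exe"
"SystemTray"="SysTray.Exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Scandisk.exe", r"C:\WINDOWS\Qakuesia.exe",
                r"C:\WINDOWS\COMMAND\SCANDISK.EXE", r"C:\WINDOWS\NOTEPAD.EXE"]

if __name__ == "__main__":
    for kind, detail in ganda_findings(SAMPLE_REG, r"C:\WINDOWS", SAMPLE_FILES, ["PC.SCR"]):
        print(kind, detail)
```

Matching is case-insensitive and limited to files directly inside the Windows directory, so a file with the same name in a subdirectory is not reported.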