I-Worm.Ganda
Ganda is a worm that spreads over the Internet as an email attachment. It also inserts a loader component into Win32 PE EXE files on the local disk and defends itself against anti-virus programs by terminating their processes and patching their executables.
The worm itself is a Windows PE EXE file 45056 bytes in size. It is written in assembly language and contains the following encrypted strings:
[WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden, 03.03.
I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination.
I support animal-liberators worldwide.
Infected messages are built on the following MIME skeleton. The text/plain alternative is a placeholder that HTML-capable mail programs do not display; the selected message body is carried in the text/html part and the worm file is the base64 attachment:

--part1
Content-type: multipart/alternative; boundary="part2"

--part2
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Myzli!

--part2
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Message body

--part2--

--part1
Content-type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xx.scr"
A title (subject) and a message body are selected from the following variants in English or Swedish, depending on the computer's language settings. The worm sends them quoted-printable encoded, with non-ASCII subjects as RFC 2047 encoded-words; they are shown here decoded, with the raw subject header given where it is encoded and an English translation in brackets after each Swedish variant.
Swedish message variants:
Variant 1:
Title: Olaglig skärmsläckare? (raw header: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?=)
Message body:
Hej!
Min son visade mig denna skärmsläckare som jag misstänker kan bryta mot lagen om hets mot folkgrupp. Eftersom du är verksam som jurist, så vore jag tacksam för en fackmans syn på saken. Tack på förhand.
[Illegal screensaver? / Hi! My son showed me this screensaver, which I suspect may break the law against incitement against ethnic groups. Since you work as a lawyer, I would be grateful for a professional's view on the matter. Thanks in advance.]
Variant 2:
Title: Rashets eller inte?
Message body:
Hejsan!
Min datalärare gjorde mig uppmärksam på att denna skärmsläckare möjligen kan tänkas vara ett verk av rasister. Nu vet jag varken ut eller in, eftersom jag hade tänkt använda den på min skoldator. Bör jag att fortsätta att använda den? Svara helst snarast. Tack på förhand.
[Racial hatred or not? / Hello! My computer teacher pointed out to me that this screensaver could possibly be the work of racists. Now I don't know which way to turn, since I had intended to use it on my school computer. Should I keep using it? Please answer as soon as possible. Thanks in advance.]
Variant 3:
Title: Hakkors.
Message body:
Hej!
Min klassföreståndare gick i taket när hon fick se skärmsläckaren som jag har använt under två terminer. Hon anklagade mig för antisemitism eftersom den ibland visar ett hakkors. Tycker du att jag bör acceptera detta från henne? Vore tacksam för ett utlåtande från dig. Svara helst så snart det går.
[Swastika. / Hi! My class teacher hit the roof when she saw the screensaver I have been using for two terms. She accused me of antisemitism because it sometimes shows a swastika. Do you think I should accept this from her? I would be grateful for an opinion from you. Please answer as soon as you can.]
Variant 4:
Title: Suspekta semaforer.
Message body:
Hejsan !
I skolan hittade jag en CD skiva som innehöll bl.a denna skärmsläckare. En lärare som råkade kasta ett öga på den avfärdade dess innehåll som ren rasistisk propaganda. Själv tycker jag inte att det är något att orda om. Vore tacksam för din uppfattning. Tack på förhand.
[Suspicious semaphores. / Hello! At school I found a CD that contained, among other things, this screensaver. A teacher who happened to glance at it dismissed its content as pure racist propaganda. I myself don't think it is anything to make a fuss about. I would be grateful for your opinion. Thanks in advance.]
Variant 5:
Title: Avskyvärd reklam. (raw header: =?iso-8859-1?Q?Avskyv=E4rd_reklam.?=)
Message body:
Hej!
Min minderårige son fick denna skärmsläckare på en CD skiva via ett massutskick av reklam. Jag upprörs över det sätt på vilket rasistiska och nazistiska propagandister tillåts förmedla sin avskyvärda ideologi till barn. Jag överväger nu att polisanmäla detta tilltag så snart du, i egenskap av juridisk fackman, delgett mig din åsikt. Tack på förhand.
[Despicable advertising. / Hi! My underage son received this screensaver on a CD through a mass advertising mailing. I am outraged at the way racist and Nazi propagandists are allowed to convey their despicable ideology to children. I am now considering reporting this to the police as soon as you, as a legal professional, have given me your opinion. Thanks in advance.]
Variant 6:
Title: Överviktiga förnedras. (raw header: =?iso-8859-1?Q?=D6verviktiga_f=F6rnedras.?=)
Message body:
Hejsan !
Jag överväger att polisanmäla denna skärmsläckare. Jag anser att den har en nedlåtande attityd gentemot överviktiga personer. Jag skulle bli ytterst tacksam om du kunde bidra med din syn på saken. Tack på förhand.
[Overweight people are humiliated. / Hello! I am considering reporting this screensaver to the police. I believe it has a condescending attitude toward overweight people. I would be extremely grateful if you could contribute your view on the matter. Thanks in advance.]
Variant 7:
Title: Go ack ack ack....
Message body:
Hej igen!
Den här skärmsläckaren verkar vara en amerikansk parodi på något som svenskarna gör på midsommar. Skratta inte ihjäl dig bara. :-)
[Hi again! This screensaver seems to be an American parody of something Swedes do at Midsummer. Just don't laugh yourself to death. :-)]
Variant 8:
Title: Är USA ett UFO? (raw header: =?iso-8859-1?Q?=C4r_USA_ett_UFO=3F?=)
Message body:
Hej igen!
Här är skärmsläckare nummer 4. Kolla in den och tala sedan om för mig att George W Bush INTE är en rymdvarelse. ;-)
[Is the USA a UFO? / Hi again! Here is screensaver number 4. Check it out and then tell me that George W Bush is NOT an alien. ;-)]
Variant 9:
Title: Korkad president.
Message body:
Hej igen!
Här är skärmsläckaren som jag snackade om. George W Bush verkar inte vara allför bright om man ska tro brittiska komiker. :-)
[Stupid president. / Hi again! Here is the screensaver I was talking about. George W Bush doesn't seem to be all that bright, if British comedians are to be believed. :-)]
Variant 10:
Title: Katt, hund, kanin.
Message body:
Hej igen!
Om du gillar djur så måste denna skärmsläckare vara nå't för dig. Mjau, Voff, Arf Arf.... ;-)
[Cat, dog, rabbit. / Hi again! If you like animals, this screensaver must be something for you. Meow, Woof, Arf Arf.... ;-)]
English message variants (reproduced as the worm sends them, including its author's spelling):
Variant 1:
Title: Screensaver advice.
Message body:
Do you think this screensaver could be considered illegal? Would appreciate if you or any one of your friends could check it out and answer as soon as humanly possible. Thanx !
Variant 2:
Title: Spy pics.
Message body:
Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!
Variant 3:
Title: GO USA !!!!
Message body:
This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!
Variant 4:
Title: G.W Bush animation.
Message body:
Here's the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!
Variant 5:
Title: Is USA a UFO?
Message body:
Have a look at this screensaver, and then tell me that George.W Bush is not an alien. ;-)
Variant 6:
Title: Is USA always number one?
Message body:
Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.
Variant 7:
Title: LINUX.
Message body:
Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it.
Variant 8:
Title: Nazi propaganda?
Message body:
This screensaver has been banned in Germany. It contains a number of animated symbols that can be related to the nazi culture. What do you think, is it a legitimate ban or not? Please answer asap. Thanx!
Variant 9:
Title: Catlover.
Message body:
If you like cats you'll love this screensaver. It's four animated kittens running around on the screen. Contact me for more clipart. Have fun! ;-)
Variant 10:
Title: Disgusting propaganda.
Message body:
Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you.
The attachment is named xx.scr, where xx is two random lowercase letters from 'a' to 'z'.
The worm activates only when a user opens the attached file. It then installs itself on the system and runs its spreading routine and payload.
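As an added example (editor's code, not from the original page or from the worm), the following Python reads a raw message, decodes the RFC 2047 subject and checks it against the MIME skeleton, the subject variants and the xx.scr attachment naming scheme described above. The sample message is constructed to match the template; its outer multipart/mixed content type is an assumption, since the page shows only the inner parts, and the attachment bytes are dummies.

```python
"""Triage check for the Ganda lure messages described on this page.

Added example (editor's code, not the page's or the worm's).  It parses a
raw RFC 822 message, decodes the RFC 2047 subject, and reports which of
the page's indicators match: a known lure subject, a two-letter .scr
attachment, a base64 application/octet-stream part, and the
multipart/alternative body.  The outer multipart/mixed content type is an
assumption; the page only shows the inner parts.
"""
import email
import re
from email.header import decode_header, make_header

# Decoded subjects of the twenty variants listed on this page.
KNOWN_SUBJECTS = {
    "Olaglig skärmsläckare?", "Rashets eller inte?", "Hakkors.",
    "Suspekta semaforer.", "Avskyvärd reklam.", "Överviktiga förnedras.",
    "Go ack ack ack....", "Är USA ett UFO?", "Korkad president.",
    "Katt, hund, kanin.", "Screensaver advice.", "Spy pics.", "GO USA !!!!",
    "G.W Bush animation.", "Is USA a UFO?", "Is USA always number one?",
    "LINUX.", "Nazi propaganda?", "Catlover.", "Disgusting propaganda.",
}

# Attachment naming scheme from the page: two random letters a-z plus .scr
ATTACHMENT_RE = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)


def decode_subject(raw):
    """Decode a possibly RFC 2047 encoded Subject header to a str."""
    return str(make_header(decode_header(raw or "")))


def ganda_indicators(raw_message: bytes) -> dict:
    """Return a dict of indicator -> bool plus a 'score' count."""
    msg = email.message_from_bytes(raw_message)
    hits = {
        "known_subject": decode_subject(msg.get("Subject")) in KNOWN_SUBJECTS,
        "scr_attachment": False,
        "octet_stream_base64": False,
        "alternative_body": False,
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/alternative":
            hits["alternative_body"] = True
        fname = part.get_filename()
        if fname and ATTACHMENT_RE.match(fname):
            hits["scr_attachment"] = True
            cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
            if ctype == "application/octet-stream" and cte == "base64":
                hits["octet_stream_base64"] = True
    hits["score"] = sum(hits.values())
    return hits


# Constructed sample (not a captured message): the layout follows the
# template on this page, the attachment is a few dummy bytes.
SAMPLE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?=
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="part1"

--part1
Content-type: multipart/alternative; boundary="part2"

--part2
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Myzli!

--part2
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hej! Min son visade mig denna sk=E4rmsl=E4ckare ...

--part2--

--part1
Content-type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="qz.scr"

AAECAwQFBgcICQ==

--part1--
"""

if __name__ == "__main__":
    for name, value in ganda_indicators(SAMPLE).items():
        print(f"{name}: {value}")
```

Subjects are compared after decoding because the raw header form depends on how the encoder split and escaped the text; a mail-gateway rule on the two-letter .scr attachment alone would also catch messages whose subject is not on the list.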
Installing
When run, the worm copies itself to the Windows directory as SCANDISK.exe and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanDisk=\SCANDISK.exe
It also copies itself to the Windows directory under a random name of eight lowercase letters ('a' to 'z') followed by ".exe"; the name hvjxlzna.EXE in the infection component's strings below appears to be one such copy.
Spreading
The worm sends infected messages directly over SMTP. It collects target addresses from the Windows Address Book (WAB) database and from files on the disk matching the masks "*.eml", "*.*htm*" and "*.dbx".
The worm inserts its component into Win32 PE EXE files only.
It searches the local disk for .EXE and .SCR files and looks for particular instruction sequences in them. Where it finds them, it inserts its component into the last section of the PE file and patches in a JMP instruction that transfers control to the component. The component does not carry the worm body itself; it executes the main worm body from the Windows directory. The component's code contains the following strings:
KERNEL32.DLL
CreateProcessA GlobalAlloc GetWindowsDirectoryA SetCurrentDirectoryA
CreateProcessA
hvjxlzna.EXE
The Ganda worm defends itself against anti-virus programs. It terminates running processes whose code contains any of the following text strings:
virus
firewall
f-secure
symantec
mcafee
pc-cillin
trend micro
kaspersky
sophos
norton
Ganda also examines the files referenced from the registry tree
HKLM\System\CurrentControlSet\Services\VxD
and deletes the entries of those whose contents match the anti-virus strings above. It examines the files pointed to by the auto-run keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
in the same way, and writes a RET instruction over the entry point of any such file that contains the anti-virus strings, so that the program returns immediately and does nothing when started.
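The two file modifications described here, a component appended to the last section and reached through a patched JMP, and a RET written over the entry point of anti-virus executables, can both be looked for at the entry point. The following Python is an added example (editor's code, not the worm's or the page's): a minimal PE parser plus triage heuristics of the editor's own. The page does not say where the worm places its JMP, so only a JMP at the entry point is checked, and the PE images are constructed in memory for illustration rather than taken from real binaries.

```python
"""Entry-point triage for the two PE modifications this page describes: a
component appended to the last section and reached through a patched JMP,
and a RET written over the entry point of anti-virus executables.
Added example (editor's code, not the worm's or the page's).  The
heuristics are the editor's own; the page does not say where the worm
places its JMP, so only a JMP at the entry point is checked.  The PE
images are constructed in memory for illustration, not real binaries.
"""
import struct

RET = 0xC3        # x86 'ret'
JMP_REL32 = 0xE9  # x86 'jmp rel32'

def parse_pe(data: bytes):
    """Return (entry_rva, sections), each section being
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        s = pe + 24 + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return entry_rva, sections

def _contains(section, rva):
    _, vaddr, vsize, _, rsize = section
    return vaddr <= rva < vaddr + max(vsize, rsize)

def rva_to_offset(rva, sections):
    for sec in sections:
        if _contains(sec, rva):
            return sec[3] + (rva - sec[1])
    return None

def triage(data: bytes) -> dict:
    """Flag entry-point patterns matching the infection and AV-disabling
    behaviour described on this page.  All values are bools."""
    entry_rva, sections = parse_pe(data)
    off = rva_to_offset(entry_rva, sections)
    first = data[off] if off is not None and off < len(data) else None
    last = sections[-1]
    findings = {
        "entry_is_ret": first == RET,   # disabled AV binary: returns at once
        "entry_in_last_section": len(sections) > 1 and _contains(last, entry_rva),
        "entry_is_jmp": first == JMP_REL32,
        "jmp_target_in_last_section": False,
    }
    if first == JMP_REL32 and off + 5 <= len(data):
        rel = struct.unpack_from("<i", data, off + 1)[0]
        findings["jmp_target_in_last_section"] = _contains(last, entry_rva + 5 + rel)
    return findings

def build_pe(sections_spec, entry_rva):
    """Build a minimal PE32 image in memory (constructed test data);
    sections_spec is a list of (name, virtual_address, raw_bytes)."""
    nsec, pe_off, opt_size, align = len(sections_spec), 0x40, 0xE0, 0x200
    raw_ptr = (pe_off + 24 + opt_size + 40 * nsec + align - 1) & ~(align - 1)
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table, body = bytearray(), bytearray()
    for name, vaddr, raw in sections_spec:
        rsize = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), vaddr, rsize, raw_ptr + len(body),
                             0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rsize, b"\0")
    img = dos + coff + opt + table
    return bytes(img.ljust(raw_ptr, b"\0") + body)

def sample(kind):
    """Constructed images: 'clean', 'ret_patched', 'jmp_to_stub', 'ep_in_stub'."""
    text = b"\x55\x8b\xec\x33\xc0\xc9\xc3"   # push ebp; mov ebp,esp; xor eax,eax; leave; ret
    stub = b"\x60\x90\x90\x61\xc3"           # pushad; nop; nop; popad; ret (placeholder)
    secs = [(".text", 0x1000, text), (".data", 0x2000, b"\0" * 16)]
    entry = 0x1000
    if kind == "ret_patched":
        secs[0] = (".text", 0x1000, bytes([RET]) + text[1:])
    elif kind == "jmp_to_stub":
        rel = 0x3000 - (0x1000 + 5)
        secs[0] = (".text", 0x1000, bytes([JMP_REL32]) + struct.pack("<i", rel) + text[5:])
        secs.append((".stub", 0x3000, stub))
    elif kind == "ep_in_stub":
        secs.append((".stub", 0x3000, stub))
        entry = 0x3000
    return build_pe(secs, entry)
```

A JMP or RET at the entry point is not proof of infection on its own (packers and run-time stubs commonly start with a jump, and a trivial program can legitimately be a single RET), so treat the flags as triage leads and confirm by comparing the flagged file against a known-good copy.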
Payloads
Each time it infects a machine, the worm also sends one message with the following characteristics:
From:
skrattahaha@hotmail.com
To:
red@fna.se
debatt@svt.se
susanne.sjostedt@tidningen.to
skolverket@skolverket.se
mary.martensson@aftonbladet.se
katarina.sternudd@aftonbladet.se
cecilia.gustavsson@aftonbladet.se
jessica.ritzen@aftonbladet.se
margareta.cronquist@tidningen.to
annika.sohlander@aftonbladet.se
kerstin.danielson@aftonbladet.se
insandare@tidningen.to
insandare@aftonbladet.se
The message subject is:
DISKRIMINERAD !!!!
(Swedish for "DISCRIMINATED !!!!"). The message body is written in Swedish.
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
190303/100904