Class: Email-Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message, or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:
  • a direct connection to an SMTP server, using the email directory built into the worm's code
  • MS Outlook services
  • Windows MAPI functions

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even "reply" to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

Ganda is a worm virus spreading via the Internet as an email attachment. It inserts its component into executable Win32 PE EXE files and protects itself against anti-virus programs.

The worm itself is a Windows PE EXE file that is 45056 bytes in size. It is written in assembly language and contains the following encrypted strings:

 [WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden, 03.03.
 I am being discriminated by the swedish schoolsystem. This is a response
 to eight long years of discrimination.
 I support animal-liberators worldwide.

The worm's messages have the following MIME structure (the secondary text parts may be ignored by email clients):

 --part1
 Content-type: multipart/alternative; boundary="part2"

 --part2
 Content-type: text/plain; charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable

 Myzli!

 --part2
 Content-type: text/html; charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable

 
  Massage body
 

 --part2--

 --part1
 Content-type: application/octet-stream
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="xx.scr"

A title and a message body are selected from the following variants in English and in Swedish. The language chosen depends on a computer's language settings.

Swedish message variants:

Variant 1:

 Title: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?=

 Message body:

 Hej!

 Min son visade mig denna sk=E4rmsl=E4ckare som jag misst=E4nker kan =
 bryta mot lagen om hets mot folkgrupp. Eftersom du =E4r verksam som =
 jurist, s=E5 vore jag tacksam f=F6r en fackmans syn p=E5 saken. Tack =
 p=E5 f=F6rhand.

Variant 2:

 Title: Rashets eller inte?

 Message body:

 Hejsan!

 Min datal=E4rare gjorde mig uppm=E4rksam p=E5 att denna =
 sk=E4rmsl=E4ckare m=F6jligen kan t=E4nkas vara ett verk av rasister. Nu =
 vet jag varken ut eller in, eftersom jag hade t=E4nkt anv=E4nda den p=E5 =
 min skoldator. B=F6r jag att forts=E4tta att anv=E4nda den? Svara helst =
 snarast.
 Tack p=E5 f=F6rhand.

Variant 3:

 Title: Hakkors.

 Message body:

 Hej!

 Min klassf=F6rest=E5ndare gick i taket n=E4r hon fick se =
 sk=E4rmsl=E4ckaren som jag har anv=E4nt under tv=E5 terminer. Hon =
 anklagade mig f=F6r antisemitism eftersom den ibland visar ett hakkors. ='
 Tycker du att jag b=F6r acceptera detta fr=E5n henne? Vore tacksam f=F6r =
 ett utl=E5tande fr=E5n dig. Svara helst s=E5 snart det g=E5r.

Variant 4:

 Title: Suspekta semaforer.

 Message body:

 Hejsan !

 I skolan hittade jag en CD skiva som inneh=F6ll bl.a denna =
 sk=E4rmsl=E4ckare. En l=E4rare som r=E5kade kasta ett =F6ga p=E5 den =
 avf=E4rdade dess inneh=E5ll som ren rasistisk propaganda. Sj=E4lv tycker =
 jag inte att det =E4r n=E5got att
 orda om. Vore tacksam f=F6r din uppfattning. Tack p=E5 f=F6rhand.

Variant 5:

 Title: =?iso-8859-1?Q?Avskyv=E4rd_reklam.?=

 Message body:

 Hej!

 Min minder=E5rige son fick denna sk=E4rmsl=E4ckare p=E5 en CD skiva via =
 ett massutskick av reklam. Jag uppr=F6rs =F6ver det s=E4tt p=E5 vilket =
 rasistiska och nazistiska propagandister till=E5ts f=F6rmedla sin =
 avskyv=E4rda ideologitill barn. Jag =F6verv=E4ger nu att polisanm=E4la detta tilltag s=E5 =
 snart du, i egenskap av juridisk fackman, delgett mig din =E5sikt. Tack =
 p=E5 f=F6rhand.

Variant 6:

 Title: =?iso-8859-1?Q?=D6verviktiga_f=F6rnedras.?=

 Message body:

 Hejsan !

 Jag =F6verv=E4ger att polisanm=E4la denna sk=E4rmsl=E4ckare. Jag anser =
 att den har en nedl=E5tande attityd gentemot =F6verviktiga personer. Jag =
 skulle bli ytterst tacksam om du kunde bidra med din syn p=E5 saken.
 Tack p=E5 f=F6rhand.

Variant 7:

 Title: Go ack ack ack....

 Message body:

 Hej igen!

 Den h=E4r sk=E4rmsl=E4ckaren verkar vara en amerikansk parodi p=E5 =
 n=E5got som svenskarna g=F6r p=E5 midsommar. Skratta inte ihj=E4l dig =
 bara. :-)

Variant 8:

 Title: =?iso-8859-1?Q?=C4r_USA_ett_UFO=3F?=

 Message body:

 Hej igen!

 H=E4r =E4r sk=E4rmsl=E4ckare nummer 4. Kolla in den och tala sedan om =
 f=F6r mig att George W Bush INTE =E4r en rymdvarelse. ;-)

Variant 9:

 Title: Korkad president.

 Message body:

 Hej igen!

 H=E4r =E4r sk=E4rmsl=E4ckaren som jag snackade om. George W Bush verkar =
 inte vara allf=F6r bright om man ska tro brittiska komiker. '
  :-)

Variant 10:

 Title: Katt, hund, kanin.

 Message body:

 Hej igen!

 Om du gillar djur s=E5 m=E5ste denna sk=E4rmsl=E4ckare vara n=E5't f=F6r =
 dig. Mjau, Voff, Arf Arf.... ;-)

English message variants:

Variant 1:

 Title: Screensaver advice.

 Message body:

 Do you think this screensaver could be considered illegal? Would =
 appreciate if you or any one of your friends could check it out and =
 answer as soon as
 humanly possible. Thanx !

Variant 2:

 Title: Spy pics.

 Message body:

 Here's the screensaver i told you about. It contains pictures taken by =
 one of the US spy satellites during one of it's missions over iraq. If =
 you want more of these pic's you know where you can find me. Bye!

Variant 3:

 Title: GO USA !!!!

 Message body:

 This screensaver animates the star spangled banner. Please support the =
 US administration in their fight against terror. Thanx a lot!

Variant 4:

 Title: G.W Bush animation.

 Message body:

 Here's the animation that the FBI wants to stop. Seems like the feds are =
 trying to put an end to peoples right to say what they think of the US =
 administration. Have fun!

Variant 5:

 Title: Is USA a UFO?

 Message body:

 Have a look at this screensaver, and then tell me that George.W Bush is =
 not an alien. ;-)

Variant 6:

 Title: Is USA always number one?

 Message body:

 Some misguided people actually believe that an american life has a =
 greater value than those of other nationalities. Just have a look at =
 this pathetic screensaver and then you'll know what i'm talking about. =
 All the best.

Variant 7:

 Title: LINUX.

 Message body:

 Are you a windows user who is curious about the linux environment? This =
 screensaver gives you a preview of the KDE and GNOME desktops. What's =
 more, LINUX is a free system, meaning anyone can download it.

Variant 8:

 Title: Nazi propaganda?

 Message body:

 This screensaver has been banned in Germany. It contains a number of =
 animated symbols that can be related to the nazi culture. What do you =
 think, is it a legitimate ban or not? Please answer asap. Thanx!

Variant 9:

 Title: Catlover.

 Message body:

 If you like cats you'll love this screensaver. It's four animated =
 kittens running around on the screen. Contact me for more clipart. Have =
 fun! ;-)

Variant 10:

 Title: Disgusting propaganda.

 Message body:

 Hello! My 12 year old doughter received this screensaver on a CDROM that =
 was sent to her through advertising. I find it disturbing that children =
 are now being targets of nazi organizations. I would appreciate to hear =
 from you on this matter, as soon as possible. Thank you.

The attachment name is generated according to the pattern:

 xx.scr (where 'xx' is two random letters from 'a' to 'z')
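The MIME layout quoted above and the xx.scr naming rule give a mail gateway a few structural indicators to match on. The following is an added example, not Kaspersky's code: it assumes an outer multipart/mixed container with boundary "part1" (implied but not shown in the template), and the sample message is constructed with a placeholder attachment body.

```python
import email
import re
from email import policy

# Constructed sample following the MIME layout quoted in the description.
# The outer multipart/mixed header is an assumption; "AAAA" is a placeholder, not the worm.
SAMPLE = b"""Subject: Screensaver advice.
Content-Type: multipart/mixed; boundary="part1"

--part1
Content-type: multipart/alternative; boundary="part2"

--part2
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Myzli!

--part2
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body>Message body</body></html>

--part2--

--part1
Content-type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="qz.scr"

AAAA
--part1--
"""

NAME_RE = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)  # two random letters + .scr

def ganda_indicators(raw: bytes) -> list:
    """Return the structural Ganda indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype, fname = part.get_content_type(), part.get_filename()
        if ctype == "text/plain" and part.get_content().strip() == "Myzli!":
            hits.append("plain-text alternative is the fixed string 'Myzli!'")
        if fname and NAME_RE.match(fname):
            hits.append(f"attachment name matches the xx.scr pattern: {fname}")
        if fname and fname.lower().endswith(".scr") and ctype == "application/octet-stream":
            hits.append("screensaver executable sent as application/octet-stream")
    return hits
```

Any one indicator alone is weak; a gateway rule would normally require the attachment-name match together with one of the others.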

The worm activates only if a user clicks on the infected attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing
During installation the worm copies itself to the Windows directory under the name SCANDISK.exe and registers this file in the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 ScanDisk=SCANDISK.exe

The worm also copies itself to the Windows directory under a random name: eight random letters from 'a' to 'z' followed by ".exe".

Spreading
To send infected messages the worm connects directly to an SMTP server. It harvests recipient addresses from the WAB database and from files matching the masks "*.eml", "*.*htm*" and "*.dbx", scanning for email address strings inside them.

The worm inserts its component into the following executable file types: Win32 PE EXE

The worm searches the local disk for .EXE and .SCR files and looks for specific instruction sequences in them. When such a sequence is found, the worm inserts its component into the last section of the PE file and patches in a JMP instruction that passes control to that component. The inserted component runs the main worm body from the Windows directory. The component code contains the following strings:

 KERNEL32.DLL 
 CreateProcessA  GlobalAlloc GetWindowsDirectoryA SetCurrentDirectoryA 
 CreateProcessA 
 hvjxlzna.EXE

The Ganda worm defends itself against anti-virus programs. It terminates running processes whose code contains any of the following text strings:

 virus 
 firewall 
 f-secure 
 symantec 
 mcafee 
 pc-cillin 
 trend micro 
 kaspersky 
 sophos 
 norton

Ganda also scans the files referenced from the system registry tree:

 HKLM\System\CurrentControlSet\Services\VxD

and deletes the entries for files that contain anti-virus strings. The worm likewise scans the files pointed to by the registry keys:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The worm inserts a RET instruction at the entry point of files found to contain anti-virus strings, so that such a program returns immediately when launched.
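The two file modifications described in this section (a component appended to the last section of a PE file, and a RET written over the entry point of anti-virus programs) can both be checked for by parsing the PE headers. The following is an added example, not Kaspersky's code: the heuristics are mine, and build_pe constructs a minimal two-section PE32 image purely as sample input.

```python
import struct

def pe_layout(data: bytes):
    """Parse PE headers: returns (entry_rva, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return entry_rva, sections

def ganda_pe_indicators(data: bytes) -> list:
    """Flag the two PE modifications the description attributes to Ganda (heuristic, my own)."""
    entry_rva, sections = pe_layout(data)
    hits = []
    for idx, (name, va, vsize, rptr, rsize) in enumerate(sections):
        if not va <= entry_rva < va + max(vsize, rsize):
            continue
        if idx == len(sections) - 1 and len(sections) > 1:
            hits.append(f"entry point 0x{entry_rva:x} lies in the last section ({name})")
        off = rptr + (entry_rva - va)                 # file offset of the first instruction
        if off < len(data) and data[off] == 0xC3:
            hits.append("first instruction at the entry point is RET (0xC3)")
        break
    return hits

def build_pe(entry_rva: int, entry_bytes: bytes) -> bytes:
    """Constructed two-section PE32 image (not a runnable program) used as sample input."""
    secs = [(b".text", 0x1000, 0x200), (b".rsrc", 0x2000, 0x400)]  # name, VA, raw offset
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, len(secs))   # Machine (i386), NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)                # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x10B)               # Magic = PE32
    struct.pack_into("<I", img, 0x68, entry_rva)           # AddressOfEntryPoint
    for i, (name, va, rptr) in enumerate(secs):
        struct.pack_into("<8sIIII", img, 0x138 + 40 * i, name, 0x200, va, 0x200, rptr)
        if va <= entry_rva < va + 0x200:                   # place the entry bytes in that section
            off = rptr + entry_rva - va
            img[off:off + len(entry_bytes)] = entry_bytes
    return bytes(img)
```

An entry point in the last section is common in packed binaries as well, so that indicator is a triage signal rather than a verdict; a RET at the entry point of a known anti-virus executable is far more specific.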

Payloads
Each time it infects a machine, the worm also sends out an email message with the following characteristics:

From:

 skrattahaha@hotmail.com

To: a hard-coded list of recipient addresses at Swedish newspapers, a broadcaster and the national school authority


The message title or subject is:

DISKRIMINERAD !!!!

The message body contains text written in the Swedish language.
