Virus:Worm/Ganelp.abu
Date discovered:22/09/2011
Type:Worm
In the wild:No
Reported Infections:Medium
Distribution Potential:Low
Damage Potential:Low
Static file:No
VDF version:7.11.15.08 - Thursday, September 22, 2011
IVDF version:7.11.15.08 - Thursday, September 22, 2011

 General Aliases:
   •  TrendMicro: WORM_GANELP.SMIA
   •  Microsoft: Worm:Win32/Ganelp.gen!A
   •  Sunbelt: Worm.Win32.Ganelp.b
   •  Authentium: W32/Agent.KI.gen!Eldorado
   •  DrWeb: Trojan.Proxy.19660
   •  Norman: Worm W32/Ganelp.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Drops a file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %PROGRAM FILES%\846c0ca6\jusched.exe



The following file is created:
   • %WINDIR%\Tasks\Update23.job
This file is a Task Scheduler job that runs the malware at predefined times.

Registry
The following values are removed from these registry keys:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%PROGRAM FILES%\J8"
   • "%PROGRAM FILES%\J9"
   • "%PROGRAM FILES%\J10"
   • "%PROGRAM FILES%\J11"
   • "%PROGRAM FILES%\J12"
   • "%PROGRAM FILES%\J13"
   • "%PROGRAM FILES%\J14"
   • "%PROGRAM FILES%\J15"
   • "%PROGRAM FILES%\J16"
   • "%PROGRAM FILES%\J17"
   • "%PROGRAM FILES%\J18"
   • "%PROGRAM FILES%\J19"
   • "%PROGRAM FILES%\J20"
   • "%PROGRAM FILES%\J21"

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%PROGRAM FILES%\J8"
   • "%PROGRAM FILES%\J9"
   • "%PROGRAM FILES%\J10"
   • "%PROGRAM FILES%\J11"
   • "%PROGRAM FILES%\J12"
   • "%PROGRAM FILES%\J13"
   • "%PROGRAM FILES%\J14"
   • "%PROGRAM FILES%\J15"
   • "%PROGRAM FILES%\J16"
   • "%PROGRAM FILES%\J17"
   • "%PROGRAM FILES%\J18"
   • "%PROGRAM FILES%\J19"
   • "%PROGRAM FILES%\J20"
   • "%PROGRAM FILES%\J21"



It creates the following entry to add itself to the Windows Firewall exception list (Standard Profile, Windows XP SP2 / Server 2003 SP1 and later), so that its network traffic is not blocked:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%PROGRAM FILES%\846c0ca6\jusched.exe"="%PROGRAM
      FILES%\846c0ca6\jusched.exe"



The following registry values are set, lowering Internet Explorer security settings (sites matched by these rules are placed in the less restrictive Local intranet zone):

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   ZoneMap]
   New value:
   • "ProxyByPass"=dword:00000001
   • "IntranetName"=dword:00000001
   • "UNCAsIntranet"=dword:00000001

Backdoor
Contact server, one of the following:
   • ftp://ftp.byethost12.com
   • ftp://griptoloji.host-ed.net
   • ftp://ftp.tripod.com

As a result it may send information to the server and the attacker may gain remote control of the system.

Sends information about:
    • Information about the Windows operating system
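As an added host-triage example (not Avira's own tooling and not code from this page), the PowerShell script below checks a Windows host for the file, scheduled task, firewall and registry indicators from the Files and Registry sections above and for the contact servers from the Backdoor section. The function name Get-GanelpIndicators is hypothetical; the task name "Update23" is assumed from the .job file name (Task Scheduler 1.0 names the .job file after the task), and the DNS cache check only runs where Get-DnsClientCache exists (Windows 8 / Server 2012 and later).

```powershell
# Added example (not Avira's tooling): triage a Windows host for the
# Ganelp.abu indicators listed on this page. Run in an elevated PowerShell.
# Assumptions: task name "Update23" equals the .job file name; the DNS cache
# cmdlet is only present on Windows 8 / Server 2012 and later.

function Get-GanelpIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy and its .job file. The file name mimics the Java Update
    #    Scheduler, but the real jusched.exe does not live in an 8-hex-character
    #    folder under %PROGRAM FILES%. Check both Program Files roots on 64-bit.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $paths = @($roots | ForEach-Object { Join-Path $_ '846c0ca6\jusched.exe' })
    $paths += Join-Path $env:WINDIR 'Tasks\Update23.job'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $findings.Add(('File present: {0} ({1} bytes, modified {2:u})' -f $p, $item.Length, $item.LastWriteTime))
        }
    }

    # 2. Registered scheduled task (assumed name "Update23", from the .job file name).
    $null = & schtasks.exe /query /tn 'Update23' 2>$null
    if ($LASTEXITCODE -eq 0) { $findings.Add('Scheduled task "Update23" is registered') }

    # 3. Windows Firewall exception (Standard Profile, XP SP2 / 2003 SP1 era key).
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path -LiteralPath $fwKey) {
        $fw = Get-ItemProperty -LiteralPath $fwKey
        foreach ($name in $fw.PSObject.Properties.Name) {
            if ($name -like '*\846c0ca6\jusched.exe') {
                $findings.Add("Firewall exception: $name = $($fw.$name)")
            }
        }
    }

    # 4. IE ZoneMap weakening. These values are also set legitimately when a user
    #    turns off "Automatically detect intranet network", so treat as corroborating only.
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    foreach ($v in 'ProxyByPass', 'IntranetName', 'UNCAsIntranet') {
        $val = (Get-ItemProperty -LiteralPath $zoneMap -Name $v -ErrorAction SilentlyContinue).$v
        if ($val -eq 1) { $findings.Add("ZoneMap\$v = 1 (matching sites fall into the Local intranet zone)") }
    }

    # 5. Contact servers: look for the FTP hosts in the DNS client cache.
    #    These are shared hosting providers, so a hit is a lead, not proof.
    $c2Hosts = 'ftp.byethost12.com', 'griptoloji.host-ed.net', 'ftp.tripod.com'
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
        foreach ($h in $c2Hosts) {
            if ($cache | Where-Object { $_.Entry -eq $h -or $_.RecordName -eq $h }) {
                $findings.Add("DNS cache entry for $h")
            }
        }
    }

    return $findings
}

$result = Get-GanelpIndicators
if ($result.Count -eq 0) { 'No Ganelp.abu indicators found.' } else { $result }
```

The script reports findings rather than deciding on its own: the dropped file and the Update23 job are specific to this worm, while the ZoneMap values and a DNS cache hit on a shared hosting provider are only corroborating. The absence of the J8 to J21 Run values says nothing either way, since the malware removes them rather than creating them.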

Description inserted by Andrei Ivanes on Tuesday, January 24, 2012
Description updated by Andrei Ivanes on Tuesday, January 24, 2012
