Alias: W32/Ganda@MM, Win32.Ganda.A
Type: Worm
Size: 45,056 bytes
Origin: Sweden
Date: 03-17-2003
Damage:
VDF Version: 6.18.00.16
Danger: Medium
Distribution: Low

General Description
Worm/Ganda sends itself by email using its own SMTP engine, so it doesn't need any email client program such as Outlook or Outlook Express. It collects email addresses found in files with the extensions .EML, .HTM and .HTML and in the Windows Address Book. When the attachment is opened, the worm copies itself into the Windows directory as Scandisk.exe and as another .EXE file with a random name (########.EXE) of 45,056 bytes.

The worm makes a registry entry to ensure it will be activated by the next system start:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Worm/Ganda infects executable (.EXE) files on the local drive with its 567-byte code. The infected files cannot infect other files and remain functional afterwards.

When active, the worm can terminate running programs, such as antivirus or firewall applications.

Symptoms
- it ends running processes, such as antivirus or firewall applications;
- the file SCANDISK.EXE (45,056 bytes) in %WinDir%;
- an identical 45,056-byte file with a random name (8 characters + .EXE) in %WinDir%;
- the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent
HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent2

Distribution
The worm has its own SMTP engine and sends itself to all email addresses found on the infected computer.

Technical Details
The email sent by Worm/Ganda can have English or Swedish components. The Subject consists of one of the following lines:
* Is USA always number one?
* LINUX.
* GO USA !!!!
* Nazi propaganda?
* Disgusting propaganda.
* Spy pics
* Screensaver advice
* Catlover.
* G.W Bush animation.
* Is USA a UFO?
* Olaglig_skärmsläckare?
* Hakkors.
* Rashets eller inte?
* Suspekta semaforer.
* Avskyvärd_reklam.
* Överviktiga_förnedras.
* Go ack ack ack....
* Är_USA_ett_UFO?
* Korkad president.
* Katt, hund, kanin.

The Body of the email is one of these phrases:

* This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!

* Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.

* Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it.

* This screensaver has been banned in Germany. It contains a number of animated symbols that can be related to the nazi culture. What do you think, is it a legitimate ban or not? Please answer asap. Thanx!

* Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you.

* Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!

* Have a look at this screensaver, and then tell me that George.W Bush is not an alien ;-)

* Here's the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!

* If you like cats you'll love this screensaver. It's four animated kittens running around on the screen. Contact me for more clipart. Have fun! ;-)

* Do you think this screensaver could be considered illegal? Would appreciate if you or any one of your friends could check it out and answer as soon as humanly possible. Thanx!

The Attachment is a combination of two random letters and the extension .SCR (eg QC.SCR or MQ.SCR).

When the attachment is opened, Worm/Ganda copies itself with a file size of 45,096 bytes in the following two directories:

* C:\<%WinDir%>\Scandisk.exe
* C:\<%WinDir%>\<random name>.exe (8 characters + .EXE)

and then it makes the registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanDisk" = C:\WINNT\SCANDISK.exe

Worm/Ganda infects the Windows .EXE files on the local drive with its 567-byte code. The infected files cannot infect other files and remain functional afterwards.

When the worm sends itself by email, with an attachment, from the infected computer, it creates the registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent
HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent2
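As an added example (not part of the original description), a small Python indicator matcher built from the artifacts listed above: the mail-side subject/attachment pattern and the host-side files, registry keys and Run value. It assumes the 8-character random file name is alphanumeric, and it takes the directory listing and registry data as constructed inputs rather than reading a live host.

```python
import re

# Subset of the Subject lines listed in the description.
GANDA_SUBJECTS = {
    "Is USA always number one?", "LINUX.", "GO USA !!!!", "Nazi propaganda?",
    "Disgusting propaganda.", "Spy pics", "Screensaver advice", "Catlover.",
    "G.W Bush animation.", "Is USA a UFO?", "Korkad president.", "Katt, hund, kanin.",
}
# Attachment: two letters + .SCR (e.g. QC.SCR, MQ.SCR).
ATTACHMENT_RE = re.compile(r"^[A-Za-z]{2}\.scr$", re.IGNORECASE)
# Dropped copies: SCANDISK.EXE or an 8-character name + .EXE, 45,056 bytes.
DROPPED_SIZE = 45056
DROPPED_NAME_RE = re.compile(r"^(scandisk|[a-z0-9]{8})\.exe$", re.IGNORECASE)  # charset assumed
REG_INDICATORS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent2"}


def email_matches(subject, attachments):
    """True when a message matches the worm's subject/attachment pattern."""
    return subject in GANDA_SUBJECTS and any(ATTACHMENT_RE.match(a) for a in attachments)


def host_indicators(windir_listing, registry_keys, run_values):
    """Match host-side symptoms.

    windir_listing: iterable of (file name, size in bytes) for %WinDir%
    registry_keys:  set of registry key paths present on the host
    run_values:     dict of value name -> data under HKLM\...\CurrentVersion\Run
    Returns a list of human-readable indicator strings (empty if clean).
    """
    hits = []
    for name, size in windir_listing:
        if size == DROPPED_SIZE and DROPPED_NAME_RE.match(name):
            hits.append(f"file {name} ({size} bytes)")
    for key in sorted(REG_INDICATORS):
        if key in registry_keys:
            hits.append(f"registry key {key}")
    data = run_values.get("ScanDisk", "")
    if data.lower().endswith("scandisk.exe"):
        hits.append(f"Run value ScanDisk = {data}")
    return hits


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    listing = [("SCANDISK.EXE", 45056), ("notepad.exe", 69120), ("AB12CD34.EXE", 45056)]
    keys = {r"HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent"}
    run = {"ScanDisk": r"C:\WINNT\SCANDISK.exe"}
    print(email_matches("Spy pics", ["QC.SCR"]))
    for hit in host_indicators(listing, keys, run):
        print("indicator:", hit)
```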

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* C:\<%WinDir%>\Scandisk.exe
* C:\<%WinDir%>\<random name>.exe (8 characters + .EXE)

Start "regedit" after that and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanDisk" = C:\WINNT\SCANDISK.exe

* HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent

* HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent2

Restart your computer.

- for Windows 9x/ME:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* C:\<%WinDir%>\Scandisk.exe
* C:\<%WinDir%>\<random name>.exe (8 characters + .EXE)

Start "regedit" after that and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanDisk" = C:\WINNT\SCANDISK.exe

* HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent

* HKEY_LOCAL_MACHINE\SOFTWARE\SS\Sent2

Restart your computer.
Description added by: Crony Walker on Tuesday, June 15, 2004
