V.625
Description V.625
It is a harmless memory-resident parasitic virus. It hooks INT 21h and appends itself to the end of COM and EXE files as they are executed. The virus has no visible payload and contains no text strings that would identify it.
I-Worm.Ganda
Description I-Worm.Ganda
Ganda is a worm spreading via the Internet as an email attachment. It also inserts a small loader component into Win32 PE EXE files and defends itself against anti-virus programs. The worm itself is a Windows PE EXE file 45056 bytes in size, written in Assembler. It contains the following encrypted strings:
[WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination. I support animal-liberators worldwide.
Infected messages have the following MIME structure (the secondary headers may be ignored by some e-mail programs):
--part1
Content-type: multipart/alternative; boundary="part2"

--part2
Content-type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Myzli!

--part2
Content-type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

(message body)

--part2--

--part1
Content-type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xx.scr"
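The check a mail gateway would run on a message of this shape, written here as an added example (not code from the original page or from any vendor): it decodes the RFC 2047 subject, walks the nested multipart structure and flags the attachment. The sample message is constructed to follow the template above; the top-level multipart/mixed header, the From/To addresses and the base64 body (a harmless DOS-header stub, not the worm) are assumptions.

```python
"""Gateway-side attachment check for a message shaped like Ganda's template.
The sample message below is constructed for this example."""
import email
import re
from email.header import decode_header, make_header

# Constructed sample.  The multipart/mixed top-level header and the addresses
# are assumptions; the template on the page starts at the --part1 boundary.
RAW_MESSAGE = (
    "From: someone@example.invalid\r\n"
    "To: lawyer@example.invalid\r\n"
    "Subject: =?iso-8859-1?Q?Olaglig_sk=E4rmsl=E4ckare=3F?=\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="part1"\r\n'
    "\r\n"
    "--part1\r\n"
    'Content-Type: multipart/alternative; boundary="part2"\r\n'
    "\r\n"
    "--part2\r\n"
    'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Hej!\r\n"
    "Min son visade mig denna sk=E4rmsl=E4ckare.\r\n"
    "\r\n"
    "--part2\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<p>Hej!</p>\r\n"
    "\r\n"
    "--part2--\r\n"
    "\r\n"
    "--part1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="qz.scr"\r\n'
    "\r\n"
    # 45 bytes of a plain DOS header stub ("MZ" + padding), not executable code.
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "\r\n"
    "--part1--\r\n"
)

# Ganda names its attachment with two random letters a-z plus ".scr".
GANDA_NAME = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)
BLOCKED_EXT = (".scr", ".exe", ".pif", ".com", ".bat")


def decode_subject(raw):
    """Decode the RFC 2047 encoded Subject header to a plain string."""
    msg = email.message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def attachment_findings(raw):
    """Walk every leaf part that carries a filename and list why it is suspect."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if GANDA_NAME.match(name):
            reasons.append("two-letter .scr name (Ganda pattern)")
        if name.lower().endswith(BLOCKED_EXT):
            reasons.append("executable extension")
        if payload[:2] == b"MZ":          # survives a renamed attachment
            reasons.append("MZ header in attachment body")
        findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def classify(raw):
    """Gateway verdict: block if any attachment matched a rule."""
    return "block" if any(f["reasons"] for f in attachment_findings(raw)) else "allow"


if __name__ == "__main__":
    print(decode_subject(RAW_MESSAGE))
    for f in attachment_findings(RAW_MESSAGE):
        print(f)
    print(classify(RAW_MESSAGE))
```

The two-letter name pattern alone is a weak signal, so the check also flags any executable extension and looks for an MZ header inside the decoded payload; that last rule is the one that still fires when the attachment is renamed.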
A title and a message body are selected from the following variants in English and in Swedish. The language chosen depends on the computer's language settings.

Swedish message variants (Swedish text decoded from quoted-printable, English translation in brackets):

Variant 1
Title: Olaglig skärmsläckare? [Illegal screensaver?]
Message body:
Hej! Min son visade mig denna skärmsläckare som jag misstänker kan bryta mot lagen om hets mot folkgrupp. Eftersom du är verksam som jurist, så vore jag tacksam för en fackmans syn på saken. Tack på förhand.
[Hi! My son showed me this screensaver, which I suspect may violate the law against incitement against ethnic groups. Since you work as a lawyer, I would be grateful for a professional's view on the matter. Thanks in advance.]

Variant 2
Title: Rashets eller inte? [Racial incitement or not?]
Message body:
Hejsan! Min datalärare gjorde mig uppmärksam på att denna skärmsläckare möjligen kan tänkas vara ett verk av rasister. Nu vet jag varken ut eller in, eftersom jag hade tänkt använda den på min skoldator. Bör jag att fortsätta att använda den? Svara helst snarast. Tack på förhand.
[Hello! My computer teacher pointed out to me that this screensaver could possibly be the work of racists. Now I don't know what to do, since I had intended to use it on my school computer. Should I keep using it? Please reply as soon as possible. Thanks in advance.]

Variant 3
Title: Hakkors. [Swastika.]
Message body:
Hej! Min klassföreståndare gick i taket när hon fick se skärmsläckaren som jag har använt under två terminer. Hon anklagade mig för antisemitism eftersom den ibland visar ett hakkors. Tycker du att jag bör acceptera detta från henne? Vore tacksam för ett utlåtande från dig. Svara helst så snart det går.
[Hi! My class teacher hit the roof when she saw the screensaver I have been using for two terms. She accused me of antisemitism because it sometimes shows a swastika. Do you think I should accept this from her? I would be grateful for a statement from you. Please reply as soon as you can.]

Variant 4
Title: Suspekta semaforer. [Suspicious semaphores.]
Message body:
Hejsan! I skolan hittade jag en CD skiva som innehöll bl.a denna skärmsläckare. En lärare som råkade kasta ett öga på den avfärdade dess innehåll som ren rasistisk propaganda. Själv tycker jag inte att det är något att orda om. Vore tacksam för din uppfattning. Tack på förhand.
[Hello! At school I found a CD that contained, among other things, this screensaver. A teacher who happened to glance at it dismissed its content as pure racist propaganda. I myself don't think it is anything to make a fuss about. I would be grateful for your opinion. Thanks in advance.]

Variant 5
Title: Avskyvärd reklam. [Abhorrent advertising.]
Message body:
Hej! Min minderårige son fick denna skärmsläckare på en CD skiva via ett massutskick av reklam. Jag upprörs över det sätt på vilket rasistiska och nazistiska propagandister tillåts förmedla sin avskyvärda ideologi till barn. Jag överväger nu att polisanmäla detta tilltag så snart du, i egenskap av juridisk fackman, delgett mig din åsikt. Tack på förhand.
[Hi! My underage son received this screensaver on a CD through a mass advertising mailing. I am outraged at the way racist and Nazi propagandists are allowed to convey their abhorrent ideology to children. I am now considering reporting this to the police as soon as you, as a legal professional, have given me your opinion. Thanks in advance.]

Variant 6
Title: Överviktiga förnedras. [Overweight people are humiliated.]
Message body:
Hejsan! Jag överväger att polisanmäla denna skärmsläckare. Jag anser att den har en nedlåtande attityd gentemot överviktiga personer. Jag skulle bli ytterst tacksam om du kunde bidra med din syn på saken. Tack på förhand.
[Hello! I am considering reporting this screensaver to the police. I think it has a condescending attitude toward overweight people. I would be extremely grateful if you could contribute your view on the matter. Thanks in advance.]

Variant 7
Title: Go ack ack ackall.
Message body:
Hej igen! Den här skärmsläckaren verkar vara en amerikansk parodi på något som svenskarna gör på midsommar. Skratta inte ihjäl dig bara. :-)
[Hi again! This screensaver seems to be an American parody of something Swedes do at midsummer. Just don't laugh yourself to death. :-)]

Variant 8
Title: Är USA ett UFO? [Is the USA a UFO?]
Message body:
Hej igen! Här är skärmsläckare nummer 4. Kolla in den och tala sedan om för mig att George W Bush INTE är en rymdvarelse. ;-)
[Hi again! Here is screensaver number 4. Check it out and then tell me that George W Bush is NOT an alien. ;-)]

Variant 9
Title: Korkad president. [Stupid president.]
Message body:
Hej igen! Här är skärmsläckaren som jag snackade om. George W Bush verkar inte vara allför bright om man ska tro brittiska komiker. :-)
[Hi again! Here is the screensaver I was talking about. George W Bush does not seem all that bright, if British comedians are to be believed. :-)]

Variant 10
Title: Katt, hund, kanin. [Cat, dog, rabbit.]
Message body:
Hej igen! Om du gillar djur så måste denna skärmsläckare vara nå't för dig. Mjau, Voff, Arf Arf.... ;-)
[Hi again! If you like animals this screensaver must be something for you. Meow, Woof, Arf Arf.... ;-)]
English message variants (reproduced as the worm sends them, including the misspellings; quoted-printable soft line breaks removed):

Variant 1
Title: Screensaver advice.
Message body:
Do you think this screensaver could be considered illegal? Would appreciate if you or any one of your friends could check it out and answer as soon as humanly possible. Thanx !

Variant 2
Title: Spy pics.
Message body:
Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!

Variant 3
Title: GO USA !!!!
Message body:
This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!

Variant 4
Title: G.W Bush animation.
Message body:
Here's the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!

Variant 5
Title: Is USA a UFO?
Message body:
Have a look at this screensaver, and then tell me that George.W Bush is not an alien. ;-)

Variant 6
Title: Is USA always number one?
Message body:
Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.

Variant 7
Title: LINUX.
Message body:
Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it.

Variant 8
Title: Nazi propaganda?
Message body:
This screensaver has been banned in Germany. It contains a number of animated symbols that can be related to the nazi culture. What do you think, is it a legitimate ban or not? Please answer asap. Thanx!

Variant 9
Title: Catlover.
Message body:
If you like cats you'll love this screensaver. It's four animated kittens running around on the screen. Contact me for more clipart. Have fun! ;-)

Variant 10
Title: Disgusting propaganda.
Message body:
Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you.
The attachment name follows the pattern xx.scr, where "xx" is two random letters from 'a' to 'z'. The worm activates only if the user runs the attached file. It then installs itself in the system and runs its spreading routine and payload.

Installing
While installing, the worm copies itself to the Windows directory under the name SCANDISK.exe and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanDisk = SCANDISK.exe
The worm also copies itself to the Windows directory under a random name (8 letters from 'a' to 'z' plus ".exe").

Spreading
To send infected messages the worm talks to an SMTP server directly. It reads the WAB (Windows Address Book) database and files matching the masks "*.eml", "*.*htm*" and "*.dbx", and harvests e-mail addresses from them.

The worm inserts its component into Win32 PE EXE files. It searches the local disks for .EXE and .SCR files and looks inside them for specific instruction sequences; where they are found, it writes its component into the last section of the PE file and patches in a JMP to that code. The inserted component executes the main worm body from the Windows directory. The component code contains the following strings (the last one is an example of the random 8-letter file name):
KERNEL32.DLL
CreateProcessA
GlobalAlloc
GetWindowsDirectoryA
SetCurrentDirectoryA
CreateProcessA
hvjxlzna.EXE
The Ganda worm defends itself against anti-virus programs. It terminates running processes whose code contains any of the following text strings:
virus firewall f-secure symantec mcafee pc-cillin trend micro kaspersky sophos norton

Ganda scans the files referenced from the registry tree:
HKLM\System\CurrentControlSet\Services\VxD
and deletes the entries of those that contain anti-virus strings. It also scans the files pointed to by the registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Any file found to contain anti-virus strings has a RET instruction written over its entry point, so the program exits immediately when started.

Payloads
Each time it infects a machine the worm sends one e-mail message with the following characteristics:
From:
skrattahaha@hotmail.com
To:
red@fna.se
debatt@svt.se
susanne.sjostedt@tidningen.to
skolverket@skolverket.se
mary.martensson@aftonbladet.se
katarina.sternudd@aftonbladet.se
cecilia.gustavsson@aftonbladet.se
jessica.ritzen@aftonbladet.se
margareta.cronquist@tidningen.to
annika.sohlander@aftonbladet.se
kerstin.danielson@aftonbladet.se
insandare@tidningen.to
insandare@aftonbladet.se
Subject: DISKRIMINERAD !!!! [DISCRIMINATED !!!!]
The message body is written in Swedish.
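The two patches described above (a JMP at the entry point into code appended to the last section, and a RET written over the entry point of anti-virus executables) both leave a mark a triage script can read from the PE headers. The following is an added example, not code from the original page or any vendor: it parses the DOS header, COFF header, optional header and section table, locates the entry point and reports either pattern. The PE images it examines are constructed in memory with a minimal builder so the script runs offline; the section names and opcode bytes are assumptions chosen for the demonstration.

```python
"""Entry-point triage for Win32 PE files (added example; sample images are
constructed below, nothing is read from disk)."""
import struct

FILE_ALIGN = 0x200


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 image: DOS stub, PE signature, COFF header,
    224-byte optional header, section table.  sections = [(name, va, bytes)]."""
    nsec, opt_size = len(sections), 0xE0
    hdr_end = _align(0x40 + 4 + 20 + opt_size + 40 * nsec, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)             # FileAlignment
    table, body, raw_ptr = b"", b"", hdr_end
    for name, va, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), va, raw_size, raw_ptr, 0, 0, 0, 0,
                             0x60000020)                    # code, exec, read
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head.ljust(hdr_end, b"\0") + body


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va,
                         "size": max(vsize, raw_size), "raw_ptr": raw_ptr})
    return entry, sections


def section_of(sections, rva):
    for i, s in enumerate(sections):
        if s["va"] <= rva < s["va"] + s["size"]:
            return i
    return None


def triage_pe(data):
    """Report a RET at the entry point, or an entry JMP into the last section."""
    entry, sections = parse_sections(data)
    ep_idx = section_of(sections, entry)
    result = {"entry_rva": entry, "verdicts": [],
              "entry_section": sections[ep_idx]["name"] if ep_idx is not None else None}
    if ep_idx is None:
        result["verdicts"].append("entry point outside every section")
        return result
    off = sections[ep_idx]["raw_ptr"] + (entry - sections[ep_idx]["va"])
    opcode = data[off]
    result["entry_byte"] = opcode
    if opcode == 0xC3:                                      # RET
        result["verdicts"].append("RET at entry point (program neutralised)")
    if opcode == 0xE9:                                      # JMP rel32
        target = entry + 5 + struct.unpack_from("<i", data, off + 1)[0]
        t_idx = section_of(sections, target)
        result["jmp_target_section"] = sections[t_idx]["name"] if t_idx is not None else None
        if t_idx == len(sections) - 1 and ep_idx != t_idx:
            result["verdicts"].append("entry JMP into last section (appended code)")
    return result


def demo_images():
    """Three constructed images: clean, Ganda-style appended code, RET-patched."""
    text = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    data_sec = b"\x00" * 16
    clean = build_pe(0x1000, [(".text", 0x1000, text), (".data", 0x2000, data_sec)])
    appended = data_sec + b"\x90" * 8        # stand-in for the appended component
    rel = (0x2000 + len(data_sec)) - (0x1000 + 5)
    patched = b"\xE9" + struct.pack("<i", rel) + text[5:]
    infected = build_pe(0x1000, [(".text", 0x1000, patched), (".data", 0x2000, appended)])
    neutralised = build_pe(0x1000, [(".text", 0x1000, b"\xC3" + text[1:]), (".data", 0x2000, data_sec)])
    return clean, infected, neutralised


if __name__ == "__main__":
    for label, img in zip(("clean", "infected", "neutralised"), demo_images()):
        print(label, triage_pe(img))
```

Real infected files need the same two lookups (which section the entry point lives in, and where an entry-point JMP lands) plus a check that the last section is writable and was not part of the original link; the builder here is only there to give the parser something to read.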
I-Worm.Gibe.a
Description I-Worm.Gibe.a
Gibe is a multi-component Internet worm spreading via the Internet as an email attachment. The worm itself is a Windows PE EXE file about 123 KB in size, written in Visual Basic.

[Screenshot of Gibe's email text not reproduced]

Infected messages have forged "From" and "To" fields:
From: "Microsoft Corporation Security Center"
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To:
Attach: q216309.exe

The message body (the first part of which appears in the screenshot above) is made to look like an official Microsoft letter; DayMonthYear stands for the date, for example "9 Mar 2002". The text is reproduced as the worm sends it:

Microsoft Customer,

this is the latest version of security update, the "DayMonthYear Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.

Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.

System requirements: Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation. Windows and Outlook are trademarks of Microsoft Corporation.

The Gibe worm activates only if the user runs the attached file. Doing so causes Gibe to install itself into the system and run its spreading routine and payload.
Installing - Messages
When the user runs the infected file the worm first checks whether the system is already infected by looking for its marker key in the registry:
HKLM\Software\AVTech\Settings
Installed = all by Begbie
The presence of this key means the system is already infected. In that case the worm displays a message box (shown as a screenshot on the original page) and exits.
On a system not yet infected, the worm displays a fake prompt (also shown as a screenshot on the original page).
Regardless of the user's reply the worm starts its installation. After a "No" response the installation is hidden; after a "Yes" response the worm displays fake installation progress messages.
If the "Cancel" button is pressed during installation the worm displays further fake messages that lead the user to believe the process has been halted; Gibe continues infecting the system anyway.

Installing - Components
While installing its files Gibe copies itself into the Windows directory under the names q216309.exe and vtnmsccd.dll, and into the Windows system directory as vtnmsccd.dll. Three more executable components are dropped into the Windows directory and run:
BcTool.exe
WinNetw.exe
GfxAcc.exe
Two of these files (BcTool.exe and GfxAcc.exe) are registered in the registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LoadDBackUp = %WindowsDir%\BcTool.exe
3Dfx Acc = %WindowsDir%\GfxAcc.exe
These components search for victim e-mail addresses and send infected messages to them.

Spreading
Gibe uses MS Outlook to send out infected messages. To collect victim addresses it opens and reads the MS Outlook address book. The worm also looks for e-mail addresses in files on the system with the following extensions: *.htm, *.html, *.asp and *.php.
Gibe is also programmed to use two Internet people-search services to obtain victim addresses. It queries them with random search strings and then scans the returned results. The two services it uses are:
http://email.people.yahoo.com
http://www.switchboard.com