W32/Gunsan-A is a worm that spreads via email, on local drives and in local shares. It also has backdoor capabilities and allows unauthorized access to the user's computer via IRC.
When run, W32/Gunsan-A drops itself into the Windows system folder as explorer16.exe and sets the following registry entry so that this file is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Explorer = <system folder>\explorer16.exe
Under Windows 95/98/Me the worm runs as a service process.
If W32/Gunsan-A detects the ZoneAlarm personal firewall on the user's computer, it creates C:\noalarm.bat and adds a line to autoexec.bat that executes C:\noalarm.bat on startup; when the computer is restarted, this batch file deletes ZoneAlarm-related files.
W32/Gunsan-A blocks access to the following websites by modifying the <Windows folder>\Hosts file:
www.mcafee.com
www.mcaffee.com
www.norton.com
www.theregister.co.uk
www.zdnet.com
www.sophos.com
www.zonelabs.com
www.zonealarm.com
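As an added illustration (not part of the original description), the following Python function parses the text of a Hosts file and reports every entry that pins one of the vendor and news domains listed above to a fixed address. A clean Hosts file normally contains no entries for these names, so any hit is worth investigating. The sample Hosts content is constructed.

```python
import re

# Domains the description says W32/Gunsan-A blocks via the Hosts file.
GUNSAN_BLOCKED_DOMAINS = {
    "www.mcafee.com", "www.mcaffee.com", "www.norton.com",
    "www.theregister.co.uk", "www.zdnet.com", "www.sophos.com",
    "www.zonelabs.com", "www.zonealarm.com",
}


def find_hosts_tampering(hosts_text):
    """Return (line_no, address, hostname) for every Hosts entry that maps one of
    the domains above to a fixed address (whatever that address is)."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # address with no hostnames
            continue
        address, hostnames = parts[0], parts[1:]
        for name in hostnames:
            if name.lower() in GUNSAN_BLOCKED_DOMAINS:
                hits.append((line_no, address, name.lower()))
    return hits


# Constructed sample: a Hosts file as it might look after the worm has edited it.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.mcafee.com
127.0.0.1       www.sophos.com   www.zonealarm.com
192.168.1.10    fileserver       # legitimate local entry
"""

if __name__ == "__main__":
    for line_no, address, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
```

On a live Windows machine the file to read is <Windows folder>\system32\drivers\etc\hosts (or <Windows folder>\hosts on Windows 9x); the function only inspects text, so it can equally be run over a copy collected from an image.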
The worm opens a random TCP port (<5000) and listens on this port for web connections (the random port number is recorded in C:\skyliner.dat). After detecting an internet connection by connecting to www.microsoft.com, the worm retrieves the name of the SMTP server from the default mail account (or from the first account if the default account does not exist).
W32/Gunsan-A opens up a backdoor by connecting to one of the following IRC servers: irc.dal.net, typhoon.va.us.dal.net or liberty.nj.us.dal.net.
The worm then scans all local drives and network shares and does the following:
1. collects email addresses from DBX, MBX, IDX, HTM and HTML files;
2. adds IFRAME blocks to HTM/HTML files. These IFRAME blocks point to the random port opened on the local machine;
3. searches for files with a KIX extension. If any are found then the worm creates a copy of itself with a random name based on the computer name in the given folder and adds the line run "<random name>.exe" to the KIX file;
4. searches for files with the extension MP3, ISO, AVI or MPG. If any are found then the worm creates a copy of itself in the given folder using the same filename with the double extension .mp3.exe, .iso.exe, .avi.exe or .mpg.exe respectively;
5. searches for winrar.exe. If this file is found then the worm adds itself to RAR and ZIP archives;
6. deletes all files whose file path contains any of the following strings: mcafee, softice, numega, antivirus, anti-virus, win32dasm, sophos, catsclaw, claw95, lockdown, symantec, firewall, virusscan, virus-scan, fprot, f-prot, zone labs, atguard.
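The drive and share scan above leaves three file-system traces that can be searched for: copies with a media double extension, HTM/HTML files carrying an injected IFRAME that points at a port below 5000, and KIX scripts with an added run "<name>.exe" line. The following Python script, added here as an example and not part of the original description, walks a directory tree and reports all three; the sample tree it builds (file names, the 192.168.1.5 address and port 3127) is constructed.

```python
import os
import re
import tempfile

# Double extensions the worm uses when copying itself next to media files.
DOUBLE_EXTENSIONS = (".mp3.exe", ".iso.exe", ".avi.exe", ".mpg.exe")
# An IFRAME whose src names a host with an explicit port (checked against < 5000 below).
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?(?:https?://)?([^"\'\s>/:]+):(\d+)',
    re.IGNORECASE)
# A KiXtart script line of the form: run "<name>.exe"
KIX_RUN_RE = re.compile(r'^\s*run\s+"([^"]+\.exe)"', re.IGNORECASE | re.MULTILINE)


def scan_tree(root):
    """Walk root and return sorted (indicator, relative path, detail) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(DOUBLE_EXTENSIONS):
                findings.append(("double-extension", rel, ""))
                continue
            ext = os.path.splitext(lower)[1]
            if ext not in (".htm", ".html", ".kix"):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if ext == ".kix":
                for exe in KIX_RUN_RE.findall(text):
                    findings.append(("kix-run-line", rel, exe))
            else:
                for host, port in IFRAME_RE.findall(text):
                    if int(port) < 5000:   # the worm's listener is a random port below 5000
                        findings.append(("iframe-low-port", rel, f"{host}:{port}"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed tree that mimics the worm's traces (hypothetical names)."""
    samples = {
        "music/song.mp3": b"not really audio",
        "music/song.mp3.exe": b"MZ\x90\x00",
        "web/index.html": (b'<html><body><iframe src="http://192.168.1.5:3127/" '
                           b'width=0 height=0></iframe></body></html>'),
        "web/clean.html": b'<html><body><iframe src="https://example.com/"></iframe></body></html>',
        "scripts/login.kix": b'; login script\nrun "PCNAME1234.exe"\n',
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for indicator, rel, detail in demo():
        print(f"{indicator:18} {rel} {detail}")
```

Run scan_tree against a mounted drive or share root to triage a real system; a hit on the double extension or the KIX run line is a strong indicator, while the IFRAME check will also flag legitimate pages that embed a low-numbered port and should be reviewed by hand.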
W32/Gunsan-A sends itself as an attachment to email addresses collected during the scanning process. The worm sends 2 emails to every email address. The first email contains an IFRAME block referencing the server the worm opened up on the random port. This email has no attachment.
The second email contains the worm as an attachment and has the following characteristics:
Subject line: <a single space character>
Attached file: tast.exe
This second email makes use of 2 exploits to run the attachment automatically on unpatched versions of Microsoft Outlook and Outlook Express.
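Both emails described above can be triaged at the mail gateway from their headers and structure alone: the first carries an IFRAME pointing at a low-numbered port and no attachment, the second a blank subject and an attachment named tast.exe. The following Python function, added as an example and not part of the original description, classifies a raw RFC 822 message using the standard email module; the two sample messages (addresses, the 192.168.1.5 host and port 3127, and the attachment bytes) are constructed.

```python
import re
from email import message_from_string, policy

# An IFRAME src carrying an explicit port; ports below 5000 match the worm's listener.
IFRAME_PORT_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?(?:https?://)?[^"\'\s>/:]+:(\d+)',
    re.IGNORECASE)


def classify_message(raw):
    """Return a list of indicator strings; an empty list means nothing matched."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    subject = msg.get("Subject", "")
    # The worm's second email has a single-space subject. Header parsing strips
    # leading whitespace, so it arrives here as an empty string: flag blank subjects.
    if subject.strip() == "":
        reasons.append("blank-subject")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if "tast.exe" in names:
        reasons.append("attachment-tast.exe")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for port in IFRAME_PORT_RE.findall(part.get_content()):
                if int(port) < 5000:
                    reasons.append(f"iframe-low-port:{port}")
    return reasons


# Constructed sample: the first email (IFRAME, no attachment).
RAW_FIRST = (
    "From: someone@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: hi\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "\n"
    '<html><body><iframe src="http://192.168.1.5:3127/" width=0 height=0>'
    "</iframe></body></html>\n"
)

# Constructed sample: the second email (single-space subject, tast.exe attached).
RAW_SECOND = (
    "From: someone@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: " + " " + "\n"          # subject is a single space character
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\n'
    "\n"
    "--BOUND\n"
    "Content-Type: text/plain\n"
    "\n"
    "\n"
    "--BOUND\n"
    'Content-Type: application/octet-stream; name="tast.exe"\n'
    'Content-Disposition: attachment; filename="tast.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "TVqQAAMAAAAEAAAA//8AAA==\n"      # constructed placeholder bytes, not the worm
    "--BOUND--\n"
)

# Constructed sample: an ordinary message that should not match.
RAW_CLEAN = (
    "From: colleague@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: Meeting notes\n"
    "\n"
    "See you at 10.\n"
)

if __name__ == "__main__":
    for label, raw in (("first", RAW_FIRST), ("second", RAW_SECOND), ("clean", RAW_CLEAN)):
        print(label, classify_message(raw) or "no indicators")
```

The blank-subject test on its own is too broad to block on; combined with a tast.exe attachment or a low-port IFRAME it becomes a usable quarantine rule.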