Summary
| Detected by | All Sophos products |
|---|---|
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ScanDisk = <Windows>\scandisk.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Ganda-A is a worm which spreads by sending itself to email addresses collected from EML, HTM*, DBX and WAB files on your computer.
W32/Ganda-A creates two copies of itself in your Windows folder. One copy is named scandisk.exe; the other is an EXE file with a name consisting of eight randomly-chosen lower-case letters.
W32/Ganda-A sets the following registry entry so that it loads automatically every time your computer is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ScanDisk = <Windows>\scandisk.exe
Whilst sending emails, the worm makes an additional copy of itself in your Windows folder under the name tmpworm.exe.
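The auto-start entry and dropped files described above can be checked for with a small script. This is an added example, not Sophos code: it takes the Run-key values and the Windows-folder listing as plain Python data (constructed for the test rather than read from a live machine), and it treats eight-lowercase-letter EXE names only as weak candidates, because legitimate binaries such as explorer.exe match that pattern too.

```python
import re

# Artefacts described for W32/Ganda-A: the Run value name, the two fixed
# drop names, and the eight-random-lowercase-letter EXE name.
RUN_VALUE_NAME = "scandisk"
DROPPED_NAMES = {"scandisk.exe", "tmpworm.exe"}
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")


def check_run_key(run_values, windows_dir):
    """Return the name of the Run value matching the worm's auto-start entry, else None.

    run_values: dict of value name -> data, as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    windows_dir: the folder the page calls <Windows>, e.g. C:\\WINDOWS.
    """
    expected = windows_dir.rstrip("\\").lower() + "\\scandisk.exe"
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and data.strip('"').lower() == expected:
            return name
    return None


def suspicious_files(windows_dir_listing):
    """Split Windows-folder filenames into strong and weak W32/Ganda-A indicators.

    strong: the fixed drop names scandisk.exe / tmpworm.exe.
    weak:   any eight-lowercase-letter EXE; this also matches legitimate files
            (explorer.exe), so weak hits need confirmation by a scanner.
    """
    hits = {"strong": [], "weak": []}
    for fname in windows_dir_listing:
        low = fname.lower()
        if low in DROPPED_NAMES:
            hits["strong"].append(fname)
        elif RANDOM_EXE.match(low):
            hits["weak"].append(fname)
    return hits
```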
W32/Ganda-A scans through RAM, looking for applications which have any of the following text strings in memory: virus, firewall, f-secure, symantec, mcafee, pc-cillin, trend micro, kaspersky, sophos, norton. Processes containing any of the offending strings are terminated. Clearly, this is intended to kill off a range of popular security products. But it can cause collateral damage: for example, if you have a Word document open containing any of the above strings, the worm will shut down Word without giving you a chance to save any changes.
W32/Ganda-A infects EXE and SCR files on your hard disk by inserting a small loader program which tries to launch a copy of the worm from your Windows folder when you close the infected application. Files which are modified in this way rely on the original randomly-named worm file being present. If you delete the worm files from your Windows folder then you will immediately make any modified EXE files uninfectious.
W32/Ganda-A can send emails with several subject line and message text combinations, both in English and Swedish. It should be noted that the worm can "spoof" email addresses when it sends itself, so when you receive an infected email it is very difficult to ascertain who really sent it to you.
The English emails can have the following characteristics:
Subject line: Screensaver advice.
Message text: Do you think this screensaver could be considered illegal? Would appreciate if you or any one of your friends could check it out and answer as soon as humanly possible.
Subject line: Spy pics.
Message text: Here's the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it's missions over iraq. If you want more of these pic's you know where you can find me. Bye!
Subject line: GO USA !!!!
Message text: This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!
Subject line: G.W Bush animation.
Message text: Here's the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!
Subject line: Is USA a UFO?
Message text: Have a look at this screensaver, and then tell me that George.W Bush is not an alien. ;-)
Subject line: Is USA always number one?
Message text: Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.
Subject line: LINUX.
Message text: Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it.
Subject line: Nazi propaganda?
Message text: This screensaver has been banned in Germany. It contains a number of animated symbols that can be related to the nazi culture. What do you think, is it a legitimate ban or not? Please answer asap. Thanx!
Subject line: Catlover.
Message text: If you like cats you'll love this screensaver. It's four animated kittens running around on the screen. Contact me for more clipart. Have fun! ;-)
Subject line: Disgusting propaganda.
Message text: Hello! My 12 year old doughter received this screensaver on a CDROM that was sent to her through advertising. I find it disturbing that children are now being targets of nazi organizations. I would appreciate to hear from you on this matter, as soon as possible. Thank you.
In all of these cases the attached file has a random 2-character name and an SCR extension (e.g. oc.scr).
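The subject lines and attachment pattern listed above can be turned into a mail-gateway rule. This is an added example, not Sophos code: the messages are constructed with the standard-library email module for the test, and the rule assumes the two-character attachment name is made of letters (the page gives only oc.scr as an example).

```python
import re
from email.message import EmailMessage

# Subject lines of the English-language W32/Ganda-A emails, as listed on the page.
GANDA_SUBJECTS = {
    "screensaver advice.", "spy pics.", "go usa !!!!", "g.w bush animation.",
    "is usa a ufo?", "is usa always number one?", "linux.", "nazi propaganda?",
    "catlover.", "disgusting propaganda.",
}
# Two-character name with an SCR extension (assumed letters; the page shows oc.scr).
SCR_ATTACHMENT = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)


def classify_message(msg):
    """Return the list of W32/Ganda-A indicators that fire on an EmailMessage.

    An empty list means nothing matched. A subject hit alone is weak (the same
    words can occur in normal mail); a two-letter .scr attachment is stronger,
    and both together match the profile described on the page.
    """
    reasons = []
    subject = str(msg.get("Subject") or "").strip().lower()
    if subject in GANDA_SUBJECTS:
        reasons.append("subject matches a known W32/Ganda-A subject line")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SCR_ATTACHMENT.match(name):
            reasons.append(f"attachment {name!r} is a two-character .scr file")
    return reasons


def build_sample(subject, attachment_name):
    """Construct a sample message (not a real capture) for exercising the rule."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # the worm spoofs the sender, so From is not trusted
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Here's the screensaver i told you about.")
    if attachment_name:
        # Constructed placeholder bytes, not the worm; only the filename matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg
```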
The worm also creates entries in the following registry keys:
HKLM\Software\SS\Sent
HKLM\Software\SS\Sent2
W32/Ganda-A sends a rambling diatribe complaining about the Swedish education system to a small set of email addresses apparently belonging to Swedish journalists. These emails do not contain the worm as an attachment.
W32/Ganda-A contains the text:
[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination.
