March 18th, 2003 10:03 AM
#1
*Heads Up* Ganda & Oror
Hi Guys,
A couple more to check out..
Oror/Roro
Info Found Here:
Further info at the following
W32.HLLW.Oror.AI@mm is a variant of the W32.HLLW.Oror@mm mass-mailing worm. This worm attempts to spread using email, mIRC, KaZaA, network shares, and mapped drives. The email attachment arrives with a .exe or .scr file extension. W32.HLLW.Oror.AI@mm also attempts to terminate and remove various security products from the infected computer.
This threat is written in the C++ language. Some of the files are compressed with UPX.
Also Known As <http://securityresponse.symantec.com/avcenter/refa.html>: W32.HLLW.Oror.AD@mm, W32/Roro.AD@mm [F-Prot], I-Worm.Roron.gen [KAV]
Variants: W32.HLLW.Oror@mm, W32.HLLW.Oror.B@mm, W32.HLLW.Oror.C@mm
Type: Worm
Infection Length: 131,072, 54,784 [UPX]
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Ganda
Info Found Here
Further Info at the following
McAfee
Command
F-Secure
Sophos
W32.Ganda.A@mm is a mass-mailing worm that sends mail to the contacts obtained from the Windows Address Book. The worm contains its own SMTP engine and will attempt to use the infected user's default SMTP server, or an open mailserver in Sweden, for email propagation.
W32.Ganda.A@mm will send two email messages with the following characteristics, in Swedish or English, depending on the infected system's language:
Subject:
Swedish:
Olaglig_skärmsläckare?
Rashets eller inte?
Hakkors.
Suspekta semaforer.
Avskyvärd_reklam.
Överviktiga_förnedras.
Go ack ack ack....
Är_USA_ett_UFO?
Korkad president.
Katt, hund, kanin.
English:
Screensaver advice.
Spy pics.
GO USA !!!!
G.W Bush animation.
Is USA a UFO?
Is USA always number one?
LINUX.
Nazi propaganda?
Catlover.
Disgusting propaganda.
Attachment Filename: [a-z][a-z].scr
The worm also attempts to terminate the services containing the following strings:
virus
firewall
f-secure
symantec
mcafee
pc-cillin
trend micro
kaspersky
sophos
norton
Also Known As: W32/Ganda@MM [McAfee], Ganda [F-Secure], Win32/Ganda.A@mm [RAV], W32/Ganda.A@mm [Norman], Win32.Ganda.A [CA], W32/Ganda-A [Sophos]
Type: Worm
Infection Length: 45,056 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
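A mail-gateway style check for the Ganda indicators listed in the post (the subject lines and the `[a-z][a-z].scr` attachment name), added here as an example; it is not part of the original post or of the vendor write-up. The function name, the addresses and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Subject lines listed in the post (Swedish and English variants).
GANDA_SUBJECTS = {s.casefold() for s in (
    "Olaglig_skärmsläckare?", "Rashets eller inte?", "Hakkors.",
    "Suspekta semaforer.", "Avskyvärd_reklam.", "Överviktiga_förnedras.",
    "Go ack ack ack....", "Är_USA_ett_UFO?", "Korkad president.",
    "Katt, hund, kanin.", "Screensaver advice.", "Spy pics.", "GO USA !!!!",
    "G.W Bush animation.", "Is USA a UFO?", "Is USA always number one?",
    "LINUX.", "Nazi propaganda?", "Catlover.", "Disgusting propaganda.",
)}
# Attachment name pattern from the post: two lowercase letters plus ".scr".
GANDA_ATTACHMENT = re.compile(r"[a-z][a-z]\.scr")

def ganda_indicators(raw: bytes) -> list[str]:
    """Return which of the post's Ganda indicators a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so the Swedish subjects
    # match even when the header arrives as =?iso-8859-1?Q?...?=
    subject = str(msg["Subject"] or "").strip().casefold()
    if subject in GANDA_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # walk() also reaches nested MIME parts
        name = part.get_filename() or ""
        if GANDA_ATTACHMENT.fullmatch(name):
            hits.append(f"attachment:{name}")
    return hits

# Constructed sample message (not a captured one); addresses are placeholders.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: =?iso-8859-1?Q?Avskyv=E4rd=5Freklam.?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="xq.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(ganda_indicators(SAMPLE))
```

A subject match alone is weak evidence, since several of the listed subjects are ordinary phrases; the attachment name pattern combined with a subject hit is the stronger signal.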