W32.Ganda.A@mm is a mass-mailing worm that sends mail to the contacts obtained from the Windows Address Book. The worm contains its own SMTP engine and will attempt to use the infected user's default SMTP server, or an open mailserver in Sweden, for email propagation.
W32.Ganda.A@mm will send two email messages with the following characteristics, in Swedish or English, depending on the infected systems' language:
Subject:
Swedish:
Olaglig_skärmsläckare?
Rashets eller inte?
Hakkors.
Suspekta semaforer.
Avskyvärd_reklam.
Överviktiga_förnedras.
Go ack ack ack....
Är_USA_ett_UFO?
Korkad president.
Katt, hund, kanin.
English:
Screensaver advice.
Spy pics.
GO USA !!!!
G.W Bush animation.
Is USA a UFO?
Is USA always number one?
LINUX.
Nazi propaganda?
Catlover.
Disgusting propaganda.
Attachment Filename: [a-z][a-z].scr
The worm also attempts to terminate the services containing the following strings:
virus
firewall
f-secure
symantec
mcafee
pc-cillin
trend micro
kaspersky
sophos
norton
Also Known As <
http://securityresponse.symantec.com/avcenter/refa.html>: W32/Ganda@MM [McAfee], Ganda [F-Secure], Win32/Ganda.A@mm [RAV], W32/Ganda.A@mm [Norman], Win32.Ganda.A [CA], W32/Ganda-A [Sophos]
Type: Worm <
http://securityresponse.symantec.com/avcenter/refa.html>
Infection Length <
http://securityresponse.symantec.com/avcenter/refa.html>: 45,056 bytes
Systems Affected <
http://securityresponse.symantec.com/avcenter/refa.html>: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected <
http://securityresponse.symantec.com/avcenter/refa.html>: Windows 3.x, Macintosh, OS/2, UNIX, Linux