This mass-mailing worm sends itself to email addresses harvested from the Windows Address Book and files on the victim machine. The worm kills certain processes running on the victim machine.
The worm also parasitically infects PE files on the Windows machine. Infected files increase in size by 567 bytes. The infected files do not replicate themselves; the infection serves only to relaunch the worm. Files infected in this manner are detected as W32/Ganda by the specified engine/DATs.
The worm contains its own SMTP engine and sends itself via the default SMTP server specified in the Internet Account Manager, or a hard-coded Swedish SMTP server. The From: address in sent email is spoofed (using a harvested email address). Interestingly, both English and Swedish languages are used in constructing the email messages.
Outgoing messages may exploit an old Internet Explorer vulnerability (IFRAME) so that the worm runs when the recipient previews the email on unpatched systems. See Microsoft Security Bulletin MS01-020 for more information and a patch for this vulnerability.
The worm harvests target email addresses from the Windows Address Book and files on the victim machine. One of these email addresses is also used to spoof the From: address.
Outgoing messages are constructed with various subject lines. Various message bodies are also used - chosen according to the subject. For example:
- Is USA always number one?
- GO USA !!!!
- Nazi propaganda?
- Disgusting propaganda.
- Spy pics
- Screensaver advice
- G.W Bush animation.
- Is USA a UFO?
Strings within the worm suggest the following Swedish subject lines may also be used:
- Rashets eller inte?
- Suspekta semaforer.
- Avskyvärd reklam.
- Go ack ack ack....
- Korkad president.
- Katt, hund, kanin.
The attachment name was observed to be ##.SCR in testing (where ## are two random characters, eg. QU.SCR).
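The message characteristics above (a subject line from a fixed list, an HTML body carrying an IFRAME, and a two-character .SCR attachment) are the kind of thing a mail gateway can check for before delivery. The following is an added example written for this description, not code from the original or from any vendor engine: it parses a raw message with Python's standard email module and reports which of those traits are present. The sample message is constructed for the demo; the decision threshold (two or more traits) is an assumption, and the subject list is exactly the one given above.

```python
import email
import re
from email import policy

# Subject lines named in the description (English and Swedish).
KNOWN_SUBJECTS = {
    "Is USA always number one?", "GO USA !!!!", "Nazi propaganda?",
    "Disgusting propaganda.", "Spy pics", "Screensaver advice",
    "G.W Bush animation.", "Is USA a UFO?",
    "Rashets eller inte?", "Suspekta semaforer.", "Avskyvärd reklam.",
    "Go ack ack ack....", "Korkad president.", "Katt, hund, kanin.",
}
# Observed attachment pattern: two characters followed by .SCR (e.g. QU.SCR).
SCR_NAME_RE = re.compile(r"^..\.scr$", re.IGNORECASE)
# Any IFRAME in an HTML body is worth flagging in inbound mail.
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)

# Constructed sample message for the demo (not a captured worm email).
SAMPLE_MESSAGE = b"""From: harvested@example.invalid
To: recipient@example.invalid
Subject: Spy pics
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Look at these.<iframe src="cid:qu" width="0" height="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="QU.SCR"
Content-Disposition: attachment; filename="QU.SCR"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def inspect_message(raw):
    """Parse a raw RFC 822 message and list the W32/Ganda traits it exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).strip()
    if subject in KNOWN_SUBJECTS:
        findings.append("known-subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and SCR_NAME_RE.match(filename):
            findings.append("scr-attachment:" + filename)
        if part.get_content_type() == "text/html":
            if IFRAME_RE.search(part.get_content()):
                findings.append("html-iframe")
    # Assumed policy: two independent traits together are enough to quarantine.
    return {"subject": subject, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    print(inspect_message(SAMPLE_MESSAGE))
```

The subject check alone is weak (the list is small and easily changed), which is why the verdict requires a second trait such as an IFRAME in the HTML body or a screensaver attachment; blocking .SCR attachments outright at the gateway is a reasonable policy on its own.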
The worm also sends out an email (in Swedish) to a specific list of email addresses hard-coded in the worm; the recipients are all Swedish media contacts (press and television). This email has the following characteristics:
From:
The message body is written in Swedish, and its contents suggest the author felt they were badly treated in the past. (The strings found within the worm, listed below, support this.)
The worm also attempts to infect PE files on the victim machine in order to re-execute a dropped copy of the worm. Files increase in size by 567 bytes upon infection. Infected files do not replicate themselves.
It achieves this by replacing ExitProc() calls in the original files with a jump to a short stub appended to the end of the file. Such files are detected (and cleaned) as W32/Ganda by the specified engine/DATs.
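Because the stub is appended to the end of the file, an infected executable carries data past the end of its last section, and the description gives that growth as exactly 567 bytes. The following is an added example, not the engine's detection logic: it walks the PE section table with Python's struct module, measures the bytes beyond the last section's raw data (the overlay), and reports whether that length matches the growth stated above. The minimal PE image built by build_minimal_pe is constructed for the demo and is not a real program.

```python
import struct

GANDA_GROWTH = 567  # growth in bytes reported for files infected by W32/Ganda


def build_minimal_pe(section_raw_size=0x200, overlay=b""):
    """Construct a tiny, structurally valid PE32 image with one section (demo sample only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # Magic = PE32, rest zeroed
    raw_ptr = 0x200  # file offset of the section's raw data
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", section_raw_size, 0x1000,
                       section_raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + opt + sect
    image += b"\x00" * (raw_ptr - len(image)) + b"\xC3" * section_raw_size  # pad, then RET-filled .text
    return image + overlay


def pe_overlay_size(data):
    """Return the number of bytes after the end of the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size
    end_of_sections = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def assess(data):
    """Triage verdict: overlay length and whether it matches the reported W32/Ganda growth."""
    overlay = pe_overlay_size(data)
    return {"overlay_bytes": overlay, "matches_ganda_growth": overlay == GANDA_GROWTH}


if __name__ == "__main__":
    print(assess(build_minimal_pe()))
    print(assess(build_minimal_pe(overlay=b"\xCC" * GANDA_GROWTH)))
```

An overlay by itself is not evidence of infection: installers, self-extracting archives and Authenticode-signed binaries legitimately carry data past the last section, so this check is a triage filter for picking files to hand to a scanner with current DATs, not a replacement for the engine's signature, which also has to locate the redirected ExitProc() call in order to clean the file.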
The worm contains the following strings:
[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03.
I am being discriminated by the swedish schoolsystem.
This is a response to eight long years of discrimination
I support animal-liberators worldwide