Virus Profile: W32/Ganda@MM

Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 3/17/2003
Date Added: 3/17/2003
Origin: Sweden
Length: 45,056 bytes
(+567 bytes infected PE files)
Type: Virus
Subtype: E-mail
DAT Required: 4253


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • 45,056 byte file named SCANDISK.EXE in %WinDir%.
  • Identical 45,056 byte file randomly named (########.EXE) in %WinDir%.
  • Existence of the following Registry keys:

Methods of Infection

The worm contains its own SMTP engine and constructs messages using both English and Swedish languages. It mails itself to email addresses harvested from files on the victim machine, and those listed in the Windows Address Book. These email addresses are also used to spoof the From: address.

When executed, the worm copies itself into %WinDir% as SCANDISK.EXE and ########.EXE (8 random characters). The following Registry key is added to hook system startup:

"ScanDisk" = C:\WINNT\SCANDISK.exe

The filename of the randomly named copy of the worm is subsequently used in the parasitic infection process (see Parasitic Infection), where ExitProc() calls result in execution of this file.
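A host triage sketch for the file indicators above, added here as an example and not taken from the vendor profile: it looks for a 45,056-byte SCANDISK.EXE with a byte-identical 8-character-named twin, and for files that grew by exactly 567 bytes against a known-good size baseline. The function names, the baseline dictionary and the demo file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

DROPPED_SIZE = 45_056     # size of the worm's dropped copies (from the profile)
INFECTION_GROWTH = 567    # bytes added to each infected PE file (from the profile)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_dropped_copies(windir):
    """Return (scandisk_name, twins): a 45,056-byte SCANDISK.EXE in windir and
    the byte-identical .EXE files with 8-character names next to it."""
    exes = [p for p in Path(windir).iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"
            and p.stat().st_size == DROPPED_SIZE]
    scandisk = next((p for p in exes if p.name.upper() == "SCANDISK.EXE"), None)
    if scandisk is None:
        return None, []
    digest = sha256(scandisk)
    twins = sorted(p.name for p in exes if p != scandisk
                   and len(p.stem) == 8 and sha256(p) == digest)
    return scandisk.name, twins

def grown_by_stub(baseline_sizes, root):
    """baseline_sizes maps relative path -> known-good size (hypothetical
    inventory); return files under root now exactly 567 bytes larger."""
    return sorted(rel for rel, size in baseline_sizes.items()
                  if (Path(root) / rel).is_file()
                  and (Path(root) / rel).stat().st_size == size + INFECTION_GROWTH)

def demo():
    """Run both checks on a constructed directory of harmless filler files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        body = b"\x00" * DROPPED_SIZE
        (root / "SCANDISK.EXE").write_bytes(body)
        (root / "QXJKPLMZ.EXE").write_bytes(body)                     # identical twin
        (root / "NOTEPAD1.EXE").write_bytes(b"\x01" * DROPPED_SIZE)   # same size only
        (root / "CALC.EXE").write_bytes(b"\x02" * (1000 + INFECTION_GROWTH))
        return (find_dropped_copies(root),
                grown_by_stub({"CALC.EXE": 1000, "SCANDISK.EXE": DROPPED_SIZE}, root))

if __name__ == "__main__":
    print(demo())
```

A 567-byte growth is only a triage hint; confirm any hit with the engine and DAT files the profile specifies.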


Aliases

Myzli, PE_GANDA.A (Trend), SwedenSux, W32/Ganda

Virus Characteristics

This mass-mailing worm sends itself to email addresses harvested from the Windows Address Book and files on the victim machine. The worm kills certain processes running on the victim machine.

The worm also parasitically infects PE files on the Windows machine. Infected files will increase in size by 567 bytes. The files do not replicate themselves - the infection serves only to relaunch the worm. Files infected in this manner are detected as W32/Ganda by the specified engine/DATs.


The worm contains its own SMTP engine and sends itself via the default SMTP server specified in the Internet Account Manager, or a hard-coded Swedish SMTP server. The From: address in sent email is spoofed (using a harvested email address). Interestingly, both English and Swedish languages are used in constructing the email messages.

Outgoing messages may contain an old Internet Explorer vulnerability (IFRAME) in order to run the worm when the recipient previews the email (on unpatched systems). See Microsoft Security Bulletin (MS01-020) for more information and a patch concerning this exploit.

The worm harvests target email addresses from the Windows Address Book and files on the victim machine. One of these email addresses is also used to spoof the From: address.

Outgoing messages are constructed with various subject lines. Various message bodies are also used - chosen according to the subject. For example:


  • Is USA always number one?
  • LINUX.
  • GO USA !!!!
  • Nazi propaganda?
  • Disgusting propaganda.
  • Spy pics
  • Screensaver advice
  • Catlover.
  • G.W Bush animation.
  • Is USA a UFO?

Strings within the worm suggest the following Swedish subject lines may also be used:

  • Olaglig_skärmsläckare?
  • Hakkors.
  • Rashets eller inte?
  • Suspekta semaforer.
  • Avskyvärd_reklam.
  • Överviktiga_förnedras.
  • Go ack ack ack....
  • Är_USA_ett_UFO?
  • Korkad president.
  • Katt, hund, kanin.


The attachment name was observed to be ##.SCR in testing (where ## are two random characters, e.g. QU.SCR).
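A mail-gateway check built from the traits described above (listed subject lines, a two-character .SCR attachment, an IFRAME in the HTML body), added here as an example rather than vendor code. The function names, the alphanumeric character class for "##" and the sample message are assumptions; the sample is constructed and carries only placeholder bytes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines listed in the profile, normalised ("_" -> " ", case-folded).
SUBJECTS = {s.replace("_", " ").casefold() for s in (
    "Is USA always number one?", "LINUX.", "GO USA !!!!", "Nazi propaganda?",
    "Disgusting propaganda.", "Spy pics", "Screensaver advice", "Catlover.",
    "G.W Bush animation.", "Is USA a UFO?", "Olaglig_skärmsläckare?", "Hakkors.",
    "Rashets eller inte?", "Suspekta semaforer.", "Avskyvärd_reklam.",
    "Överviktiga_förnedras.", "Go ack ack ack....", "Är_USA_ett_UFO?",
    "Korkad president.", "Katt, hund, kanin.")}
# "##.SCR": two characters plus .SCR; the alphanumeric class is an assumption.
ATTACHMENT = re.compile(r"[A-Za-z0-9]{2}\.scr", re.IGNORECASE)

def ganda_indicators(raw):
    """Return the sorted list of profile indicators present in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    subject = " ".join(str(msg["Subject"] or "").replace("_", " ").split())
    if subject.casefold() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():  # walk every MIME part, inline or attached
        if ATTACHMENT.fullmatch(part.get_filename() or ""):
            hits.add("attachment")
        body = part.get_payload(decode=True) or b""  # None for multipart parts
        if part.get_content_type() == "text/html" and b"<iframe" in body.lower():
            hits.add("iframe")
    return sorted(hits)

def constructed_sample(subject="Spy pics", filename="QU.SCR"):
    """Build a harmless constructed message with the profile's traits."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attachment")
    m.add_alternative('<html><iframe src="cid:x"></iframe></html>', subtype="html")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(ganda_indicators(constructed_sample()))
```

An IFRAME on its own is common in legitimate HTML mail, so quarantine decisions should rest on the combination of hits, not on a single one.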


The worm also sends out an email (in Swedish) to a specific list of email addresses hard-coded in the worm (the recipients are all Swedish media related, for example press & television). This email has the following characteristics:


The message body is written in Swedish, and its contents suggest the author felt they were badly treated in the past (as also supported by strings within the worm, listed below).

Parasitic Infection

The worm also attempts to infect PE files on the victim machine in order to re-execute a dropped copy of the worm. Files increase in size by 567 bytes upon infection. Infected files do not replicate themselves.

It achieves this by replacing ExitProc() calls in the original files with a jump to a short stub which is added to the end of file. Such files are detected (and cleaned) as W32/Ganda by the specified engine/DATs.

The worm contains the following strings:

[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03.
I am being discriminated by the swedish schoolsystem.
This is a response to eight long years of discrimination
I support animal-liberators worldwide

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

