is an Internet worm which uses the social ingeneering to force the users to run the infected mail attachment.It also tries to suspend several antiviral and security programs, such as personal firewalls, on infected computer. It modifies executable files (.exe and .scr extensions) by adding a routine for Ganda's launch from a separate file. It spreads through e-mail. A part of infected mails uses "IFRAME vulnerability" of MS Internet Explorer for launching its mail attachment without user intervention.
The worm creates the following files on infected computer:
In the registry, the worm creates inside the key
The worm is launched from the registry at every computer start. Except this, it might be launched from the modified executables, it adds a code for launchig itself from the files in the %WINDOWS% folder to the executable files. The size of modified files is increased of 567 bytes.
Note: %WINDOWS% is a folder where the Windows system is installed. It's usually "C:\Windows" on Windows 95, 98 or ME, or "C:\WinNT" on Windows NT, 2000 or XP. Those folder names are default, but user can decide for any other name at Windows system instalation.
The worm tries suspend running services named:
The worm spread through email to addresses it founds in the Windows Address Book or in the files with .dbx, .eml or .htm extensions. Infected mails are either english or swedish, depending on the system language of infected computer. Infected mail have the following features:
Subject line is either empty, or it's one of the following phrases (in the english version):
The attachment has size of 45056 bytes with random 2-letter name and scr extension.
The worm fakes sender address. It chooses message body randomly from 10 messages, either english and swedish.
Any avast! with VPS file dated on or after 17th March 2003 is able to detect this worm.Refer: Avast