Win32/Gansip [Threat Name] go to Threat

Win32/Gansip.A [Threat Variant Name]

Category worm
Size 188416 B
Detection created Mar 30, 2010
Detection database version 4986
Aliases Virus.Win32.VB.mb (Kaspersky)
  W32.SillyFDC (Symantec)
  Worm:Win32/Gansip.A (Microsoft)
Short description

Win32/Gansip.A is a worm that spreads via removable media. The file is run-time compressed using UPX .

Installation

When executed, the worm creates the following files:

  • c:\­Info.Txt
  • c:\­infodoc.txt
  • c:\­Info Pisang Bakar.Txt (972 B)
  • c:\­Pisang Bakar.Exe (188416 B)
  • %system%\­SVGHOST.EXE (188416 B)
  • %windir%\­control32.ini (188416 B)
  • %windir%\­Winsetup.bat

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "systray32" = "%system%\­SVGHOST.EXE"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "%variable% C:\­WINDOWS\­system32\­SVGHOST.EXE"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "LOAD" = "%windir%\­Winsetup.bat"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "build" = "%infectiondate%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "HideFileExt" = 1
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­scanvirus.exe]
    • "debugger" = "%windir%\­notepad.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Antivirus.exe]
    • "debugger" = "%windir%\­notepad.exe"
  • [HKEY_CLASSES_ROOT\­exefile]
    • "(Default)" = "Winamp Media File"

A string with variable content is used instead of %variable%, %infectiondate% .

Spreading

The worm copies itself into existing folders of removable drives.


The worm creates the following folders:

  • %drive%\­Lagu baru

The following files may be dropped in the same folder:

  • Lucky Dube-West Papua.Exe (188416 B)
  • New Oyaba-Sweat Love.Exe (188416 B)
  • Slank-Hamadi Beach.Exe (188416 B)
  • Iwan Fals New-Manusia Setengah Jadi.Exe (188416 B)
  • Once-Dendam Vs Cinta.Exe (188416 B)
  • Marley-Bird Of Paradise.Exe (188416 B)
  • Iwan Fals-Live Concert in Jayapura.Exe (188416 B)

The worm searches local drives for files with the following file extensions:

  • .mp3

When the worm finds a file matching the search criteria, it creates a new copy of itself.


The name of the new file is based on the name of the file found in the search. The extension of the file is ".exe" .

Other information

The worm may create the following files in the C:\ folder:

  • Pisang Bakar.Jpg (2359350 B)

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Computer Management
  • Deep Freeze 2000XP
  • Folder Options
  • I*n*d*o*prog v_i_rus s*c*a*n*ner
  • Process Explorer - Sysinternals: www.sysinternals.com
  • Registry Editor
  • System Configuration Utility
  • TuneUp Registry Editor
  • User Accounts
  • Windows Task Manager

Win32/Gansip.A is a worm that overwrites the content of certain files with its own data.


The worm searches local drives for files with the following file extensions:

  • .ocx
  • .doc
  • .rtf

When the worm finds a file matching the search criteria, it overwrites its content with the following text:

Info Pisang Bakar Sory kalu bikin kamu penasaran or marah-marah Virus juga bukan, bukan juga virus Virus ka... jangan ni..????? Me : Bukan..!, You : Virus....!, Me: Bukan...!, You : Virus....! But.. I like that ! he...he... terserah apa katamu! Ok... untuk teman-temanku: yang suka mandi di Kali Panta Kapal... Sio... kapan lagi ah.... curi pisang di orang pu kebun, trus bakar, makan deng kelapa bakar... yang pasti you are my best friend: Dharlin, Pa'Saf, Indra, Joko (Alm) and Alsor (Alm), dll terakhir buat yang merasa.... ce ile... maksudnya yang merasa... Ganaaas skali.... de pu komputer ada pesan ini! untuk kamu sory.... banget! tapi kamu harus tahu, bahwa virus ini mudah dihapus, karna Folder Option, Search, Run, dll sengaja tidak disembunyikan. jadi jika anda berhasil menghapus virus ini, registry anda akan tetap normal cara hilangkan virus buka di : www.pisangbakar.en.ak PISANG BAKAR 1.0 Teminabuan Sept'07

Please enable Javascript to ensure correct displaying of this content and refresh this page.