Win32/Gansip [Threat Name]
Win32/Gansip.A [Threat Variant Name]
Category | worm
Size | 188416 B
Aliases | Virus.Win32.VB.mb (Kaspersky), W32.SillyFDC (Symantec), Worm:Win32/Gansip.A (Microsoft)
Short description
Win32/Gansip.A is a worm that spreads via removable media. The file is run-time compressed using UPX.
Installation
When executed, the worm creates the following files:
- c:\Info.Txt
- c:\infodoc.txt
- c:\Info Pisang Bakar.Txt (972 B)
- c:\Pisang Bakar.Exe (188416 B)
- %system%\SVGHOST.EXE (188416 B)
- %windir%\control32.ini (188416 B)
- %windir%\Winsetup.bat
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "systray32" = "%system%\SVGHOST.EXE"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "%variable% C:\WINDOWS\system32\SVGHOST.EXE"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
- "LOAD" = "%windir%\Winsetup.bat"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "build" = "%infectiondate%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideFileExt" = 1
- "ShowSuperHidden" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanvirus.exe]
- "debugger" = "%windir%\notepad.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Antivirus.exe]
- "debugger" = "%windir%\notepad.exe"
- [HKEY_CLASSES_ROOT\exefile]
- "(Default)" = "Winamp Media File"
%variable% and %infectiondate% stand for strings with variable content.
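To help a responder confirm the registry-side indicators listed above, here is an added triage helper (example code written for this page, not part of the original description or any vendor tool) that evaluates registry values, such as rows taken from a hive export, against those indicators. The sample rows are constructed, and %system% and %windir% are assumed to expand to C:\WINDOWS\system32 and C:\WINDOWS.

```python
IFEO = "\\image file execution options\\"  # lower-case fragment of the IFEO key path

# Constructed sample of (key, value_name, data) rows, shaped like a registry
# export from an infected host; %system%/%windir% expanded to C:\WINDOWS (assumed).
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "systray32",
     r"C:\WINDOWS\system32\SVGHOST.EXE"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"Explorer.exe C:\WINDOWS\system32\SVGHOST.EXE"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "LOAD",
     r"C:\WINDOWS\Winsetup.bat"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanvirus.exe",
     "debugger", r"C:\WINDOWS\notepad.exe"),
    (r"HKCR\exefile", "(Default)", "Winamp Media File"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
    # benign autorun row that must not be flagged
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]

def check_values(values):
    """Return (description, key, value_name) for every row matching an indicator."""
    findings = []
    for key, name, data in values:
        k, n, d = key.lower(), name.lower(), str(data).lower()
        if k.endswith("\\currentversion\\run") and d.endswith("\\svghost.exe"):
            findings.append(("Run entry launches SVGHOST.EXE", key, name))
        elif k.endswith("\\winlogon") and n == "shell" and d.strip() != "explorer.exe":
            # the stock value is just "explorer.exe"; extra tokens start another binary
            findings.append((f"Winlogon Shell altered: {data}", key, name))
        elif k.endswith("\\currentversion\\windows") and n == "load" and d:
            findings.append((f"Winlogon LOAD value set: {data}", key, name))
        elif IFEO in k and n == "debugger":
            # an IFEO 'debugger' value on a non-debugger image redirects that program
            target = key.rsplit("\\", 1)[-1]
            findings.append((f"IFEO debugger hijack for {target}", key, name))
        elif k.endswith("\\exefile") and n == "(default)" and d != "application":
            findings.append((f"exefile type description changed: {data}", key, name))
        elif k.endswith("\\explorer\\advanced") and (
            (n == "hidefileext" and data == 1) or (n == "showsuperhidden" and data == 0)
        ):
            findings.append(("Explorer set to hide extensions / super-hidden files", key, name))
    return findings

if __name__ == "__main__":
    for desc, key, name in check_values(SAMPLE_VALUES):
        print(f"[!] {desc}\n    {key} -> {name}")
```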
Spreading
The worm copies itself into existing folders of removable drives.
The worm creates the following folders:
- %drive%\Lagu baru
The following files may be dropped in the same folder:
- Lucky Dube-West Papua.Exe (188416 B)
- New Oyaba-Sweat Love.Exe (188416 B)
- Slank-Hamadi Beach.Exe (188416 B)
- Iwan Fals New-Manusia Setengah Jadi.Exe (188416 B)
- Once-Dendam Vs Cinta.Exe (188416 B)
- Marley-Bird Of Paradise.Exe (188416 B)
- Iwan Fals-Live Concert in Jayapura.Exe (188416 B)
The worm searches local drives for files with the following file extensions:
- .mp3
When the worm finds a file matching the search criteria, it creates a new copy of itself.
The name of the new file is based on the name of the file found in the search, with the extension ".exe".
Other information
The worm may create the following files in the C:\ folder:
- Pisang Bakar.Jpg (2359350 B)
The worm terminates any program whose window title contains any of the following strings:
- Computer Management
- Deep Freeze 2000XP
- Folder Options
- I*n*d*o*prog v_i_rus s*c*a*n*ner
- Process Explorer - Sysinternals: www.sysinternals.com
- Registry Editor
- System Configuration Utility
- TuneUp Registry Editor
- User Accounts
- Windows Task Manager
Win32/Gansip.A is a worm that overwrites the content of certain files with its own data.
The worm searches local drives for files with the following file extensions:
- .ocx
- .doc
- .rtf
When the worm finds a file matching the search criteria, it overwrites its content with the following text: