
Worm:Win32/Ganelp.gen!A


First posted on 02 November 2011.
Source: SecurityHome

Aliases :

There are no other names known for Worm:Win32/Ganelp.gen!A.

Explanation :

Worm:Win32/Ganelp.gen!A is a generic detection for a worm that spreads via removable drives and downloads additional files onto the infected computer.





Installation

Upon execution, worms detected as Worm:Win32/Ganelp.gen!A make a copy of themselves in the following file location:

  • %Program Files%\acc0ea15\jusched.exe


The worm also creates the file %Windows%\Tasks\update23.job, which registers a scheduled task named "Update23" that launches the worm copy every time the user logs on to the computer.

Spreads via…

Removable drives

The worm spreads by copying itself to any removable drives discovered on the infected computer. If a removable drive exists on the computer and it contains a folder, the worm creates a copy of itself on the drive using the same name as that of the folder. For example, if the folder "folder1" exists in the discovered drive, the worm copies itself to the drive with the file name "folder1  .exe" (note the two spaces that precede the extension).

If there are no folders in the discovered drive, the worm creates a hidden folder named "acc0ea15" in the drive, as well as a copy of itself called "acc0ea15  .exe" (again with two spaces before the extension).

Note that the worm uses the folder icon for its executable file, so with file extensions hidden in Explorer the copy is indistinguishable at a glance from the folder it impersonates.



Payload

Downloads arbitrary files

The worm may contact an FTP server in order to download a file onto the infected computer. We have observed the worm attempting to contact the FTP server "ftp.byethost12" and download the file "Help.hlp" to the folder "%Program Files%\acc0ea15". At the time of publishing, the aforementioned file was not available.

The worm may also upload a file to the same FTP server; it was observed uploading the file "%Program Files%\acc0ea15\acc0ea15" to the server, which is a temporary file created by the worm and contains the language settings of the infected computer.

Modifies Firewall settings

The worm adds itself to the list of applications that are authorized to access the Internet without being stopped by Windows Firewall (this key is the policy store used by the Windows XP / Server 2003 firewall), by making the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%Program Files%\acc0ea15\jusched.exe"
With data: "%Program Files%\acc0ea15\jusched.exe:*:enabled:javaupdate23"
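The artifacts listed under Installation, Spreads via… and Modifies Firewall settings can be hunted for with the script below. It is an added example, not code from the original page or from the analyst; the file names, the job file, the registry key and the "path:scope:enabled:label" value format are taken from the page, while the removable-drive check is generalised to any "<folder><whitespace>.exe" sibling (an assumption, since the page only documents the two-space form). The demo() layout and the registry values it uses are constructed so the script runs offline; read_firewall_entries() needs Windows and the XP-era key.

```python
import os
from pathlib import Path

MARKER = "acc0ea15"        # folder / file name the worm uses (from the page)
TASK_JOB = "update23.job"  # scheduled-task job file in %Windows%\Tasks (from the page)
FW_LABEL = "javaupdate23"  # label in the worm's AuthorizedApplications entry (from the page)
FW_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def find_folder_mimics(drive_root):
    """Return names of '<name><spaces>.exe' files on drive_root that mimic a sibling folder.

    The page reports exactly two spaces before '.exe'; any trailing whitespace in the
    stem is accepted here (assumption: cover variants that pad differently).
    """
    root = Path(drive_root)
    folders = {p.name for p in root.iterdir() if p.is_dir()}
    hits = []
    for p in root.iterdir():
        if not p.is_file() or p.suffix.lower() != ".exe":
            continue
        stem = p.name[:-len(p.suffix)]
        base = stem.rstrip()
        if base == stem:
            continue  # no padding before the extension: ordinary executable name
        if base in folders or base == MARKER:
            hits.append(p.name)
    return sorted(hits)


def host_artifacts(program_files, windows_dir):
    """Return the installation / payload paths from the page that exist under the given roots."""
    candidates = [
        Path(program_files) / MARKER / "jusched.exe",  # worm copy
        Path(program_files) / MARKER / "Help.hlp",     # downloaded file, if it ever arrived
        Path(program_files) / MARKER / MARKER,         # temp file holding language settings
        Path(windows_dir) / "Tasks" / TASK_JOB,        # scheduled task "Update23"
    ]
    return [str(c) for c in candidates if c.exists()]


def suspicious_firewall_entries(entries):
    """Flag AuthorizedApplications\\List values that match the worm's entry.

    Value data is 'path:scope:enabled|disabled:label'; the path itself contains ':'
    (drive letter), so split from the right.
    """
    flagged = []
    for value_name, data in entries.items():
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, _scope, state, label = parts
        if state.lower() != "enabled":
            continue
        if label.lower() == FW_LABEL or MARKER in path.lower():
            flagged.append(value_name)
    return flagged


def read_firewall_entries():
    """Read the XP/2003-era firewall list from HKLM (Windows only; key absent on newer hosts)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FW_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = data
            index += 1
    return entries


def demo():
    """Run the three checks against a constructed layout in a temp dir (offline)."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="ganelp_demo_"))
    drive = base / "E"
    (drive / "folder1").mkdir(parents=True)
    (drive / MARKER).mkdir()
    for name in ("folder1  .exe", MARKER + "  .exe", "setup.exe", "folder1.exe"):
        (drive / name).write_bytes(b"MZ")  # constructed stand-ins, not real PE files
    pf, win = base / "Program Files", base / "Windows"
    (pf / MARKER).mkdir(parents=True)
    (pf / MARKER / "jusched.exe").write_bytes(b"MZ")
    (win / "Tasks").mkdir(parents=True)
    (win / "Tasks" / TASK_JOB).write_bytes(b"")
    firewall = {  # constructed registry values in the page's format
        r"%Program Files%\acc0ea15\jusched.exe":
            r"%Program Files%\acc0ea15\jusched.exe:*:enabled:javaupdate23",
        r"C:\Program Files\Mozilla Firefox\firefox.exe":
            r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    }
    return {
        "mimics": find_folder_mimics(drive),
        "artifacts": [Path(a).name for a in host_artifacts(pf, win)],
        "firewall": suspicious_firewall_entries(firewall),
    }


if __name__ == "__main__":
    print(demo())
    if os.name == "nt":
        print(suspicious_firewall_entries(read_firewall_entries()))
```

On a real host, point find_folder_mimics() at each removable drive letter and host_artifacts() at the expanded %ProgramFiles% and %SystemRoot%; a hit on the scheduled task or the firewall entry is a stronger signal than the drive-root copies, since those also appear on clean machines that were merely plugged into an infected one.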



Analysis by Amir Fouda



Last update 02 November 2011
