Virus ganda
This is a mass-mailing worm that sends email to the contacts in the Windows Address Book.
The worm also attempts to terminate the services of several antivirus and security products.
The worm copies itself to:
%WinDir%\scandisk.exe
%WinDir%\tmpworm.exe
NOTE: %WinDir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
The worm adds the registry value:
"ScanDisk" "%WinDir%\SCANDISK.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
The worm also parasitically infects .exe and .scr files. The files do not replicate themselves - the infection serves only to relaunch the worm.
© Copyright 2000-2008 AnVir Software. All Rights Reserved.
