The worm contains its own SMTP engine and will attempt to use an open mail server in Sweden for email propagation, according to Symantec.
The email arrives with a subject line in Swedish or English, depending on the language settings of the infected computer. The attachment has a .scr file extension. The worm attempts to drop itself to c:\windows\scandisc.exe and c:\windows\????????.exe (where the ? characters are seemingly random). It also contains a number of static email addresses that it uses when attempting to send malicious content.
Initial analysis suggests that the sender's "From:" address is not spoofed. From copies intercepted by MessageLabs, the email may be composed as follows:
Subject: Spy pics.
Body:
"Here's the screensaver I told you about. It contains pictures taken by
one of the US spy satellites during one of its missions over Iraq. If
you want more of these pic's you know where you can find me. Bye!"
Attachment: sg.scr (The file attachment is not compressed, and has a size of 45,056 bytes.)
Read observations here about Ganda.A by MessageLabs staff.
According to F-Secure, the attachment in the emails is a screensaver file around 45kb in size (62kB mime-encoded). The filename is always short, such as RG.SCR or PW.SCR. Some of the messages sent by the worm have a fake sender address, replacing the "From" field with addresses belonging to Swedish journalists or school officials. These people have nothing to do with the worm. These fake addresses include: skolverket@skolverket.se, red@fna.se, debatt@svt.se and several personal addresses from tidningen.to and aftonbladet.se (Swedish magazines).
The worm also affects .EXE and .SCR files on an infected computer's hard disk by appending a small piece of code to the end of such files and patching the locations of API calls. Read technical details on Ganda.A on this F-Secure page.
W32/Cult-A Gives Intruders Remote Access and Control
W32/Cult-A is a worm and backdoor Trojan that spreads via file sharing on KaZaA networks and by emailing itself to random email addresses. The email will have the following characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountainCard.pif
When first run, the worm displays a false error message with the text "The instruction at 0x776456de referenced memory at 0x6235525g3. The memory could not be read Click on OK to terminate the application," copies itself to the Windows System folder as winupdate.exe and creates the following registry entry so that winupdate.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update = winupdate.exe
W32/Cult-A allows a remote intruder to access and control the computer via IRC channels. Once activated, W32/Cult-A tries to connect to a remote IRC server and join a specific channel. W32/Cult-A then runs in the background as a server process, listening for commands to execute.
The worm also creates several registry entries under HKLM\Software\Microsoft\WDXDriver to store encrypted IRC server addresses. Read more technical information on this Sophos page.
Densux Worm Exploits IE Vulnerability
Panda Software's Virus Laboratory has detected the appearance of Densux (W32/Densux), a new e-mail worm. This new malicious code spreads via e-mail, sending itself out to all addresses in Outlook's Address Book. Densux exploits a known vulnerability in Microsoft Internet Explorer called Exploit/Iframe to run automatically simply when the infected message is viewed in the Preview Pane.
When Densux runs, it creates a file called Scandisk.exe in the Windows directory, along with another executable with a name generated at random. The worm also makes an entry in the Windows Registry to ensure it is run on every system start-up. Densux also has traditional virus characteristics, as it infects and copies part of its code to PE files.
More detailed information about Densux is available in Panda Software's Virus Encyclopedia.
'Iraq Crisis' Subject of Mass-Mailing Worm
This worm spreads by mass-mailing copies of itself to all recipients listed in the Microsoft Outlook address book. It also spreads across the network and attempts to propagate via Internet Relay Chat (IRC). Bugs in its code, however, prevent it from completing its IRC propagation routine. It sends itself as an attachment in an email with this format:
Subject: "US Goverment Material - Iraq Crisis"
Message Body:
Attachment: C:\WINDOWS\UN_Interview.txt.vbs
Trend Micro is giving the worm an overall low-risk rating. Technical details are on this Trend Micro page.
Compiled by Esther Shein.
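A mail-gateway check for the lure characteristics that Ganda.A, W32/Cult-A and the "Iraq Crisis" worm share (a quoted subject line, a .scr/.pif/.vbs attachment, a very short attachment name, an executable payload). This is an added example, not code from any of the vendor write-ups; the sample message and its base64 stub are constructed.

```python
import email
import os
from email import policy

# Attachment extensions used by the worms described on this page (.scr, .pif, .vbs).
RISKY_EXTENSIONS = {".scr", ".pif", ".vbs"}

# Subject lines quoted on this page, lower-cased, used as a small signature list.
KNOWN_SUBJECTS = {
    "spy pics.",
    "hi, i sent you an ecard from bluemountain.com",
    "us goverment material - iraq crisis",
}

# Constructed sample modelled on the Ganda.A lure; the base64 body is just an MZ header stub.
SAMPLE_EML = """\
Subject: Spy pics.
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here's the screensaver I told you about.
--XYZ
Content-Type: application/octet-stream; name="sg.scr"
Content-Disposition: attachment; filename="sg.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

def scan_message(raw: str) -> list[str]:
    """Return the findings for one raw RFC 822 message (empty list if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append(f"subject matches a known worm lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() in RISKY_EXTENSIONS:
            findings.append(f"executable attachment type: {name}")
            if len(stem) <= 2:  # Ganda.A uses very short names such as RG.SCR
                findings.append(f"very short attachment name: {name}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # DOS/PE header, whatever the extension claims
            findings.append(f"attachment {name} carries a PE (MZ) header")
    return findings
```

Run `scan_message(SAMPLE_EML)` to see all four findings fire on the constructed lure; a plain text/plain status mail returns an empty list.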