W32/Ganda@mm sends itself to email addresses harvested from the Windows Address Book and files on the victim machine. It also parasitically infects PE files on the Windows machine.
Infected files will increase in size by 567 bytes. The files do not replicate themselves; the only purpose of the infection is to relaunch the worm. Files infected in this manner are detected as W32/Ganda by the specified engine/DATs. W32/Ganda@mm contains its own SMTP engine and relies upon a Swedish SMTP server for mail propagation.
The From: address in sent emails is spoofed (using a harvested email address). Most notably, both English and Swedish are used in constructing the email messages. According to McAfee, outgoing messages may exploit an old Internet Explorer vulnerability (IFRAME) so that the worm runs when the recipient previews the email on an unpatched system.
The worm harvests target email addresses from the Windows Address Book and files on the victim machine. One of these email addresses is also used to spoof the From: address. Outgoing messages are constructed with various subject lines. Various message bodies are also used and are chosen according to the subject.
See the different subject lines and message bodies on this McAfee page.
W32.HLLW.Genky Attempts to Download Backdoor.Sdbot
W32.HLLW.Genky is a worm that spreads using the KaZaA and iMesh file-sharing networks. It also attempts to download Backdoor.Sdbot from a specific Web site. W32.HLLW.Genky is written in Microsoft Visual Basic, version 6, and packed with FSG.
For technical details on what happens when W32.HLLW.Genky is executed, visit this Symantec page.
W97M.Timret Infects Open Documents
Symantec has also issued another low-threat rating for W97M.Timret, a macro virus that infects documents when they are opened. It also attempts to send a copy of the infected document through mIRC.
Read more here.
Cydog Worm Displays Fake Error Message
Cydog is an email and P2P worm that has three known variants: I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c, according to antivirus software vendor F-Secure.
The worm is written in Visual Basic and is compressed with the UPX file compressor. The worm's packed file size is about 35 kilobytes. When run, the worm displays a fake error message. Read the message and the other effects of the worm on this F-Secure page.
Compiled by Esther Shein.