Ganda Removal Tool

Ganda Removal Tool is a small but effective application that targets the Win32.Ganda.A@mm malware.

Once run, it creates two copies of itself in Windows folder: SCANDISK.EXE and another randomly named file (ex: "xjvhtbxt.EXE").

Creates a mutex "SWEDENSUX" in order to allow only one copy of itself in memory. It attempts to shut down processes with names as "virus","firewall","f-secure","symantec","mcafee","pc-cillin","trend micro","kaspersky","sophos","norton". It infects executable files by searching for *.exe, *.scr and *.lnk files in %windir%\DESKTOP\ and %windir%\START MENU\ If a .lnk file is found, it retrieves the executable path and name contained within the .lnk file, then opens the file (if it founds a .exe or a .scr file, it opens them directly) and adds a stub to the end of the executable file, then hijacks one of the functions ExitProcess, GetProcAddress, GetModuleHandleA, LoadLibraryA to point to the stub. The stub loads and executes the file with random name in Windows folder (ex: "xjvhtbxt.EXE").

It creates registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\"ScanDisk"="C:\WINDOWS\SCANDISK.exe"]

It looks in [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] and attempts to modify the files pointed by the keys, and render them unusable.

It harvests e-mails searching for files matching "*.eml","*.htm*","*.dbx" and Windows Address Book. It also contains some hardcoded e-mails.