The e-mails include a attachment which is a SCR (screen saver)
file around 45kb in size (62kB mime-encoded). The filename is
always short, such as RG.SCR or PW.SCR.
Some of the messages sent by the worm have a fake sender address,
replacing the "From" field with addresses belonging to Swedish
journalists or school officials. These people have nothing to do
with the worm and they are not spreading it either - the worm
just tries to make it look like that.
These fake addresses include firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org and several personal addresses from
tidningen.to and aftonbladet.se (Swedish magazines). The worm
will send massive amounts of rant e-mails to these addresses
The messages sent by the worm are in Swedish or in English,
depending on the language settings of the infected computer.
In addition to the email spreading, Ganda also parasitically
appends a small piece of code to PE executable files. The purpose
of this code is to patch the locations of API calls so the worm
code will be executed.
The worm's file is a PE executable about 45 kilobytes long. It is
not packed, however, some areas in the worm's body are encrypted
with a simple crypto algorithm.
When the worm's file is activated it first decrypts its internal
areas and then gets API addresses for several functions from
KERNEL32.DLL, ADVAPI32.DLL, SHELL32.DLL, WININET.DLL, WSOCK32.DLL
libraries. Then the worm creates a mutex named 'SWEDENSUX'. This
mutex is used to identify the presence of another worm's copy in
a system. The worm allocates a few blocks of memory for its
internal use. After that the worm registers itself as a service
process and remains resident in Windows memory.
The worm copies itself as SCANDISK.EXE into Windows directory and
also it copies itself there with a randomly-generated name (for
example AYDJSSKJ.EXE). Then the worm creates a startup key for
the SCANDISK.EXE file:
"ScanDisk" = "%WinDir%\SCANDISK.EXE"
Then the worm attempts to kill processes of anti-virus and
security software that have the following strings:
After that the worm waits for Internet connection. When Internet
connection is available, the worm starts to look for e-mail
addresses on an infected system. It looks for addresses inside
files located in cache folders and elsewhere on a hard disk. The
worm collects e-mail addresses from Windows Address Book (it uses
the WAB32.DLL library to access the Address Book) and from the
The worm has its own SMTP engine. It connects to the SMTP server
that is mentioned in the Registry or to 'm1.611.telia.com' SMTP
server. The worm sends itself to all found e-mail addresses.
Sometimes the worm fakes the sender's e-mail address. The fake
address can be selected from the list of found addresses or from
one of the following variants:
Additionally the worm sends a 12 kilobyte message in Swedish to
the above listed e-mail addresses using the
'email@example.com' as the sender's address. If the worm
gets widespread, it will SPAM those addresses with thousands of
messages overloading the mail servers.
The infected message's subject and body are randomly selected by
the worm from its internal list. The messages sent by Ganda worm
look like that:
These are examples of English subjects and bodies that the worm
uses to compose messages:
Do you think this screensaver could be considered illegal? Would
appreciate if you or any one of your friends could check it out and
answer as soon as humanly possible. Thanx !
Here's the screensaver i told you about. It contains pictures taken by
one of the US spy satellites during one of it's missions over iraq. If
you want more of these pic's you know where you can find me. Bye!
GO USA !!!!
This screensaver animates the star spangled banner. Please support the
US administration in their fight against terror. Thanx a lot!
G.W Bush animation.
Here's the animation that the FBI wants to stop. Seems like the feds are
trying to put an end to peoples right to say what they think of the US
administration. Have fun!
Is USA a UFO?
Have a look at this screensaver, and then tell me that George.W Bush is
not an alien. ;-)
Is USA always number one?
Some misguided people actually believe that an american life has a
greater value than those of other nationalities. Just have a look at
this pathetic screensaver and then you'll know what i'm talking about.
All the best.
Are you a windows user who is curious about the linux environment? This
screensaver gives you a preview of the KDE and GNOME desktops. What's
more, LINUX is a free system, meaning anyone can download it.
This screensaver has been banned in Germany. It contains a number of
animated symbols that can be related to the nazi culture. What do you
think, is it a legitimate ban or not? Please answer asap. Thanx!
If you like cats you'll love this screensaver. It's four animated
kittens running around on the screen. Contact me for more clipart. Have
Hello! My 12 year old doughter received this screensaver on a CDROM that
was sent to her through advertising. I find it disturbing that children
are now being targets of nazi organizations. I would appreciate to hear
from you on this matter, as soon as possible. Thank you.
The worm uses the following Swedish subjects:
Rashets eller inte?
Överviktiga förnedra ...
Go ack ack ack....
Är USA ett UFO?
Katt, hund, kanin.
Some of the messages sent by the worm use the IFRAME exploit to
automatically execute the infected attachment on recipients'
systems. However only older and unpatched versions of certain
e-mail clients are affected.
The worm is attached to the infected message as 'xx.SCR' file
where 'xx' are 2 random characters for example the attachment
name can be 'SI.SCR'. To encode the attachment the worm creates a
temporary file named 'tmpworm.exe' and encodes it into the
The worm includes the following text:
[WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden,
I am being discriminated by the swedish schoolsystem.
This is a response to eight long years of discrimination.
I support animal-liberators worldwide.
Parasitic Appending to Executable Files
The worm affects .EXE (only PE EXE files) and .SCR files on an
infected computer's hard disk. The worm appends a small code to
.EXE and .SCR files that starts the worm's file (the one with a
random name) every time an affected file is run. The worm also
reads the contents of .LNK (link) files and tries to patch .EXE
and .SCR files that those link files point to.
When affecting EXE and SCR files, the worm looks for certain API
calls to KERNEL32.DLL library and replaces them with a jump to
its appended code. One of the following API call instructions
So when an affected file is started and execution reaches the
patched address, the control is passed to the parasitically
appended small piece of code, that in its turn starts the
randomly-named worm's file in Windows folder.
F-Secure Anti-Virus detects Ganda worm with the following
[M. Hypponen, K. Tocheva, G. Erdelyi, A. Podrezov, F-Secure Corp., 17th of March 2003]