Effects
Ganensar.A carries out a large number of modifications in the Windows Registry of the affected computer, which have the following consequences:
- It disables the following items:
  - Windows Registry Editor.
  - Task Manager, which prevents the user from viewing the processes that are being run.
  - Folder options in Windows Explorer, which prevents the user from accessing the configuration menu of the folders.
  - The context menu, that is, the one that appears when right-clicking the mouse.
- It disables the following options from the Start menu:
  - Search, which allows files to be searched for quickly and directly.
  - Turn off and Log off. As a result, the user cannot turn off or log off the computer through the Start menu.
  - Control panel.
- It disables Windows File Protection (WFP) and the checking of these files when Windows is started:
  - Windows File Protection prevents critical Windows system files from being replaced. Programs must not overwrite these files because they are used by the operating system and other programs.
  - The System File Checker tool checks whether the protected files have been modified. If so, it restores the original protected files.
  As it disables both features, the Windows protected files can be modified, which could cause problems with the operating system and the installed programs.
- It uses several techniques in order to make its detection more difficult:
  - It hides the files and folders with hidden attributes.
  - It hides the extension of the files.
  - It hides the operating system files.
On the other hand, it carries out these actions:
- Whenever the Enter key is pressed, the following message is displayed:

- It modifies the characteristics of the system properties:

and if the user clicks the section Support information, the following information will be displayed:

- It prevents the programs whose caption contains any of the text strings mentioned below from being run:
Anti
Avg
Cracker
Editor
Free
Hacker
Hex
Hijack
Japan
Porn
Process
Processes
Registry
Run
Scanner
sex
Sniff
Tool
Tuneup
Utility
Vir
Virus
Windows
- It prevents the following programs from being run:
- Command shell (CMD).
- Task manager.
- Windows Registry Editor.
- System configuration utility.
- DirectX tool, which contains libraries related to multimedia, especially game programming and video, on Microsoft platforms.
- System configuration editor, which is used to configure the files that are loaded when Windows is started.
When any of them is run, Notepad is opened instead.
Infection strategy
Ganensar.A creates the following files, which are copies of the worm:
- MIYABI-NEW EPISODE(NO SENSOR).EXE, in the Windows directory.
- JAPANPORN.EXE and MIYABI-NEW EPISODE(NO SENSOR).EXE, in the My Documents directory of the user that has logged in.
- MSVBVM60.EXE, in the Windows directory.
- RASCAL32.EXE, in the Windows system directory.
- USERINIT.EXE, in the subfolder Templates of the Documents and Settings directory.
Additionally, it creates the files mentioned below in the Windows system directory, which are used to change the system properties:
- OEMINFO.INI
- OEMLOGO.BMP
It also creates the file USERINIT.DAT, in the directory where Ganensar.A has been run, as an infection mark.
Ganensar.A modifies the following files:
- CMD.EXE and COMMAND.EXE, which belong to the command shell (CMD).
- TASKMGR.EXE, which belongs to the Task manager.
- REGEDIT.EXE, which refers to the Windows Registry Editor.
- MSCONFIG.EXE, which belongs to the system configuration utility.
- DXDIAG.EXE, which refers to the DirectX tool.
- SYSEDIT.EXE, which belongs to the system configuration editor.
and replaces them with a copy of Notepad, keeping the same name as the original file. It replaces them in the following directories:
- Windows system directory.
- The dllcache subfolder of the Windows system directory.
This way, whenever any of these files is run, Notepad is run instead.
Ganensar.A creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Windows = %windir%\msvbvm60.exe /register
  where %windir% is the Windows directory.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  NET-SERVICES = %sysdir%\rascal32.exe /register
  where %sysdir% is the Windows system directory.
  By creating these entries, Ganensar.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 01, 00, 00, 00
  It disables the Windows Registry Editor.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = 01, 00, 00, 00
  It disables the Task Manager.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  SFCScan = 00, 00, 00, 00
  It disables the System File Checker tool.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemFileProtection
  ShowPopups = 00, 00, 00, 00
  It disables the Windows warnings that are shown when a file under Windows File Protection is modified.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoClose = 1
  It hides the Turn off option from the Start menu and does not allow the shutdown command to be run through the command shell (CMD.EXE).
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoLogOff = 1
  It does not display the Log off option in the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFind = 1
  It does not display the Search option in the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 1
  It does not display the Folder options entry of Windows Explorer.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoViewContextMenu = 1
  It does not display the context menu, that is, the one that appears when right-clicking the mouse.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoControlPanel = 1
  It does not display the Control Panel in the Start menu.
Ganensar.A modifies the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Load
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Load = %sysdir%\rascal32.exe
  where %sysdir% is the Windows system directory.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = explorer.exe %sysdir%\rascal32.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  System
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  System = %windir%\msvbvm60.exe
  where %windir% is the Windows directory.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe,
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = userinit.exe,C:\Documents and Settings\%user%\Templates\userinit.exe,
  where %user% is the username of the user that has logged in.
  By modifying these entries, Ganensar.A ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  SFCDisable = 00, 00, 00, 00
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  SFCDisable = -99
  It disables Windows File Protection.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = Junior Bali VM
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = ÑØ†HîñG•••BO¥
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductId
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductId = [28/08/2007]
  By modifying these three entries, it changes the system properties that show the organization and user name to which the operating system is registered, as well as its product ID.
Additionally, it modifies these entries in the Windows Registry, in order to make its detection more difficult:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 00, 00, 00, 00
  It hides the files and folders with hidden attributes.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 00, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 01, 00, 00, 00
  It hides the extension of the files.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 00, 00, 00, 00
  It hides the operating system files.
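As an added example that is not part of the original write-up, the following Python script triages a .reg export (for instance one taken from a suspect machine with reg export) offline and flags the entries that match the modifications documented above: the worm's file names wired into Run, Load, Shell, System or Userinit values, a non-zero SFCDisable, and the Policies restrictions set to 1. The sample export at the end is constructed for illustration, and the names parse_reg, ganensar_findings and SAMPLE_EXPORT are this example's own.

```python
import re
HKLM, HKCU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows", r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
WINLOGON = HKLM + r" NT\CurrentVersion\Winlogon"
AUTOSTART = (WINLOGON, HKCU + r" NT\CurrentVersion\Windows", HKLM + r"\CurrentVersion\Run", HKCU + r"\CurrentVersion\Run")
WORM_FILES = ("msvbvm60.exe", "rascal32.exe", r"templates\userinit.exe")  # file names from the write-up
RESTRICTIONS = {HKCU + r"\CurrentVersion\Policies\System": ("DisableRegistryTools", "DisableTaskMgr"),
                HKCU + r"\CurrentVersion\Policies\Explorer": ("NoClose", "NoLogOff", "NoFind", "NoFolderOptions",
                                                                "NoViewContextMenu", "NoControlPanel")}

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; dword and 4-byte hex data become ints."""
    reg, key = {}, None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex data continued over several lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)):
            name, data = re.sub(r"\\(.)", r"\1", m.group(1) or ""), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith("hex"):                     # REG_BINARY and hex(n) typed data
                raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
                data = int.from_bytes(raw, "little") if len(raw) == 4 else raw
            elif data.startswith('"'):                       # REG_SZ with \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            reg.setdefault(key, {})[name] = data             # other types are kept as raw text
    return reg

def ganensar_findings(reg):
    """Map (key, value_name) -> data for entries matching the modifications documented above."""
    found = {}
    for key in AUTOSTART:  # worm binaries wired into Run, Load, Shell, System or Userinit values
        for name, data in reg.get(key, {}).items():
            if any(f in str(data).lower() for f in WORM_FILES):
                found[(key, name)] = data
    if (sfc := reg.get(WINLOGON, {}).get("SFCDisable", 0)) != 0:  # Windows File Protection off
        found[(WINLOGON, "SFCDisable")] = sfc
    for key, names in RESTRICTIONS.items():
        found.update({(key, n): 1 for n in names if reg.get(key, {}).get(n) == 1})
    return found

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows"="C:\\WINDOWS\\msvbvm60.exe /register"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=hex:01,00,00,00
'''  # constructed sample export, not taken from a real machine
```

Every flagged entry is one the write-up lists, so a clean-up consists of restoring the documented original values (Shell back to Explorer.exe, Userinit back to %sysdir%\userinit.exe, and so on) after the worm's files have been removed.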
Means of transmission
Ganensar.A reaches the computer in a file with the name MIYABI-NEW EPISODE(NO SENSOR).EXE and the icon of Windows Media Player:

It spreads by making copies of itself, with the name MIYABI-NEW EPISODE(NO SENSOR).EXE, on all the drives available on the system, both mapped and removable drives.
Further Details
Ganensar.A is written in the programming language Visual Basic v5. This worm is 71,168 bytes in size and is compressed with UPX v1.21.
Additionally, the files created to modify the system properties have the following characteristics:
- OEMINFO.INI contains the following code:
[General]
Manufacturer=Infected by: RASCAL
Model=Please repair your fucking system
[Support Information]
Line1=Hey..hey..
Line2=
Line3=Mohon maaf sebelumnya,
Line4=Komputer ente sekarang sudah terinfeksi RASCAL
Line5=Buruan kasih tau tentang hal ini kepada adminnya choi..
Line6=Anyway kok gak ada pesan moralnya ya??? (Dah basi kalee..)
Line7=Huehuehehehe...
Line8=
Line9=By: ÑØ†HîñG•••BÔ¥ # Junior Bali VM (Masih kecil om ^_^)
- OEMLOGO.BMP belongs to the image below:

On the other hand, the file called USERINIT.DAT, created as an infection mark, contains the following text:
