W32.Ganbate.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 May 2007
Damage: Low

Characteristics: W32.Ganbate.A is a worm that propagates through removable storage devices. Reports also say that it can disable certain system utilities. All Windows platforms are vulnerable to this worm, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It modifies registry keys and entries so that it executes whenever Windows starts. Once executed, it displays an alert box with “Title: IOIMALL(G) Message: This is Histoty of JMTi...!!!~.” It then copies itself into several Windows system or directory folders. The files it creates include “HistoryJMTi.exe,” “regedit.exe” and “msagent.exe.”

More details about W32.Ganbate.A

A “data86.bat” file is also added to the Windows directory folder. The worm also uses an autorun.inf file, whose commands automatically create the files it needs to infect the computer. Basically, this worm spreads by copying itself with the hidden and system attributes. It also changes the boot sector, which could leave the computer unable to run. It is always good practice to enable your firewall to block all incoming connections from the Internet to services that should not be publicly available. Protect your computer by denying all incoming connections and allowing only the services you trust and know. Creating passwords is also key to protecting files and programs from viruses. The AutoPlay feature on your computer should be disabled to further prevent executable files from launching automatically on network and removable drives.
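A defender-side check for the removable-drive behaviour described above, as an added example that is not part of the original write-up: it parses an autorun.inf, lists the entries that launch a program, and flags hidden+system executables in the drive root. The sample autorun.inf content and the directory listing are constructed for illustration; the page does not show the worm's actual autorun.inf.

```python
import re
# File names this page lists for W32.Ganbate.A (compared case-insensitively).
PAGE_FILE_NAMES = {"historyjmti.exe", "regedit.exe", "msagent.exe", "data86.bat"}
# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(autorun_text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    section, found = None, []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), value))
    return found

def base_name(command):
    """Lowercased file name of the program a launch command points to."""
    cmd = command.strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    program = quoted.group(1) if quoted else (cmd.split() or [""])[0]
    return re.split(r"[\\/]", program)[-1].lower()

def review_drive(autorun_text, root_entries):
    """root_entries: (name, hidden, system) tuples for files in the drive root."""
    findings = []
    for key, command in launch_targets(autorun_text):
        name = base_name(command)
        note = "listed on this page" if name in PAGE_FILE_NAMES else "review manually"
        findings.append(f"autorun.inf {key} -> {name}: {note}")
    for name, hidden, system in root_entries:
        if hidden and system and name.lower().endswith((".exe", ".bat")):
            findings.append(f"{name}: hidden+system executable in drive root")
    return findings

# Constructed sample input (not taken from a real infected drive).
SAMPLE_AUTORUN = r"""[autorun]
open=HistoryJMTi.exe
shell\open\command=tools\setup.exe /s
icon=drive.ico
"""
SAMPLE_ROOT = [("HistoryJMTi.exe", True, True), ("autorun.inf", True, True), ("notes.txt", False, False)]
```

Calling `review_drive(SAMPLE_AUTORUN, SAMPLE_ROOT)` returns one finding per launch entry plus one for the hidden+system executable; on a real drive the attribute flags would come from the file system rather than a hand-written list.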

According to some reports, W32.Ganbate.A is injected into the system by exploiting weak points in the user’s security settings, without the user’s consent. The most common weakness exploited by the worm is the absence of adequate anti-spyware protection, which leaves the computer defenseless against the worm’s attack. The worm may enter the computer in different ways, but typically it is injected by attaching itself to a file that the user may have downloaded or installed. These downloaded files may come from P2P networks, file-sharing networks and even websites that the user may have visited.