Encyclopedia entry: Win32/Ganelp - Learn more about malware - Microsoft Malware Protection Center

Microsoft


	Win32/Ganelp (?) Encyclopedia entry Updated: Jan 09, 2013 \| Published: Jan 02, 2013 Aliases Not available Alert Level (?) Severe Antimalware protection details Microsoft recommends that you download the latest definitions to get protected. On this page Summary\|Symptoms\|Technical Information\|Prevention\|Recovery Summary Win32/Ganelp is a family of worms that spread via removable drives, upload stolen information and download arbitrary files onto your computer. They may masquerade as a legitimate Java update - however, they are in no way affiliated with Java and merely use the well-known name of Java to maliciously spread their copies. Top Symptoms System changes The following system changes may indicate the presence of this malware: The presence of the following files: acc0ea15 acc0e9de dwntdux.hlp info_a help.hlp jusched.ex %windir%\tasks\update23.job The presence of the following registry modifications: In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "SunJavaUpdateSched21" With data: "%ProgramFiles%\acc0e9de\jusched.exe" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "SunJavaUpdateSched21" With data: "<malware folder and file name>, for example "%ProgramFiles%\acc0ea15\jusched.exe" Top Technical Information (Analysis) Installation When run, Win32/Ganelp creates a copy of itself with the file name "jusched.exe", in one of the following folders: %ProgramFiles%\acc0ea15 %ProgramFiles%\java\jre-01\bin Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files". Win32/Ganelp modifies the following registry entry to ensure that its copy runs at each Windows start: In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "SunJavaUpdateSched21" With data: "<malware folder and file name>, for example "%ProgramFiles%\acc0ea15\jusched.exe" The worm also creates the following scheduled task to launch its copy every time a user logs on to Windows: %windir%\tasks\update23.job Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows". Spreads via... Removable drives Win32/Ganelp spreads by copying itself to any removable drives found in your computer. If it detects a removable drive, and the drive contains a folder, the worm copies itself into the drive using the same name as that of the folder. For example, if the folder "folder1" exists in the drive, the worm copies itself as "folder1 .exe" (note the extra space that precedes the extension). Payload Downloads arbitrary files Win32/Ganelp may connect to an FTP server to download a file. Some of the servers it is known to connect to are: dictio_802884.di.funpic.org elegan_786444.el.funpic.org ftp.7host.com ftp.byethost12.com ftp.byethost6.com ftp.encrypt.instantfreesite.com ftp.myfreesite.foreverhost.us ftp.search.instantfreesite.com ftp.tripod.com ftp.ueuo.com hohoho.ho.funpic.org We have observed it downloading the following files to the folder it created during installation: help.hlp dwntdux.hlp Steals information Win32/Ganelp may obtain the country or region setting of your computer. It stores this information in a file in the folder it created during installation. We have observed it using the following file names for this file: acc0ea15 acc0e9de info_a The worm may upload this file to the same FTP server that it downloads files from. Modifies firewall settings Win32/Ganelp adds itself to the list of applications that are authorized to bypass Windows Firewall by making the following registry modification: In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Sets value: "%ProgramFiles%\acc0ea15\jusched.exe" With data: "%ProgramFiles%\acc0ea15\jusched.exe::enabled:javaupdate23" Additional information Win32/Ganelp uses a standard Windows-style folder icon, in an attempt to mislead you into opening the worm, believing it to be a folder. Analysis by Jireh Sanico* Top Prevention Take the following steps to help prevent infection on your computer: Enable a firewall on your computer Get the latest computer updates for all your installed software Use up-to-date antivirus software Limit user privileges on the computer Use caution when opening attachments and accepting file transfers Use caution when clicking on links to webpages Avoid downloading pirated software Protect yourself against social engineering attacks Use strong passwords Enable a firewall on your computer Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall. How to turn on the Windows Firewall in Windows 8 How to turn on the Windows Firewall in Windows 7 How to turn on the Windows Firewall in Windows Vista How to turn on the Windows Firewall in Windows XP Get the latest computer updates Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software is available from the following: Microsoft Malware Protection Center - Updating Software You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet. How to turn on Automatic updates in Windows 8 How to turn on Automatic Updates in Windows 7 How to turn on Automatic Updates in Windows Vista How to turn on Automatic Updates in Windows XP Use up-to-date antivirus software Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'. Limit user privileges on the computer Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run. You can configure UAC in your computer to meet your preferences: User Account Control in Windows 8 User Account Control in Windows 7 User Account Control in Windows Vista Applying the Principle of Least Privilege in Windows XP More on User Account Control Use caution when opening attachments and accepting file transfers Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources. Use caution when clicking on links to webpages Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content. Avoid downloading pirated software Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'. Protect yourself from social engineering attacks While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. Use strong passwords Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see 'Create strong passwords'. Top Recovery To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat: Microsoft Security Essentials or, for Windows 8, Windows Defender Microsoft Safety Scanner Microsoft Windows Malicious Software Removal Tool Removing a program exception This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps: For Windows 8 : Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall. In the left pane, tap or click Allow an app or feature through Windows Firewall. Tap or click Change settings. You might be asked for an admin password or to confirm your choice. Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK. For Windows 7: Click Start, select Control Panel, then System and Security. Select Windows Firewall. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Select <program name> from the list of allowed programs and features. Click Remove. Click OK. For Windows Vista: Click Start, select Control Panel, then Security Center. On the left-hand menu, select Windows Firewall. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. Select <program name> from the list of allowed programs and features. Click Delete. Click OK. For Windows XP: Use an administrator account to log on. Click Start, select Run, type wscui.cpl, and then click OK. In Windows Security Center, click Windows Firewall. On the Exceptions tab, click <program name> and then click Delete. Click OK. Top


	Provide feedback Please note: While your feedback is very important to us, we do not respond to individual submissions through this channel. Feedback, requests, or questions submitted through this form are monitored, however responses are not generated. If you require support, please visit the Safety & Security Center.