To start the new year, we have added the Win32/Ganelp and Win32/Lefgroo families of worms to the January release of the Malicious Software Removal Tool.

Win32/Ganelp spreads via removable drives, uploads stolen information and downloads arbitrary files from remote FTP servers.

We have had detection signatures for this family for approximately 2 years and it continues to be prevalent, as seen in Figure 1.

Figure 1: Ganelp monthly report volume, January 2011 to December 2012.


What we understand clearly about the Ganelp malware family is its malicious intent. Ganelp variants are usually distributed online as fake Java updates; they use a folder icon to mimic a directory and disguise copies of themselves with existing folder names found on the infected machine.
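The folder-name disguise described above leaves a simple trace on a removable drive: an executable whose base name matches a directory sitting next to it (for example, "Photos.exe" beside a "Photos" folder). The following Python script is an added example, not MMPC or Microsoft code, that builds a throwaway directory tree imitating such a drive (constructed sample files, no real malware) and flags executables that shadow a sibling folder name. The function names, the set of executable extensions, and the sample tree are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed set of extensions Windows will run when a user double-clicks
# what looks like a folder; extend as needed.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def find_folder_mimics(root):
    """Return sorted relative paths of executables whose name (minus
    extension) matches a directory in the same location on the drive.

    Hypothetical helper: this is the heuristic a scanner could apply to a
    mounted removable drive to surface folder-mimicking worm copies.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Compare case-insensitively, as Windows file systems do.
        dirs_lower = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.stem.lower() in dirs_lower:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def build_sample_drive():
    """Construct a temporary tree imitating an infected removable drive.

    Constructed sample data only: the 'MZ' files are two-byte stubs, not
    executables, and the layout is invented for this demonstration.
    """
    tmp = Path(tempfile.mkdtemp(prefix="ganelp_demo_"))
    (tmp / "Photos").mkdir()
    (tmp / "Work").mkdir()
    (tmp / "Work" / "Reports").mkdir()
    # Benign user data.
    (tmp / "Photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff")
    (tmp / "notes.txt").write_text("shopping list")
    # Mimics: an executable named after a folder that exists beside it.
    (tmp / "Photos.exe").write_bytes(b"MZ")
    (tmp / "Work" / "Reports.scr").write_bytes(b"MZ")
    # Not a mimic: there is no folder called 'setup' next to it.
    (tmp / "setup.exe").write_bytes(b"MZ")
    return tmp


if __name__ == "__main__":
    drive = build_sample_drive()
    for hit in find_folder_mimics(drive):
        print("possible folder mimic:", hit)
```

Run against a real mount point instead of the constructed tree by passing its path to find_folder_mimics; a hit is a candidate for closer inspection (hash lookup, icon resource check), not proof of infection on its own, since legitimate installers occasionally ship an executable alongside a same-named folder.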

For more details about this family of worms, please see the MMPC Encyclopedia description for Win32/Ganelp.


Jireh Sanico
MMPC