Mcaffee lists the virus as:

"This mass-mailing worm sends itself to email 
addresses harvested from the Windows Address Book 
and files on the victim machine. The worm kills 
certain processes running on the victim machine.

The worm also parasitically infects PE files on 
the Windows machine. Infected files will increase 
in size by 567 bytes. The files do not replicate 
themselves - the infection serves only to 
relaunch the worm. Files infected in this manner 
are detected as W32/Ganda by the specified 
engine/DATs

Mass-Mailing

The worm contains its own SMTP engine and sends 
itself via the default SMTP server specified in 
the Internet Account Manager, or a hard-coded 
Swedish SMTP server. The From: address in sent 
email is spoofed (using a harvested email 
address). Interestingly, both English and Swedish 
languages are used in constructing the email 
messages.

Outgoing messages may contain an old Internet 
Explorer vulnerability(IFRAME) in order to run 
itself when the recipient previews the email (on 
unpatched systems). See Microsoft Security 
Bulletin (MS01-020) for more information and a 
patch concerning this exploits.

The worm harvests target email addresses from the 
Windows Address Book and files on the victim 
machine. One of these email addresses is also 
used to spoof the From: address."

There's more, just search "ganda" on their site.