Virus Profile: W32/Maldal.c@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/19/2001
Date Added: 12/19/2001
Origin: Unknown
Length: 37376 bytes
Type: Virus
Subtype: Worm
DAT Required: 4177

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Mass mailing with the file attachment "christmas.exe"
- Dropped VBScript virus, detected as VBS/Rols
- Deleted anti-virus and security program files
- Disabled keyboard functionality
- Presence of "outlook.vbs" in the %system% folder
- Deletion of files in the %system% folder
- Message boxes with anti-Jewish and/or government-related text
- Presence of a file called "zacker.vbs"
- Presence of a file called "rol.vbs"
- Presence of a file called "dalal.htm"
- Presence of a file called "dallah.htm"
- Presence of a file called "server.vbs"

Methods of Infection

Initial infection starts when a user runs a malicious e-mail file attachment called christmas.exe.

Aliases

W32/Keyluc@MM, W32/Reeezak.A-mm, W32/Zacker@MM
   

Virus Characteristics

W32/Maldal.c@MM was discovered on 19 December 2001; it is the third variant of the W32/Maldal@MM family.

The mass-mailing worm arrives as an e-mail file attachment called "christmas.exe" with a file size of 37376 bytes. It uses the MS-Outlook address book to mass-mail itself, and may also use entries from MS-Messenger.

The worm sends RTF-based e-mail messages with the following content:

Subject: Happy New Year
Body: Hii , I can't describe my feelings But all I can say is Happy new year :-) bye

Attachment: Christmas.exe

Sample display of the received e-mail (image not reproduced in this text).

Although the attachment carries a Macromedia Flash-style icon, christmas.exe is written in Visual Basic. Running the file may spawn multiple processes and display multiple title bars, which can be hard to combat because the worm also tries to disable keyboard functionality.
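The message template above is stable enough to filter at a mail gateway, and the Flash-style icon is exactly the kind of disguise a filename-only rule misses. The following is an added example (not McAfee's code, nor anything from the worm) showing how such a filter can be written with Python's standard-library email parser: it flags the worm's subject line, an attachment named christmas.exe in any letter case, and any attachment whose bytes start with the PE "MZ" signature, which catches an executable regardless of its extension or icon. The sample messages, the example.com addresses and the 64-byte "MZ" stub used as the attachment payload are all constructed for the example.

```python
"""Mail-gateway triage for the W32/Maldal.c@MM message template.

Added example; not McAfee's code or the worm's.  Parses a raw RFC 822 message
and returns the reasons it should be quarantined.  The sample messages built
at the bottom are constructed; the attachment payload is a harmless "MZ" stub.
"""
import email
from email import policy
from email.message import EmailMessage

WORM_ATTACHMENT = "christmas.exe"
WORM_SUBJECT = "happy new year"
WORM_LENGTH = 37376  # attachment size reported in the profile


def iter_attachments(msg):
    """Yield (filename, decoded bytes) for each non-multipart part that
    carries a filename or an attachment disposition."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        yield name or "", part.get_payload(decode=True) or b""


def is_pe_executable(data):
    """Win32 executables begin with the DOS 'MZ' header, whatever the extension."""
    return data[:2] == b"MZ"


def triage(raw):
    """Return the list of quarantine reasons for a raw message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["subject"] or "").strip().lower() == WORM_SUBJECT:
        reasons.append("subject matches worm template")
    for name, data in iter_attachments(msg):
        label = name or "<unnamed>"
        if name.lower() == WORM_ATTACHMENT:
            reasons.append("attachment named %s" % name)
        if is_pe_executable(data):
            reasons.append("attachment %s is a PE executable" % label)
        if len(data) == WORM_LENGTH:
            reasons.append("attachment %s is exactly %d bytes" % (label, WORM_LENGTH))
    return reasons


def build_message(subject, body, attachment_name=None, payload=b""):
    """Construct a test message; the addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "victim@example.com"
    m["To"] = "contact@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name is not None:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: the worm's template from the profile, and a benign mail.
WORM_SAMPLE = build_message(
    "Happy New Year",
    "Hii , I can't describe my feelings But all I can say is Happy new year :-) bye",
    "Christmas.exe", b"MZ" + b"\x00" * 62)
CLEAN_SAMPLE = build_message("Lunch?", "See you at noon.")

if __name__ == "__main__":
    print(triage(WORM_SAMPLE))   # three reasons
    print(triage(CLEAN_SAMPLE))  # []
```

The size check is deliberately a separate reason: it is the weakest signal (any 37376-byte attachment matches), so a gateway would typically log it but quarantine only on the name or PE-header hits.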

The worm may change the computer name to "Zacker" via the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName

It may also add a startup value named "Zacker" under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

All files in the %system% directory are deleted when christmas.exe is executed.

The worm also changes the Internet Explorer start page to a "zacker" .htm web page. That page contains JavaScript code that drops a VBScript virus and also installs a mIRC script; current DATs detect the page as VBS/Dismissed. The dropped VBScript code may delete anti-virus and security software from the following locations:

\Program Files\Zone Labs
\Program Files\AntiViral Toolkit Pro\*.*
\Program Files\Command Software\F-PROT95\*.*
\eSafe\Protect\*.*
\PC-Cillin 95\*.*
\PC-Cillin 97\*.*
\Program Files\Quick Heal\*.*
\Program Files\FWIN32\*.*
\Program Files\FindVirus\*.*
\Toolkit\FindVirus\*.*
\f-macro\*.*
\Program Files\McAfee\VirusScan95\*.*
\Program Files\Norton AntiVirus\*.*
\TBAVW95\*.*
\VS95\*.*
\rescue\*.*
\Program Files\Zone Labs\*.*

The main "Zacker" HTM page may also drop a VBScript file called "outlook.vbs" in the %SYSTEM% directory (for example c:\windows\system\outlook.vbs). This file attempts to send an e-mail to every entry in the user's Contacts with:
Subject: Very Important !!!
Body: See this page http://.................
The intent is to get the recipients to click on the (omitted) malicious web link.

The outlook.vbs code also contains a payload routine that deletes all files in the %SYSTEM% folder. A message box with anti-Jewish text is displayed, followed by a shutdown of the system.
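The indicators above (dropped script and HTM files in %system%, the "Zacker" Run value and computer name, the redirected IE start page, and an emptied system directory) are easy to check from a script when triaging a suspect host. The following is an added example, not McAfee's code or the worm's. The pure functions take data that has already been collected (a directory listing, a few registry values) so the logic runs offline; the collector at the bottom gathers that data on a live Windows host with the standard-library winreg module. The 50-file threshold for "emptied", the default System32 path, the standard ComputerName registry location (the profile abbreviates it) and the substring match on "zacker" for the start page are assumptions, not facts from the profile.

```python
"""Host triage for the W32/Maldal.c@MM indicators listed in this profile.

Added example; not McAfee's code or the worm's.  Assumptions that are not in
the profile are marked in comments.
"""
import os

# Filenames the profile lists as dropped by the worm or its HTM page.
DROPPED_FILES = {"outlook.vbs", "zacker.vbs", "rol.vbs",
                 "dalal.htm", "dallah.htm", "server.vbs"}

# Assumption: a healthy Windows system directory holds far more than 50
# files, so a near-empty one suggests the delete-everything payload ran.
EMPTIED_THRESHOLD = 50


def match_dropped(names):
    """Return the dropped-file names present in an iterable of filenames,
    matched case-insensitively (Windows filesystems ignore case)."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)


def looks_emptied(names):
    """True when a %system% listing is implausibly short (see EMPTIED_THRESHOLD)."""
    return len(list(names)) < EMPTIED_THRESHOLD


def classify_registry(values):
    """Map collected registry values to indicator strings.

    values keys: 'run_zacker' (data of the Run value named Zacker, or None),
    'computer_name' (active computer name, or None) and 'ie_start_page'
    (IE start page URL, or None).
    """
    hits = []
    if values.get("run_zacker") is not None:
        hits.append("Run value 'Zacker' present: %s" % values["run_zacker"])
    if (values.get("computer_name") or "").lower() == "zacker":
        hits.append("computer name changed to Zacker")
    page = values.get("ie_start_page") or ""
    # Assumption: the profile only says the start page points at a "zacker"
    # htm site, so match on that substring rather than on a specific URL.
    if "zacker" in page.lower():
        hits.append("IE start page redirected: %s" % page)
    return hits


def collect_registry():
    """Read the three registry values on a live Windows host.
    Returns None when winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return None

    def read(hive, path, value_name):
        try:
            with winreg.OpenKey(hive, path) as key:
                data, _ = winreg.QueryValueEx(key, value_name)
                return str(data)
        except OSError:
            return None

    hklm, hkcu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    return {
        "run_zacker": read(hklm, r"Software\Microsoft\Windows\CurrentVersion\Run", "Zacker"),
        # Standard location of the active computer name (assumed; the
        # profile abbreviates this path).
        "computer_name": read(hklm, r"System\CurrentControlSet\Control\ComputerName\ComputerName",
                              "ComputerName"),
        "ie_start_page": read(hkcu, r"Software\Microsoft\Internet Explorer\Main", "Start Page"),
    }


def triage(system_dir=None):
    """Run every check against the live host and return the indicator list.
    Assumption: %system% is System32 under SystemRoot on NT-family Windows;
    pass C:\\Windows\\System explicitly on Windows 9x/ME."""
    if system_dir is None:
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    try:
        listing = os.listdir(system_dir)
    except OSError:
        listing = []
    hits = ["dropped file present: %s" % n for n in match_dropped(listing)]
    if listing and looks_emptied(listing):
        hits.append("%s holds only %d files" % (system_dir, len(listing)))
    reg = collect_registry()
    if reg is None:
        hits.append("registry not checked (winreg unavailable on this OS)")
    else:
        hits.extend(classify_registry(reg))
    return hits


if __name__ == "__main__":
    for line in triage() or ["no indicators found"]:
        print(line)
```

Run it as the user whose IE start page was changed, since that value lives under HKEY_CURRENT_USER; the Run value and computer name are machine-wide and need no special context to read.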
   

Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations