FRISK Software International


Summary of W32/Maldal.C@mm
Alias: Keyluc.C, Zacker.C, Christmas.exe and Reeezak.A
Discovered: 19 Dec 2001
Definition files: 19 Dec 2001
Risk Level: Medium
Distribution: Medium
Infection Method: Infected e-mail attachments, mIRC.
Payload: Disables security software, deletes all files.
 

Brief Description

Maldal.C was found in the wild on the 19th of December. It is an e-mail worm with a potentially damaging payload. Maldal.C spreads via e-mail attachments disguised as a Christmas greeting card. It sends itself to addresses found in Outlook's database and in Microsoft's instant messaging software, MSN Messenger. The attachment's name is always 'CHRISTMAS.EXE'. W32/Maldal.C@mm is written in Visual Basic.



Technical Description

An e-mail containing Maldal.C can be recognized by the following characteristics:

The subject of the e-mail is: 'Happy New Year'

The e-mail's body text is:

	Hii, I can't describe my feelings But all I can say
	is Happy new year :-) bye

As noted above, the attachment is named CHRISTMAS.EXE.
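The three indicators just listed (subject line, body text and attachment name) are enough for a simple mail-gateway or mailbox triage check. The following Python script is an added example written for this page, not code from FRISK or F-Secure; it parses a message with the standard library and reports which of the described indicators it matches. The sample messages it builds are constructed for the demonstration and are not real captured e-mails.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (compared case-insensitively).
MALDAL_SUBJECT = "happy new year"
MALDAL_ATTACHMENT = "christmas.exe"
MALDAL_BODY_FRAGMENT = "i can't describe my feelings"


def attachment_names(msg):
    """Return the lower-cased filenames of all parts that carry a filename."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            names.append(fname.lower())
    return names


def match_maldal_c(raw_message: bytes):
    """Return the list of matched indicator labels for one raw RFC 822 message.

    Assumes the message is available as bytes, e.g. read from a mail spool
    or exported from a mailbox. An empty list means no indicator matched.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject == MALDAL_SUBJECT:
        hits.append("subject")

    # Prefer the text/plain body; a message without one simply yields no body hit.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if MALDAL_BODY_FRAGMENT in body:
        hits.append("body")

    if MALDAL_ATTACHMENT in attachment_names(msg):
        hits.append("attachment")
    return hits


def build_sample(subject, body, attachment_name):
    """Construct a sample message for testing; not a real captured e-mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for the attachment; only the name matters here.
        msg.add_attachment(b"placeholder-attachment-bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one matching every indicator, one benign message.
SAMPLE_MATCH = build_sample(
    "Happy New Year",
    "Hii, I can't describe my feelings But all I can say\nis Happy new year :-) bye\n",
    "CHRISTMAS.EXE",
)
SAMPLE_CLEAN = build_sample("Quarterly report", "Attached as discussed.\n", "report.pdf")

if __name__ == "__main__":
    print(match_maldal_c(SAMPLE_MATCH))   # ['subject', 'body', 'attachment']
    print(match_maldal_c(SAMPLE_CLEAN))   # []
```

Matching on all three indicators together keeps false positives low: a New Year greeting with a different attachment, or an unrelated file named CHRISTMAS.EXE, each produces only a partial match, which a mail filter can log rather than quarantine.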

Maldal disguises itself as a Christmas greeting card to hide its true function. When the attachment is run it displays a greeting card featuring Santa Claus and a reindeer (either Rudolph or Dasher, but our virus experts are still debating the subject).

Then the worm copies itself into the Windows directory as 'Christmas.exe'. This copy of Maldal.C is added to the registry run keys as:

   '[HKLM]\Software\Microsoft\Windows\CurrentVersion\Run\Zacker'

Thus it will be started every time Windows starts up.

After being executed the worm disables the keyboard and attempts to delete everything from the Windows System directory.

It sets the computer name to 'ZaCker' and changes Internet Explorer's start page to an infected web page displaying this text:

                Sharoon = a war crimenal
                    Bush supports him
                            So...
                  Bush = a war crimenal
     American people must protect their country
                      otherwise, their
        government will lead them to the hell !


                       Best Regards
                     America Lovers
                        ZA-UNION

When this page is viewed using Internet Explorer, the JavaScript code in the page executes, exploiting a VM ActiveX control vulnerability. The JavaScript code creates a file named 'rol.vbs' in the root of the Windows installation drive and executes it.

Now Maldal.C will try to delete everything in the following directories on the Windows installation drive:

    Program Files\Zone Labs
    Program Files\AntiViral Toolkit Pro
    Program Files\Command Software\F-PROT95
    eSafe\Protect
    PC-Cillin 95
    PC-Cillin 97
    Program Files\Quick Heal
    Program Files\FWIN32
    Program Files\FindVirus
    Toolkit\FindVirus
    f-macro
    Program Files\McAfeeVirusScan95
    Program Files\Norton AntiVirus
    TBAVW95
    VS95
    rescue

The worm will also drop a file called DaLaL.htm into the Windows System directory, which contains a link to the second part of the worm. This file is copied, along with a copy of the worm named 'server.vbs', to the root of each mapped network drive.

Next the worm searches through every fixed and network drive and appends the content of 'DaLaL.htm' to each file with the extension ".htm", ".html" or ".asp".

The worm will also delete files with the following extensions:

 .lnk
 .zip 
 .jpg 
 .jpeg
 .mpg
 .mpeg
 .doc
 .xls 
 .mdb
 .txt
 .ppt
 .pps
 .ram
 .rm
 .mp3
 .swf

After deleting a file, it creates a copy of itself under the same name and extension as the original, with a .vbs extension appended to the name.
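The deletion and replacement behaviour leaves recognisable traces on disk: files whose names end in one of the listed extensions followed by .vbs, and the dropped files named earlier in this description ('Christmas.exe', 'rol.vbs', 'server.vbs', 'DaLaL.htm'). The Python script below is an added example for this page, not FRISK or F-Secure code; it triages a list of file paths against those two patterns so an analyst can pick out likely artifacts from a directory listing. The listing it uses is constructed for the demonstration, not taken from a real infected machine.

```python
import os
from pathlib import PureWindowsPath

# Extensions the description lists as deleted and replaced by the worm.
TARGET_EXTENSIONS = {
    ".lnk", ".zip", ".jpg", ".jpeg", ".mpg", ".mpeg", ".doc", ".xls", ".mdb",
    ".txt", ".ppt", ".pps", ".ram", ".rm", ".mp3", ".swf",
}

# File names the description says the worm drops (matched case-insensitively).
DROPPED_NAMES = {"christmas.exe", "rol.vbs", "server.vbs", "dalal.htm"}


def classify_path(path: str):
    """Return a reason string if the path looks like a Maldal.C artifact, else None.

    Paths are treated as Windows paths so that drive letters and backslashes
    are handled even when this runs on a non-Windows analysis host.
    """
    name = PureWindowsPath(path).name.lower()
    if name in DROPPED_NAMES:
        return "dropped-file-name"
    # Replacement copies keep the original name and extension and append .vbs,
    # so 'photo.jpg' becomes 'photo.jpg.vbs'. A plain 'script.vbs' is not flagged.
    if name.endswith(".vbs"):
        inner_ext = os.path.splitext(name[: -len(".vbs")])[1]
        if inner_ext in TARGET_EXTENSIONS:
            return "double-extension-copy"
    return None


def triage(paths):
    """Map each suspicious path to its reason; paths with no finding are omitted."""
    findings = {}
    for p in paths:
        reason = classify_path(p)
        if reason:
            findings[p] = reason
    return findings


# Constructed directory listing for demonstration; not from a real infection.
SAMPLE_LISTING = [
    r"C:\Documents\budget.xls",
    r"C:\Documents\budget.xls.vbs",
    r"C:\Documents\notes.txt.vbs",
    r"C:\WINDOWS\Christmas.exe",
    r"C:\WINDOWS\SYSTEM\DaLaL.htm",
    r"C:\rol.vbs",
    r"Z:\server.vbs",                      # mapped network drive root
    r"C:\Program Files\Tool\macros.vbs",   # legitimate single-extension .vbs
    r"C:\Photos\holiday.jpg",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING).items():
        print(f"{reason:22} {path}")
```

A double-extension hit next to a missing original (here 'budget.xls.vbs' beside a still-present 'budget.xls') is worth noting during response: the description says the original is deleted first, so a surviving original suggests the copy came from another source and the file may be recoverable.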

W32/Maldal.C@mm also searches for the mIRC configuration file and replaces it. After that, the infected user's mIRC client sends a message whenever another user joins the same IRC channel. This message also contains a link to the infected web page.

Finally, if the script runs more than 30 minutes after the initial infection and the current seconds value of the clock equals five, it attempts to delete all files from the system, shows a message box and shuts down Windows.

The second part of the worm behaves in the same way as the first part, except that it drops another file into the Windows system directory - - and executes it. This file then sends a message with a link to itself to all recipients listed in the Outlook Contacts folder.

The message has the following content:

    Subject: Very important !!!
    Body:   See this page
            http://geocities.com/Xxxxxxx/xxx.htm

W32/Maldal@mm is detected and disinfected by F-Prot Antivirus™, version 3.11a, using virus definition files from the 19th of December or later.



[December 20th, 2001. This analysis was based on information from our partner company F-Secure Corp.: Katrin Tocheva, Gergely Erdelyi, and Sami Rautiainen ]