Email-Worm.Win32.Maldal

Detect Date 01/11/2002
Class Email-Worm
Platform Win32
Description

Technical Details

This is a dangerous virus-worm that spreads via the Internet attached to
infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm
also creates destructive payloads.

The worm itself is a Windows PE EXE file about 36.5K in length, and is written in
Visual Basic 5.

The infected messages contain:

The worm is activated from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system, runs its spreading routine and
payload. It displays the following picture only once:

Installation

While installing, the worm copies itself to the Windows system directory with the
name “Christmas.exe” and registers this file in the system registry auto-run key.

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Zacker = < windir >Christmas.exe

Spreading via E-mail

To send infected messages, the worm uses MS Outlook, and sends messages to
all addresses found in the Outlook address book.

Installation of the other worm

The worm changes a start page for the Internet Explorer to the:http://geocities.com/jobreee/ZaCker.htm*.

This HTM file contains another Internet worm: VBS.Kerza that
will be run after Internet Explorer has been started.

Destructive payload

The worm blocks a keyboard and tries to delete all files in the Windows
System directory.

*WARNING: DO NOT USE THIS LINK!