Maldal

Type: Mass mailer worm
Date Discovered: 2001.12.12
Place of Origin: South Africa
Source Language: Visual Basic
Platform: MS Windows
File Type(s): .exe

Maldal, also known as Zacker, Reeezack or Keyluc, is an email worm from 2001. Its third variant carried a prominent Christmas/New Year greeting.

Behavior

Maldal arrives in an email with a subject line of “XXXX is a millionaire”. The message body will look like:

  Hi
  Your Friend
  invites you to be a millionaire
  and says :
  Wow..its really cool Test your
  lock ;) just keep this
  advertisements pro run 
  and you will get 0.25 $ every
  30 minutes for more info visit
  our site :
  http://finance.com
  Good Luck
  Wo-finance Team

The attachment is named LucKey.exe. When the attachment is executed, it copies itself as LucKey.exe to the Windows folder and as DALAH.exe to the system folder. It may also copy itself to Drive A: with the name Malal.exe. Maldal mails itself to everyone in the Outlook address book.

Maldal creates up to 10,000 copies of itself on the hard disk with the names ZA-Union[number].exe, Sharoon[number].exe, Bush[number].exe and BinLadin[number].exe, where [number] is any number between 0 and 9999. The worm sets the Explorer home page to a site hosted by Oregon State University. It searches for all files with the extensions .mdb, .zip, .doc, .XLS, .txt, .jpg, .ram, .rm, .mpeg, .mpg, .mid, .mp3, .jpeg, .lnk and .pst and overwrites their contents with the text:

  Sharoon = a war crimenal
  Bush supports him
  So...
  Bush = a war crimenal
  American people must protect their country otherwise, their
  government will lead them to the hell !
  Best Regards
  America Lovers
    ZA-UNION

Variants

Maldal.C

Maldal.C appeared on December 19. Its subject line is "Happy New Year" and the attachment is christmas.exe. The message body is:

  Hii , I can't describe my feelings But all I can say
  is Happy new year :-) bye

[Image: Maldal.C, wishing you a merry Christmas]

When Maldal.C is executed, it displays a window with a picture of Santa Claus with a reindeer and a new year message. It copies itself to the Windows folder as Christmas.exe. This file is registered with the local machine run key so it will run when the system starts.

The worm changes the computer's name to ZaCker. It sets the home page to a Geocities website containing the same "Sharoon" text that the original variant writes into the files it overwrites. This page carries a JavaScript file that creates a file named "rol.vbs" in the root of the drive Windows is installed on.

It then deletes all files it finds in the following directories:

  • Program Files\Zone Labs
  • Program Files\AntiViral Toolkit Pro
  • Program Files\Command Software\F-PROT95
  • eSafe\Protect
  • PC-Cillin 95
  • PC-Cillin 97
  • Program Files\Quick Heal
  • Program Files\FWIN32
  • Program Files\FindVirus
  • Toolkit\FindVirus
  • f-macro
  • Program Files\McAfeeVirusScan95
  • Program Files\Norton AntiVirus
  • TBAVW95
  • VS95
  • rescue

Maldal.C also drops a file named DaLaL.htm, which contains code to download another part of the worm, into the system folder. It attaches this file to the end of all files on all fixed and network drives with a .htm, .html or .asp extension.

It deletes all files with the extensions .lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3 and .swf. After deleting the files, it creates copies of itself under the names of all the files it has deleted, with .vbs appended to each name. The worm replaces the mirc.ini configuration file with one that sends other users of the same channel a message containing a link to the infected web page.

The worm locks the keyboard and proceeds to delete everything from the system folder. If the worm has been running for more than 30 minutes and was executed when the number of seconds was 5, it deletes all files on the system, displays a message and shuts the system down.

Maldal.K

Maldal.K arrives as a message claiming to be from the White House asking for the user's opinion on peace in the Middle East. The subject is "FWD:Please read the message". The attachment is named PeaceMessanger.Exe. There are two possibilities for the message body. One is:

 Whitehouse.gov invites you to give and share your
 opinion about the war in the Middle East .
 Your voices may change the destny of two countries.
 Palestine , Israel and peace .
 These things are what you should write about.
 Your message will be sent to Whitehouse.gov and
 it will be shown in the main page.
 Downloade the Peace Messanger and send us your info:
  http://mypage.ayna.com/whitehouse
  /MiddleastWar/Usersvoices

  PeaceMessanger.exe
  Know that your message will not be ignored.
  Thank you .

The other looks like this:

  I've recieved a message from the Whitehouse.gov
  asking me to give my opinion about the war in
  the Middle East using the Peace Messanger I
  attached . Send your opinion and ask them
  to kill Sharon .

[Image: Message sent]
[Image: Filled and sending]
[Image: Dialog box]

When executed, it displays a dialog containing fields where it asks for several pieces of data, including name, country and email. It also allows the user to write their own message.

When the user fills it out and sends it, it generates a message that is sent to the address aaz111@hotmail.com and contains the information the user entered. When sent, it looks something like this:

  To: Bush <aaz111@hotmail.com>
  Subject: Middle East War Message Subject: Middle
  East War Message
  Text: Im <the first and last name entered> from
  <country entered>. My message is <the message entered>
  Attachment: PeaceMessanger.Exe
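The lure and file-naming indicators listed for the three variants (the original's mail subject and dropped copies, Maldal.C's deleted-file .vbs replacements, and Maldal.K's "Please read the message" lure) can be folded into a small triage helper. This is an added example for responders, not code from the page's sources; the sample subjects and paths fed to it are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Mail lures documented on the page: (subject fragment, attachment name) -> variant.
LURES = {
    ("is a millionaire", "luckey.exe"): "Maldal (original)",
    ("happy new year", "christmas.exe"): "Maldal.C",
    ("fwd:please read the message", "peacemessanger.exe"): "Maldal.K",
}

# Names the worm writes itself under; the four prefixes take a 0-9999 suffix.
DROPPED_RE = re.compile(r"^(za-union|sharoon|bush|binladin)\d{1,4}\.exe$", re.I)
FIXED_NAMES = {"luckey.exe", "dalah.exe", "malal.exe", "christmas.exe", "dalal.htm"}

# Extensions Maldal.C deletes, leaving a copy of itself as <original name>.vbs.
VICTIM_EXTS = {".lnk", ".zip", ".jpg", ".jpeg", ".mpg", ".mpeg", ".doc", ".xls",
               ".mdb", ".txt", ".ppt", ".pps", ".ram", ".rm", ".mp3", ".swf"}


def classify_lure(subject: str, attachment: str) -> Optional[str]:
    """Return the variant whose documented lure matches, else None."""
    s, a = subject.lower(), attachment.lower()
    for (needle, att), variant in LURES.items():
        if needle in s and a == att:
            return variant
    return None


def suspicious_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag paths whose file name matches a documented worm artifact."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in FIXED_NAMES or DROPPED_RE.match(name):
            hits.append((p, "worm copy"))
        elif name.endswith(".vbs") and PureWindowsPath(name[:-4]).suffix in VICTIM_EXTS:
            # e.g. report.doc.vbs: the deleted document's name plus .vbs
            hits.append((p, "deleted-file replacement"))
    return hits


if __name__ == "__main__":
    # Constructed sample data, not real captures.
    print(classify_lure("Bob is a millionaire", "LucKey.exe"))
    print(suspicious_paths([r"C:\Windows\LucKey.exe", r"C:\Bush1234.exe",
                            r"C:\docs\report.doc.vbs", r"C:\docs\report.doc"]))
```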

Effects

The worm did not spread very far. There were some reports of the C variant in Europe and the United Kingdom. It appears to have originated in South Africa, though it is unknown whether it did any significant damage there. Message Labs reported 925 incidents on the first day the .C variant was spreading.

Sources

Gergely Erdelyi, Katrin Tocheva, Sami Rautiainen. F-Secure Antivirus, F-Secure Virus Descriptions : Maldal.

VSantivirus, W32/Maldal.K. 2002.04.24

Dennis Fisher. PC Magazine, Christmas Virus Spreading on Net. 2001.12.19

Wendy McAuliffe. ZDNet, 'Happy New Year' worm hits Windows. 2001.12.19

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License