Maldal | |
---|---|
Type | Mass mailer worm |
Creator | |
Date Discovered | 2001.12.12 |
Place of Origin | South Africa |
Source Language | Visual Basic |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | |
Reported Costs | |
Maldal, also known as Zacker, Reeezack or Keyluc, is an email worm from 2001. Its third variant (Maldal.C) carried a prominent Christmas/New Year greeting.
Behavior
Maldal arrives in an email with a subject line of “XXXX is a millionaire”. The message body will look like:
Hi
Your Friend
invites you to be a millionaire
and says :
Wow..its really cool Test your
lock ;) just keep this
advertisements pro run
and you will get 0.25 $ every
30 minutes for more info visit
our site :
http://finance.com
Good Luck
Wo-finance Team
The attachment is named LucKey.exe. When the attachment is executed, the worm copies itself as LucKey.exe to the Windows folder and as DALAH.exe to the system folder. It may also copy itself to drive A: under the name Malal.exe. Maldal then mails itself to everyone in the Outlook address book.
Maldal creates up to 10,000 copies of itself on the hard disk with the names ZA-Union[number].exe, Sharoon[number].exe, Bush[number].exe and BinLadin[number].exe, where [number] is a value between 0 and 9999. The worm sets the Explorer home page to a site hosted by Oregon State University. It searches for all files with the extensions .mdb, .zip, .doc, .XLS, .txt, .jpg, .ram, .rm, .mpeg, .mpg, .mid, .mp3, .jpeg, .lnk and .pst and overwrites their contents with the following text:
Sharoon = a war crimenal
Bush supports him
So...
Bush = a war crimenal
American people must protect their country otherwise, their
government will lead them to the hell !
Best Regards
America Lovers
ZA-UNION
Variants
Maldal.C
Maldal.C appeared on December 19. Its subject line is "Happy New Year" and its attachment is christmas.exe. The message body is:
Hii , I can't describe my feelings But all I can say
is Happy new year :-) bye
[Image: Maldal.C, wishing you a merry Christmas]
When Maldal.C is executed, it displays a window with a picture of Santa Claus and a reindeer and a New Year message. It copies itself to the Windows folder as Christmas.exe and registers that file under the local machine Run key so that it is launched at every system start.
The worm changes the computer's name to ZaCker. It sets the browser home page to a Geocities website containing the same "Sharoon" text that the original variant writes into the files it overwrites. This page carries JavaScript that creates a file named "rol.vbs" in the root of the drive on which Windows is installed.
It then deletes all files it finds in the following directories:
- Program Files\Zone Labs
- Program Files\AntiViral Toolkit Pro
- Program Files\Command Software\F-PROT95
- eSafe\Protect
- PC-Cillin 95
- PC-Cillin 97
- Program Files\Quick Heal
- Program Files\FWIN32
- Program Files\FindVirus
- Toolkit\FindVirus
- f-macro
- Program Files\McAfeeVirusScan95
- Program Files\Norton AntiVirus
- TBAVW95
- VS95
- rescue
Maldal.C also drops a file named DaLaL.htm, containing code that downloads another part of the worm, into the system folder. It appends this file to every file with a .htm, .html or .asp extension on all fixed and network drives.
It deletes all files with the extensions .lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3 and .swf. After deleting them, it creates copies of itself under the deleted files' names with .vbs appended (a deleted report.doc, for example, leaves behind a worm copy named report.doc.vbs). The worm replaces the mirc.ini configuration file with one that sends other users of the same channel a message containing a link to the infected web page.
The worm locks the keyboard and proceeds to delete everything from the system folder. If the worm has been running for more than 30 minutes and was launched at a moment when the seconds value of the clock was 5, it deletes all files on the system, displays a message and shuts the system down.
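The file-system artifacts described above for the original variant (the fixed drop names, the numbered mass copies, the overwritten documents) and for Maldal.C (worm copies named after deleted files) can be triaged from a directory listing together with the first bytes of each file. The following Python is an added example written for this page, not code from the worm or from any vendor description; the paths and contents in SAMPLE are constructed.

```python
import re

# Fixed file names dropped by the original variant and by Maldal.C (from the text above).
FIXED_DROPS = {"luckey.exe", "dalah.exe", "malal.exe", "christmas.exe", "dalal.htm", "rol.vbs"}
# Original variant: up to 10,000 copies named <prefix><0-9999>.exe.
MASS_COPY = re.compile(r"^(za-union|sharoon|bush|binladin)\d{1,4}\.exe$", re.I)
# Original variant overwrites these document types with the "Sharoon" text.
OVERWRITE_EXTS = "mdb zip doc xls txt jpg ram rm mpeg mpg mid mp3 jpeg lnk pst".split()
OVERWRITE_MARKER = b"Sharoon = a war crimenal"
# Maldal.C deletes these types and leaves a worm copy named <original name>.vbs.
DELETED_EXTS = "lnk zip jpg jpeg mpg mpeg doc xls mdb txt ppt pps ram rm mp3 swf".split()
DOUBLE_EXT = re.compile(r"\.(%s)\.vbs$" % "|".join(DELETED_EXTS), re.I)

def classify(name, head=b""):
    """Label one file from its basename and its first bytes; None if nothing matches."""
    low = name.lower()
    if low in FIXED_DROPS:
        return "dropped-worm-file"
    if MASS_COPY.match(low):
        return "mass-copy"
    if DOUBLE_EXT.search(low):
        return "maldal.c-vbs-copy"
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    if ext in OVERWRITE_EXTS and head.lstrip().startswith(OVERWRITE_MARKER):
        return "overwritten-document"
    return None

def triage(listing):
    """listing maps path -> first bytes of the file; returns {path: label} for every hit."""
    hits = {}
    for path, head in listing.items():
        label = classify(path.replace("\\", "/").rsplit("/", 1)[-1], head)
        if label:
            hits[path] = label
    return hits

# Constructed sample listing (hypothetical paths and contents, not captured data).
SAMPLE = {
    r"C:\Windows\LucKey.exe": b"MZ\x90\x00",
    r"C:\Windows\System\DALAH.exe": b"MZ\x90\x00",
    r"C:\Docs\Bush4212.exe": b"MZ\x90\x00",
    r"C:\Docs\budget.xls": b"Sharoon = a war crimenal\r\nBush supports him",
    r"C:\Docs\report.doc.vbs": b"On Error Resume Next",
    r"C:\Docs\notes.txt": b"meeting at 10",
    r"C:\Docs\archive.zip": b"PK\x03\x04",
}

if __name__ == "__main__":
    for path, label in sorted(triage(SAMPLE).items()):
        print(f"{label:22} {path}")
```

The content check matters for the overwritten documents: their names are unchanged, so only the "Sharoon" text replacing the expected file header (for example "PK" for a .zip) reveals the damage.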
Maldal.K
Maldal.K arrives as a message claiming to be from the White House, asking for the user's opinion on peace in the Middle East. The subject is "FWD:Please read the message" and the attachment is named PeaceMessanger.Exe. There are two possible message bodies. One is:
Whitehouse.gov invites you to give and share your
opinion about the war in the Middle East .
Your voices may change the destny of two countries.
Palestine , Israel and peace .
These things are what you should write about.
Your message will be sent to Whitehouse.gov and
it will be shown in the main page.
Downloade the Peace Messanger and send us your info:
http://mypage.ayna.com/whitehouse
/MiddleastWar/Usersvoices
PeaceMessanger.exe
Know that your message will not be ignored.
Thank you .
The other looks like this:
I've recieved a message from the Whitehouse.gov
asking me to give my opinion about the war in
the Middle East using the Peace Messanger I
attached . Send your opinion and ask them
to kill Sharon .
[Images: Message sent; Filled and sending; Dialog box]
When executed, it displays a dialog with fields asking for several pieces of data, including name, country and email address, and a box in which the user can write their own message.
When the user fills out the form and sends it, the worm generates an email containing the entered information and sends it to the address aaz111@hotmail.com. The sent message looks something like this:
To: Bush <aaz111@hotmail.com>
Subject: Middle East War Message
Text: Im <the first and last name entered> from
<country entered>. My message is <the message entered>
Attachment: PeaceMessanger.Exe
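The lure messages described for the original variant, Maldal.C and Maldal.K, and the outbound form submission of Maldal.K, can be recognized at a mail gateway from the pairing of subject line and attachment name. This Python is an added example for this page, not code from the page's sources; the sample messages are constructed with the standard library's email package and the example.invalid addresses are placeholders.

```python
import re
from email.message import EmailMessage

# Subject pattern and attachment name of each variant's lure, from the text above.
LURES = [
    ("maldal", re.compile(r"\bis a millionaire$", re.I), "luckey.exe"),
    ("maldal.c", re.compile(r"^happy new year$", re.I), "christmas.exe"),
    ("maldal.k", re.compile(r"^fwd:\s*please read the message$", re.I), "peacemessanger.exe"),
]
EXFIL_ADDR = "aaz111@hotmail.com"  # Maldal.K posts the victim's form entries here

def attachment_names(msg):
    """Lower-cased filenames of the attachment parts of a parsed message."""
    return {p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()}

def classify_mail(msg):
    """Return a label for a Maldal lure or a Maldal.K form submission, else None."""
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    for variant, pattern, attachment in LURES:
        if attachment in names and pattern.search(subject):
            return variant + "-lure"
    if "peacemessanger.exe" in names and EXFIL_ADDR in (msg.get("To") or "").lower():
        return "maldal.k-exfil"  # infected host sending the filled-in form to the author
    return None

def build(subject, to, body, attachment=None):
    """Constructed sample message; example.invalid addresses are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.invalid", to, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

SAMPLES = {
    "lure_a": build("Alice is a millionaire", "victim@example.invalid",
                    "invites you to be a millionaire", "LucKey.exe"),
    "lure_c": build("Happy New Year", "victim@example.invalid",
                    "Hii , I can't describe my feelings", "christmas.exe"),
    "exfil_k": build("Middle East War Message", "Bush <aaz111@hotmail.com>",
                     "Im Alice from Nowhere. My message is hi", "PeaceMessanger.Exe"),
    "benign": build("Happy New Year", "victim@example.invalid", "best wishes", "card.jpg"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:8} -> {classify_mail(msg)}")
```

Requiring both the subject and the attachment name keeps ordinary "Happy New Year" mail from being flagged, while the exfiltration rule catches the already-infected host regardless of subject.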
Effects
The worm did not spread very far. There were some reports of the C variant in Europe and the United Kingdom. It appears to have originated in South Africa, though it is unknown whether it did any significant damage there. Message Labs reported 925 incidents on the first day the .C variant was spreading.