Type: Mass mailer worm
Place of origin: South Africa
Source language: Visual Basic
Maldal, also known as Zacker, Reeezack or Keyluc, is an email worm from 2001. Its third variant contained a prominent Christmas/New Year greeting.
Maldal arrives in an email with a subject line of “XXXX is a millionaire”. The message body will look like:
Hi Your Friend invites you to be a millionaire and says : Wow..its really cool Test your lock ;) just keep this advertisements pro run and you will get 0.25 $ every 30 minutes for more info visit our site : http://finance.com Good Luck Wo-finance Team
The attachment is named LucKey.exe. When the attachment is executed, it copies itself as LucKey.exe to the Windows folder and as DALAH.exe to the system folder. It may also copy itself to Drive A: with the name Malal.exe. Maldal mails itself to everyone in the Outlook address book.
Maldal creates up to 10,000 copies of itself on the hard disk with the names ZA-Union[number].exe, Sharoon[number].exe, Bush[number].exe and BinLadin[number].exe, where the number is any number between 0 and 9999. The worm sets the Explorer home page to a site hosted by Oregon State University. It searches for all files with the extensions .mdb, .zip, .doc, .XLS, .txt, .jpg, .ram, .rm, .mpeg, .mpg, .mid, .mp3, .jpeg, .lnk and .pst and overwrites their contents with the text:
Sharoon = a war crimenal Bush supports him So... Bush = a war crimenal American people must protect their country otherwise, their government will lead them to the hell ! Best Regards America Lovers ZA-UNION
Maldal.C appeared on December 19. Its subject line is "Happy New Year" and the attachment is christmas.exe. The message body is:
Hii , I can't describe my feelings But all I can say is Happy new year :-) bye
[Image: Maldal.C, wishing you a merry Christmas]
When Maldal.C is executed, it displays a window with a picture of Santa Claus with a reindeer and a new year message. It copies itself to the Windows folder as Christmas.exe. This file is registered in the local machine Run registry key so that it runs when the system starts.
It then deletes all files it finds in the following directories:
- Program Files\Zone Labs
- Program Files\AntiViral Toolkit Pro
- Program Files\Command Software\F-PROT95
- PC-Cillin 95
- PC-Cillin 97
- Program Files\Quick Heal
- Program Files\FWIN32
- Program Files\FindVirus
- Program Files\McAfeeVirusScan95
- Program Files\Norton AntiVirus
Maldal.C also drops a file named DaLaL.htm, which contains code to download another part of the worm, into the system folder. It attaches this file to the end of all files on all fixed and network drives with a .htm, .html or .asp extension.
It deletes all files with the extensions .lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3 and .swf. After deleting the files, it creates copies of itself using the names of all the files it has deleted with .vbs added to the name. The worm replaces the mirc.ini configuration file with one that sends other users of the same channel a message containing a link to the infected webpage.
The worm locks the keyboard and proceeds to delete everything from the system folder. If the worm has been running for more than 30 minutes and was executed when the number of seconds was 5, it deletes all files on the system, displays a message and shuts down the system.
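The file-system indicators described above for the original variant (copies named ZA-Union[number].exe and similar, data files overwritten with the "Sharoon = a war crimenal" text) and for Maldal.C (deleted files recreated with .vbs appended, DaLaL.htm appended to .htm/.html/.asp files) can be checked for on a recovered disk image or a mounted volume. The scanner below is an added example written for this article, not code from the original page or from any antivirus vendor's description; the contents of DaLaL.htm are not given on the page, so `SAMPLE_PAYLOAD` is a constructed placeholder standing in for the bytes of the real dropped file, and the whole sample directory is constructed inside a temporary folder.

```python
import os
import re
import tempfile

# Copy names used by the original variant: ZA-Union[number].exe, Sharoon[number].exe,
# Bush[number].exe and BinLadin[number].exe, where number is 0..9999.
DROPPER_NAME = re.compile(r"^(ZA-Union|Sharoon|Bush|BinLadin)\d{1,4}\.exe$", re.IGNORECASE)

# Extensions Maldal.C deletes and then recreates as worm copies with ".vbs" appended
# (report.doc -> report.doc.vbs).
DELETED_EXTS = {".lnk", ".zip", ".jpg", ".jpeg", ".mpg", ".mpeg", ".doc", ".xls",
                ".mdb", ".txt", ".ppt", ".pps", ".ram", ".rm", ".mp3", ".swf"}

# Opening words of the text the original variant writes over data files.
OVERWRITE_MARKER = b"Sharoon = a war crimenal"

# File types to which Maldal.C appends DaLaL.htm.
WEB_EXTS = {".htm", ".html", ".asp"}

# Constructed placeholder for the dropped DaLaL.htm; the real bytes are not on the page.
SAMPLE_PAYLOAD = b"<!-- constructed placeholder for DaLaL.htm -->\n"


def is_dropper_name(name):
    """True for file names that follow the worm's copy-naming pattern."""
    return DROPPER_NAME.match(name) is not None


def is_vbs_double_extension(name):
    """True for names like photo.jpg.vbs: a deleted data file recreated as a worm copy."""
    base, ext = os.path.splitext(name)
    if ext.lower() != ".vbs":
        return False
    _, inner = os.path.splitext(base)
    return inner.lower() in DELETED_EXTS


def ends_with_payload(path, payload):
    """True if the file's last len(payload) bytes equal payload (appended dropper)."""
    size = os.path.getsize(path)
    if size < len(payload):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(payload))
        return fh.read() == payload


def starts_with_marker(path, marker):
    """True if the file begins with the worm's overwrite text."""
    with open(path, "rb") as fh:
        return fh.read(len(marker)) == marker


def scan_tree(root, appended_payload):
    """Walk root and return a sorted list of (relative path, reason) for each indicator hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if is_dropper_name(name):
                findings.append((rel, "worm copy name pattern"))
            elif is_vbs_double_extension(name):
                findings.append((rel, "deleted file recreated as .vbs"))
            elif ext in WEB_EXTS and ends_with_payload(path, appended_payload):
                findings.append((rel, "DaLaL.htm appended to web file"))
            elif ext != ".vbs" and starts_with_marker(path, OVERWRITE_MARKER):
                findings.append((rel, "data file overwritten with worm text"))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files: some clean, one for each indicator."""
    samples = {
        "ZA-Union4711.exe": b"MZ",                             # worm copy name
        "Bush12345.exe": b"MZ",                                # five digits: outside 0..9999, clean
        "docs/report.doc.vbs": b"' constructed",               # data file recreated as .vbs
        "docs/notes.txt": OVERWRITE_MARKER + b" ...",          # overwritten with worm text
        "docs/budget.xls": b"\xd0\xcf\x11\xe0 clean",          # clean
        "web/index.htm": b"<html></html>\n" + SAMPLE_PAYLOAD,  # payload appended
        "web/about.html": b"<html>clean</html>\n",             # clean
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temporary folder, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real volume, call `scan_tree` with the mount point and the bytes of a recovered DaLaL.htm sample in place of `SAMPLE_PAYLOAD`; the name-pattern and .vbs checks need no sample at all, which makes them the cheapest first pass over a large tree.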
Maldal.K arrives as a message claiming to be from the White House asking for the user's opinion on peace in the Middle East. The subject is "FWD:Please read the message". The attachment is named PeaceMessanger.Exe. There are two possibilities for the message body. One is:
Whitehouse.gov invites you to give and share your opinion about the war in the Middle East . Your voices may change the destny of two countries. Palestine , Israel and peace . These things are what you should write about. Your message will be sent to Whitehouse.gov and it will be shown in the main page. Downloade the Peace Messanger and send us your info: http://mypage.ayna.com/whitehouse /MiddleastWar/Usersvoices PeaceMessanger.exe Know that your message will not be ignored. Thank you .
The other looks like this:
I've recieved a message from the Whitehouse.gov asking me to give my opinion about the war in the Middle East using the Peace Messanger I attached . Send your opinion and ask them to kill Sharon .
[Image: Filled and sending]
When executed, it displays a dialog containing fields where it asks for several pieces of data, including name, country and email. It also allows the user to write their own message.
When the user fills it out and sends it, it generates a message that is sent to the address firstname.lastname@example.org and contains the information the user entered. When sent, it looks something like this:
To: Bush <email@example.com> Subject: Middle East War Message Subject: Middle East War Message Text: Im <the first and last name entered> from <country entered>. My message is <the message entered> Attachment: PeaceMessanger.Exe
The worm did not spread very far. There were some reports of the C variant in Europe and the United Kingdom. It appears to have originated in South Africa, though it is unknown whether it did any significant damage there. Message Labs reported 925 incidents on the first day of the .C variant spreading.