Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mari

Win32/Mari is a worm written in Visual Basic. It spreads as an e-mail attachment. The subject of the message is "check this out!!!" and the attachment is the file SYSTEM32.exe. When the attachment is executed, the worm copies itself to C:\WinNT\SYSTEM32.exe on Windows NT and to C:\Windows\SYSTEM32.exe on Windows 95/98/ME (note that this is a file placed directly in the Windows directory, named so as to resemble the system folder). To ensure it is started again after the operating system restarts, the worm adds the value System32 to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing at C:\Windows\SYSTEM32.exe (Windows 95/98/ME) or C:\WinNT\SYSTEM32.exe (Windows NT). An active worm reveals itself by adding a green icon in the shape of a hemp leaf to the taskbar notification area.

If the mouse cursor is moved over this icon, the text "LEGALISE IT!!!" is displayed. If you click on the icon, the following message is displayed:

The worm also modifies the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: it sets the value RegisteredOrganization to "Stoner's Pot Palace." and the value RegisteredOwner to "Im A Pot Head!". In addition it modifies the key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\ so that the start page of Microsoft Internet Explorer is changed to my.marijuana.com.

To spread, the worm uses Microsoft Outlook: it sends copies of itself to all contacts in the address book.

Another manifestation of the worm is the following window with this message:

This window is always displayed at 16:20 (twenty past four in the afternoon). After the "OK" button is clicked the window disappears, but about two seconds later it appears again, and this is repeated until the clock in the taskbar advances to 16:21.
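The following PowerShell triage script is an added example, not part of the ESET encyclopedia entry and not ESET's own tool. It checks a machine for the indicators described above (the Run-key entry, the dropped SYSTEM32.exe file in the Windows directory, the altered RegisteredOrganization/RegisteredOwner strings and the Internet Explorer start page) and removes the persistence and the dropped file when run with -Remove. Assumptions not stated on the page: the Run-key value is named "System32" as in the text, the start page is stored in the standard "Start Page" value under Internet Explorer\Main, and the running copy appears as a process named SYSTEM32; $env:SystemRoot is used to select C:\WinNT or C:\Windows. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script for the Win32/Mari indicators described above (not ESET code).
# Assumptions: Run value name "System32", IE value name "Start Page", process name
# "SYSTEM32", and $env:SystemRoot pointing at C:\WinNT or C:\Windows.
param([switch]$Remove)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$verKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
$dropped = @("$env:SystemRoot\SYSTEM32.exe")   # the worm's copy: a file, not the real System32 folder

$findings = @()

# 1. Run-key persistence: value "System32" pointing at the dropped file.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['System32']) {
    $findings += "Run entry System32 = $($run.System32)"
}

# 2. The dropped executable in the Windows directory.
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "Dropped file present: $f" }
}

# 3. Altered RegisteredOrganization / RegisteredOwner strings.
$ver = Get-ItemProperty -Path $verKey -ErrorAction SilentlyContinue
if ($ver.RegisteredOrganization -eq "Stoner's Pot Palace.") { $findings += 'RegisteredOrganization altered' }
if ($ver.RegisteredOwner -eq 'Im A Pot Head!')              { $findings += 'RegisteredOwner altered' }

# 4. Internet Explorer start page redirected to my.marijuana.com.
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -match 'marijuana\.com') {
    $findings += "IE Start Page = $($ie.'Start Page')"
}

if (-not $findings) { Write-Output 'No Win32/Mari indicators found.'; return }
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remove) {
    # Stop the running copy first so it cannot re-create the file or the Run entry.
    Get-Process -Name SYSTEM32 -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-ItemProperty -Path $runKey -Name System32 -ErrorAction SilentlyContinue
    foreach ($f in $dropped) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    # Reset the hijacked start page; the registration strings are left for the
    # administrator to restore to the organisation's correct values.
    if ($ie -and $ie.'Start Page' -match 'marijuana\.com') {
        Set-ItemProperty -Path $ieKey -Name 'Start Page' -Value 'about:blank'
    }
    Write-Output 'Cleanup done. Check RegisteredOwner/RegisteredOrganization manually.'
}
```

The script only reports by default; without -Remove it changes nothing, so it can be run across a fleet as a read-only check first. It does not touch the Outlook address book or the mail already sent, and it does not restore the registration strings, since their original values are not recoverable from the indicators alone.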

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.