Threat Encyclopedia


Win32/Maldal.C

Aliases: W32/Reeezak.A-mm, Win32/Zacker.C

Win32/Maldal.C is a worm written in Visual Basic.  It spreads as an attachment to email messages with the subject "Happy New Year" and the following message body:

Hii
I can't describe my feelings
But all i can say is
Happy New Year :)
bye

The attachment is the file Christmas.exe, which is the worm itself.  When run, the worm renames the computer to Zacker by changing the ComputerName value under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName.  It adds a value named Zacker under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it is started every time the infected system boots.  By changing the Start Page value under HKCU\Software\Microsoft\Internet Explorer\Main it sets http://geocities.com/jobreee/ZaCker.htm as the Internet Explorer start page, so the script in ZaCker.htm runs each time Internet Explorer is started.
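The lure described above can be stopped at the mail gateway before it reaches a user.  The following Python script is an added example, not ESET's code and not part of the worm: it parses a constructed copy of the message (not a real capture) with the standard library email package and flags the combination of the "Happy New Year" subject, the body text and an executable attachment named Christmas.exe.  The verdict labels, the placeholder attachment bytes and the list of extensions treated as executable are this example's own choices.

```python
"""Mail-gateway check for the Win32/Maldal.C lure described above (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_SUBJECT = "happy new year"
LURE_ATTACHMENT = "christmas.exe"
# Two phrases from the worm's message body; both must appear for a body match.
BODY_PHRASES = ("i can't describe my feelings", "happy new year")
# Extensions treated as executable content (this example's own list).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def attachment_names(msg):
    """Return the filenames of all attachment parts, in message order."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw):
    """Classify one RFC 5322 message (bytes) against the Maldal.C indicators.

    Verdicts: 'maldal.c' when subject and attachment name match, or when
    subject, body text and an executable attachment match together;
    'suspicious-exe' for any other executable attachment; 'clean' otherwise.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    names = attachment_names(msg)
    executables = [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]

    subject_hit = subject == LURE_SUBJECT
    name_hit = LURE_ATTACHMENT in [n.lower() for n in names]
    body_hit = all(p in body for p in BODY_PHRASES)

    if (subject_hit and name_hit) or (subject_hit and body_hit and executables):
        verdict = "maldal.c"
    elif executables:
        verdict = "suspicious-exe"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject, "attachments": names}


def build_lure_sample():
    """Constructed message reproducing the lure described above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Happy New Year"
    msg.set_content("Hii\nI can't describe my feelings\nBut all i can say is\n"
                    "Happy New Year :)\nbye\n")
    # Placeholder bytes with a PE-style 'MZ' header; this is not the worm.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="Christmas.exe")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed greeting with the same subject but no attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Happy New Year"
    msg.set_content("Happy New Year to you and your family!\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_lure_sample(), build_benign_sample()):
        print(classify(sample))
```

The subject alone is not an indicator, since legitimate greetings carry it too; the check only fires on the subject combined with the attachment name or with the body text plus an executable attachment, and any other executable attachment is reported separately for policy handling.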
The worm then displays a window with a drawing of Santa Claus and a reindeer and the text "From the hearth, Happy new year", and finally disables the keyboard.  The script in ZaCker.htm, now loaded as the Internet Explorer start page, changes the start page to http://www.orst.edu/groups/msa/everwonder.swf, a page devoted to Islam.  It then creates the file Rol.vbs in the Windows installation directory and executes it.  Finally, it displays the following political text, misspellings included, in red in the browser window:

Sharoon = a war crimenal
Bush supports him
So...
Bush = a war crimenal
American people must protect their country otherwise, their
government will lead them to the hell !

The script in Rol.vbs writes the current minute count into the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ZaCker, which it later uses as a timer.  It also sets http://www.orst.edu/groups/msa/everwonder.swf as the Internet Explorer start page in the registry, copies itself as ZaCker.vbs into a subdirectory of the Windows installation directory, and in the same directory creates the file DaLaL.htm containing code that opens a window to http://geocities.com/jobreee/main.htm.
The script then tries to delete the directory Program Files\Zone Labs and deletes all files in the following directories, which belong to antivirus and personal firewall products:

Program Files\AntiViral Toolkit Pro
Program Files\Command Software\F-PROT95
eSafe\Protect
PC-Cillin 95
PC-Cillin 97
Program Files\Quick Heal
Program Files\FWIN32
Program Files\FindVirus
Toolkit\FindVirus
f-macro
Program Files\McAfee\VirusScan95
Program Files\Norton AntiVirus
TBAVW95
VS95
rescue
Program Files\Zone Labs

The script then overwrites files with the extensions htm, html and asp with the code contained in DaLaL.htm.  It deletes files with the extensions lnk, zip, jpg, jpeg, mpg, mpeg, doc, xls, mdb, txt, ppt, pps, ram, rm, mp3 and swf and in their place creates a file with the same filename and a doubled extension, the second of which is always vbs (e.g. sonya.zip.vbs).  If it finds mirc.ini in a directory, it appends the following line to every .ini file there, so that the infected mIRC client sends the worm's web address to the channel whenever someone joins:

on 1:JOIN:#:/msg $chan See This Site http://geocities.com/jobreee/main.htm $nick!

If the current minute count exceeds the value stored in the registry key by 30 and the seconds value is 5, the script displays a message window; when the user clicks it, the computer is shut down.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.