Magold

ALIAS:Maya Gold, Auric
SIZE:240640
ORIGIN:Hungary

Summary

UPDATE (2003-06-20 10:00 GMT)

A new variant of Magold (Magold.E) was found on June 20th, 2003. For more information on Magold.E, see the bottom of this description.

UPDATE (2003-05-29 13:30 GMT)

A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.

Additional Details

As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over e-mail, P2P networks and IRC chat. It might also print Hungarian text on printers. The virus attempts to print a page with this text:

SEGÍTS NEKEM!!!
Én a nyomtató vagyok, és arra szeretnélek megkérni, hogy beszélj már a Windows-zal, mert ez már nem állapot!! Állandóan a hülye kérdéseivel, kéréseivel zaklat, 'Van még lapod?', 'Tudsz színesen nyomtatni?', 'Ezt most fektetve szeretném!', 'Készen állsz már?'. Gondolom te is egyetértesz velem, hogy ez így nem mehet tovább! Valamit tenni kell!
ÜDVÖZLETTEL MEGÉRTÕ ÉS SEGÍTÕKÉSZ BARÁTOD: A NYOMTATÓ
PUNK'S NOT DEAD =:-) =:-) =:-) =:-) ...

English translation:

HELP ME!
I'm the printer and would like to ask you to talk to Windows, because this is getting out of hand. It is continuously bugging me with silly questions and requests like: 'Do you still have paper?', 'Can you print in color?', 'I'd like to have this one in landscape mode.', 'Are you ready?'.
I think you agree with me that this cannot go on like this any longer. Something has to be done!
Regards,
Your sympathetic, helpful friend: The Printer


The virus may spoof the sender address when it sends itself via e-mail.

An example of an e-mail sent by the worm:

From: erotika@lap.hu
Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr

Tisztelt cím! Az EROTIKA.LAP.HU nézettségének növelése érdekében egy kis ízelítõt kíván adni kínálatából az Internet felhasználóknak! FIGYELEM: A 'Maya Gold.scr' nevû csatolt állomány egy képernyõvédõ. Mint a neve is mutatja Maya Gold pornószínésznõrõl tartalmaz különbözõ képeket. Az állományt ajánlott elõbb a lemezre menteni, majd utána futtatni.
Amennyiben valami problémája, kérdése van, írjon a következõ címre: erotika@lap.hu
Üdvözlettel: EROTIKA.LAP.HU

English translation:

Dear Recipient,
In order to increase the popularity of EROTIKA.LAP.HU, we would like to provide Internet users with a sample of our offers. WARNING: The attached file 'Maya Gold.scr' is a screen saver. As the name suggests, it contains pictures of the porn actress Maya Gold. It is recommended to save the file to disk first and then run it.
In case you have a problem or question you can write to the following address: erotika@lap.hu
Regards,
EROTIKA.LAP.HU


The virus contains several references to x-rated web sites and to the Hungarian porn actress Ms. Maya Gold.

Symptoms of infection may include removal of anti-virus programs, creation of many shortcuts on the desktop, and the mouse pointer being prevented from moving to certain portions of the screen.

F-Secure Anti-Virus detects Magold.A worm with the updates published on May 29th, 2003:

Version=2003-05-29_01

VARIANT:Magold.A
VARIANT:Magold.E
ALIAS:I-Worm.Magold.e
It copies itself to the Windows folder as:

dreAd.exe
Maya Gold.scr
dreAd\Maya Gold.scr

and under the System32 folder as:

wdread.exe

It creates a key in the Windows registry as:

[HKLM\SOFTWARE\dreAd]

to which it adds the following sub-keys for its own internal use:

datum
beepul
halozat
irc

It adds the following entries to the registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] raVe = %windir%\dreAd.exe
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] raVe = %windir%\dreAd.exe

It modifies the following keys:

HKLM\SOFTWARE\Classes\exefile\shell\open\command
HKLM\SOFTWARE\Classes\comfile\shell\open\command
HKLM\SOFTWARE\Classes\batfile\shell\open\command
HKLM\SOFTWARE\Classes\piffile\shell\open\command
HKLM\SOFTWARE\Classes\scrfile\shell\open\command

setting their values to:

'%windir%\dreAd.exe "%1" %*'

so that the worm is started every time a file of any of those types is run.
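The registry changes listed above can be checked offline against an exported registry file. The following Python is an added example, not F-Secure's tool or the registry fix referenced on this page; the function names, the stock handler values in `DEFAULTS` and the sample export are assumptions constructed for illustration.

```python
import re

# Stock open-command values for the five classes named above (assumed defaults).
DEFAULTS = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
            "piffile": '"%1" %*', "scrfile": '"%1" /S'}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
CMD_RE = re.compile(r"\\classes\\(\w+)\\shell\\open\\command$", re.I)
RUN_RE = re.compile(r"\\currentversion\\run(services)?$", re.I)
WORM_KEY_RE = re.compile(r"\\software\\dread(\\|$)", re.I)

def unescape(s):  # undo .reg escaping of backslash and double quote
    return re.sub(r"\\(.)", r"\1", s)

def scan(reg_text):
    """Return (finding, key, data) tuples for the changes described above."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if WORM_KEY_RE.search(key):
                findings.append(("worm_key", key, ""))
            continue
        m = VAL_RE.match(line)
        if not (key and m):
            continue
        name, data = m.group(1).strip('"'), unescape(m.group(2))
        cls = CMD_RE.search(key)
        if cls and name == "@" and cls.group(1).lower() in DEFAULTS:
            if data.strip().lower() != DEFAULTS[cls.group(1).lower()].lower():
                findings.append(("handler_hijack", key, data))
        elif RUN_RE.search(key) and data.lower().endswith("\\dread.exe"):
            findings.append(("run_entry", key, data))
    return findings

# Constructed sample in `reg export` text form; not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\dreAd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="%windir%\\dreAd.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%windir%\\dreAd.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" /S"
'''
```

Real `reg export` output is UTF-16, so decode it before passing the text to `scan`. Restore the hijacked handlers before removing dreAd.exe, otherwise the affected file types will no longer launch.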

It spreads through shares copying itself as

Maya Gold.scr
in the root folder.



This variant attempts to terminate processes containing any of the following strings in their filenames:

VIR
ANTI
AFEE
NORT
PROT
AV
MSCVB32.EXE
ISERVC.EXE
WINK
MSCCN32.EXE
WINGATE.EXE
WINEXE.EXE
WINRPC.EXE
SCAM32.EXE
SIRC32.EXE

Some of the file names belong to other malware such as Sobig.C, Lovgate, Sircam, Fizzer and Klez.



Magold.E spreads in e-mail messages with the following characteristics:

From: "VALO VILAG" <valovilag@rtlklub.hu>


Subject: Sziszi, a voros demon! or Subject: Sziszi a zuhanyzoban!
Body:
Tisztelt C¡m!
Az RTL KLUB j¢volt b¢l ™n most r‚szt vehet egy Internetes nyerem‚nyj t‚kban, ahol ak r 10.000.000 Ft-ot is nyerhet. Ehhez nem kell m st tenni, mint a lev‚lhez csatolt flash-vide¢t lefuttatni (ami Sziszi-t a Val¢ Vil g 2 szt rj t mutatja be zuhanyz s k”zben), majd a film v‚g‚n megjeleno azonos¡t¢t visszakldeni a valovilag@rtlklub.hu c¡mre ‚s ™n m ris j t‚kba kerlt. A sorsol s nyerteseit E-Mail-ben ‚rtes¡tjk 2003.06.30.- n.
šdv”zlettel: RTL KLUB - NA NA -
Attachment: sziszi_video.exe

English translation:

Subject: Sziszi, the red haired vamp! or Subject: Sziszi under the shower!
Body: Dear Recipient!
Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can win up to 10 million HUF. All you have to do is run and watch the attached flash video (which shows Sziszi, the celebrity of the "Valo Vilag 2" reality TV show, taking a shower). At the end, an ID code will be displayed; just send it back by e-mail to <valovilag@rtlklub.hu> and you become a participant right away. Winners of the draw will be contacted by e-mail on June 30, 2003.
With kind regards: RTL KLUB - NANA TV

A registry fix that repairs the entries added and modified by this worm is available on our FTP server:

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.reg

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.txt



F-Secure Anti-Virus detects Magold.E worm with the updates published on June 20th, 2003:

Version=2003-06-20_01

[Description: F-Secure Anti-Virus Research and Tamas Feher, 2F KFT; May 29-July 20th, 2003]