F-Secure Virus Descriptions : Magold
UPDATE (2003-06-20 10:00 GMT)
A new variant of Magold (Magold.E) was found on June 20th, 2003. For more
information on Magold.E, see the bottom of this description.
UPDATE (2003-05-29 13:30 GMT)
A new Hungarian virus known as Magold was found in the wild on
29th of May, 2003.
Magold.A is a rather large virus (240 KB UPX-compressed) and contains a lot of
functionality. It attempts to spread over e-mail, P2P networks and IRC chat.
It may also send Hungarian text to printers; the page it attempts to print
reads:
SEGÍTS NEKEM!!!
Én a nyomtató vagyok, és arra szeretnélek megkérni, hogy beszélj már a
Windows-zal, mert ez már nem állapot!!
Állandóan a hülye kérdéseivel, kéréseivel zaklat, 'Van még
lapod?', 'Tudsz színesen nyomtatni?', 'Ezt most fektetve
szeretném!', 'Készen állsz már?'.
Gondolom te is egyetértesz velem, hogy ez így nem mehet tovább! Valamit
tenni kell!
ÜDVÖZLETTEL MEGÉRTŐ ÉS SEGÍTŐKÉSZ BARÁTOD: A NYOMTATÓ
PUNK'S NOT DEAD
=:-)
=:-)
=:-)
=:-)
...
English translation:
HELP ME!!!
I'm the printer, and I'd like to ask you to have a word with Windows, because
this is getting out of hand. It keeps pestering me with silly questions and
requests: 'Do you still have paper?', 'Can you print in color?', 'I'd like this
one in landscape.', 'Are you ready yet?'.
I think you agree with me that this cannot go on any longer. Something must be
done!
Regards, your understanding and helpful friend: The Printer
PUNK'S NOT DEAD
The virus may spoof the sender address when it sends itself via e-mail.
An example of an e-mail sent by the worm:
From: erotika@lap.hu
Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr
Tisztelt cím!
Az EROTIKA.LAP.HU nézettségének növelése érdekében egy kis ízelítőt
kíván adni kínálatából az Internet felhasználóknak!
FIGYELEM: A 'Maya Gold.scr' nevű csatolt állomány egy képernyővédő.
Mint a neve is mutatja Maya Gold pornószínésznőről tartalmaz különböző képeket.
Az állományt ajánlott előbb a lemezre menteni, majd utána futtatni.
Amennyiben valami problémája, kérdése van, írjon a következő címre:
erotika@lap.hu
Üdvözlettel: EROTIKA.LAP.HU
English translation:
Dear Recipient,
In order to increase the popularity of EROTIKA.LAP.HU, we would like to
provide Internet users with a small sample of our offerings.
WARNING: The attached file 'Maya Gold.scr' is a screen saver.
As the name suggests, it contains various pictures of the porn actress Maya Gold.
It is recommended to save the file to disk first and run it afterwards.
If you have any problem or question, you can write to the following
address: erotika@lap.hu
Regards,
EROTIKA.LAP.HU
The virus contains several references to x-rated web sites and to the Hungarian
porn actress Maya Gold.
Symptoms of an infection may include removal of anti-virus programs, creation of
a large number of shortcuts on the desktop, and the mouse pointer being prevented
from moving to certain parts of the screen.
F-Secure Anti-Virus detects Magold.A worm with the updates
published on May 29th, 2003:
Version=2003-05-29_01
It copies itself to the Windows folder as:
dreAd.exe
Maya Gold.scr
dreAd\Maya Gold.scr
and to the System32 folder as:
wdread.exe
It creates the following key in the Windows registry:
[HKLM\SOFTWARE\dreAd]
and stores the following entries under it for its own internal use:
datum
beepul
halozat
irc
It adds the following entries so that it is started at every boot (RunServices
is honoured by Windows 9x/ME, Run by all Windows versions):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
raVe = %windir%\dreAd.exe
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
raVe = %windir%\dreAd.exe
It modifies the default value of the following keys:
HKLM\SOFTWARE\Classes\exefile\shell\open\command
HKLM\SOFTWARE\Classes\comfile\shell\open\command
HKLM\SOFTWARE\Classes\batfile\shell\open\command
HKLM\SOFTWARE\Classes\piffile\shell\open\command
HKLM\SOFTWARE\Classes\scrfile\shell\open\command
setting each of them to
'%windir%\dreAd.exe "%1" %*'
so that the virus is run every time a file of any of these types is launched,
with the launched file's path passed to it as an argument. Because of this
hijack, deleting dreAd.exe before these values are restored leaves the system
unable to open .exe, .com, .bat, .pif and .scr files; the registry fix listed
at the end of this description restores them.
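The file-association hijack above is the part of a Magold.A clean-up that is easiest to get wrong by hand. The following Python script is an added example; it is neither F-Secure's tool nor the magold_fix.reg file mentioned later on this page. It parses a regedit export (the .reg text format), reports the entries that the description attributes to Magold.A, and emits a .reg fragment that restores the stock open commands and deletes the raVe run entries. The sample export, C:\WINDOWS as the value of %windir%, the stock default commands ("%1" %* for four of the classes and "%1" /S for scrfile) and the case-insensitive comparisons are all assumptions made for this example.

```python
import re

# Constructed sample of a regedit export from an infected host. It is NOT taken from
# the F-Secure page: the values reproduce what the description says Magold.A writes,
# assuming %windir% is C:\WINDOWS, plus two untouched entries for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\dreAd.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="C:\\WINDOWS\\dreAd.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\dreAd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Stock Windows defaults for the "open" verb of the five hijacked classes (assumption
# for this example; scrfile's default differs from the other four).
CLEAN_OPEN_COMMAND = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S',
}
LOADER = "dread.exe"  # %windir%\dreAd.exe, compared case-insensitively

# Matches the hijacked classes whether exported under HKLM\SOFTWARE\Classes or HKCR.
OPEN_CMD = re.compile(
    r"(?:\\Classes|^HKEY_CLASSES_ROOT)\\(exefile|comfile|batfile|piffile|scrfile)"
    r"\\shell\\open\\command$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Services)?$", re.I)


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Only string lines ("name"="data" and @="data") are decoded; other types such as
    hex(...) keep their raw right-hand side. The default value is stored under "".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith('"'):                 # "name"=data
            end = line.index('"', 1)             # names with escaped quotes are not handled
            name, data = line[1:end], line[end + 2:]
        else:                                    # @=data (the default value)
            name, data = "", line.partition("=")[2]
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escaping
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (hits, fixes).

    hits:  (key, value_name, data) for every entry matching the Magold.A description.
    fixes: {key: {value_name: new_data}}; new_data None means "delete the value".
    """
    hits, fixes = [], {}
    for key, values in keys.items():
        m = OPEN_CMD.search(key)
        if m:
            data = values.get("", "")
            if LOADER in data.lower():
                hits.append((key, "", data))
                fixes.setdefault(key, {})[""] = CLEAN_OPEN_COMMAND[m.group(1).lower()]
        elif RUN_KEY.search(key):
            for name, data in values.items():
                if name.lower() == "rave" or LOADER in data.lower():
                    hits.append((key, name, data))
                    fixes.setdefault(key, {})[name] = None
    return hits, fixes


def _reg_quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_fix(fixes):
    """Emit .reg text that restores the open verbs and removes the run entries."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in fixes.items():
        out.append(f"[{key}]")
        for name, data in values.items():
            lhs = "@" if name == "" else _reg_quote(name)
            out.append(f"{lhs}={'-' if data is None else _reg_quote(data)}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits, fixes = find_indicators(parse_reg(SAMPLE_REG))
    for key, name, data in hits:
        print(f"HIT  {key}  [{name or '(Default)'}] = {data}")
    print()
    print(render_fix(fixes))
```

On a real host the keys would be exported with regedit /e (the export is UTF-16 text, so open it with encoding="utf-16"), the script run over that file, and the generated fragment imported before dreAd.exe is deleted, in that order. The run-key check matches on either the value name raVe or data pointing at dreAd.exe, so a sample that used a different value name would still be reported.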
It spreads through network shares, copying itself as
Maya Gold.scr
into the root folder of the share.
This variant attempts to terminate any process whose file name contains one of
the following strings:
VIR
ANTI
AFEE
NORT
PROT
AV
MSCVB32.EXE
ISERVC.EXE
WINK
MSCCN32.EXE
WINGATE.EXE
WINEXE.EXE
WINRPC.EXE
SCAM32.EXE
SIRC32.EXE
Some of these file names belong to other malware, such as Sobig.C, Lovgate,
Sircam, Fizzer and Klez.
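The list above is matched as substrings, so the worm also hits processes that merely happen to contain one of the shorter entries. The following Python script is an added example, not code from F-Secure or from the worm itself: it reads a tasklist-style process listing and reports which processes Magold.A would try to terminate and which list entry triggered each one. The process listing is constructed for the example, and the case-insensitive comparison is an assumption (the description gives the strings in upper case but does not say how they are compared).

```python
import re

# Substrings Magold.A looks for in process file names, as listed in the description.
KILL_PATTERNS = [
    "VIR", "ANTI", "AFEE", "NORT", "PROT", "AV", "MSCVB32.EXE", "ISERVC.EXE",
    "WINK", "MSCCN32.EXE", "WINGATE.EXE", "WINEXE.EXE", "WINRPC.EXE",
    "SCAM32.EXE", "SIRC32.EXE",
]

# Constructed tasklist-style listing (image name and PID); not captured from a real host.
SAMPLE_TASKLIST = """\
Image Name                   PID
System                         4
winlogon.exe                 612
services.exe                 660
FSAV32.EXE                  1104
navapw32.exe                1180
savedump.exe                1220
mscvb32.exe                 1304
notepad.exe                 1480
"""


def parse_tasklist(text):
    """Yield (image_name, pid) from a tasklist-like listing; the header line is skipped."""
    for line in text.splitlines()[1:]:
        m = re.match(r"(\S.*?)\s+(\d+)\s*$", line)
        if m:
            yield m.group(1), int(m.group(2))


def matched_pattern(image_name):
    """Return the first kill-list entry found in the name, or None.

    Case-insensitive substring matching is an assumption for this example; the
    description does not state how the worm compares the strings.
    """
    upper = image_name.upper()
    for pat in KILL_PATTERNS:
        if pat in upper:
            return pat
    return None


def processes_targeted(text):
    """Return [(image_name, pid, pattern)] for every process the worm would try to kill."""
    targeted = []
    for name, pid in parse_tasklist(text):
        pat = matched_pattern(name)
        if pat is not None:
            targeted.append((name, pid, pat))
    return targeted


if __name__ == "__main__":
    for name, pid, pat in processes_targeted(SAMPLE_TASKLIST):
        print(f"{name:<16} pid {pid:<6} matched by {pat}")
```

In the sample listing the two-letter entry AV catches the anti-virus executables FSAV32.EXE and navapw32.exe, but also savedump.exe, a name with nothing to do with anti-virus software, while a product whose process name avoids every listed substring would not be touched by this routine at all.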
Magold.E spreads in e-mail messages with the following characteristics:
From: "VALO VILAG" <valovilag@rtlklub.hu>
Subject: Sziszi, a voros demon!
or
Subject: Sziszi a zuhanyzoban!
Body:
Tisztelt Cím!
Az RTL KLUB jóvoltából Ön most részt vehet egy Internetes
nyereményjátékban, ahol akár 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mást tenni, mint a levélhez csatolt flash-videót
lefuttatni (ami Sziszi-t a Való Világ 2 sztárját mutatja be zuhanyzás
közben), majd a film végén megjelenő azonosítót visszaküldeni a
valovilag@rtlklub.hu címre és Ön máris játékba került.
A sorsolás nyerteseit E-Mail-ben értesítjük 2003.06.30.-án.
Üdvözlettel: RTL KLUB - NA NA -
Attachment: sziszi_video.exe
English translation:
Subject: Sziszi, the red haired vamp!
or
Subject: Sziszi under the shower!
Body:
Dear Recipient!
Thanks to RTL Klub TV, you may participate in an Internet
prize game, where you can win up to 10 million HUF. All you
have to do is to run and watch the attached flash video
(which shows Sziszi, the celebrity of "Valo Vilag 2" reality
TV show, taking a shower). At the end, an ID code will be
displayed, just send it back in e-mail to
<valovilag@rtlklub.hu> and you become a participant right
away. Winners of the draw will be notified by e-mail on
June 30, 2003.
With kind regards: RTL KLUB - NANA TV
A registry fix that repairs the entries added and modified by this worm is
available on our FTP server:
ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.reg
ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.txt
F-Secure Anti-Virus detects Magold.E worm with the updates
published on June 20th, 2003:
Version=2003-06-20_01
[Description: F-Secure Anti-Virus Research and Tamas Feher, 2F KFT; May 29-July 20th, 2003]