

Magold


Aliases: Magold, Maya Gold, Auric

Malware

W32

Summary

As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over e-mail, P2P networks and IRC chat. It might also print Hungarian text on printers.


UPDATE (2003-06-20 10:00 GMT)

A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E, see the bottom of this description.


UPDATE (2003-05-29 13:30 GMT)

A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant: Magold.A

The virus attempts to print a page with this text:

SEGTS NEKEM!!!
 
  ‰n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj m¡r a
  Windows-zal, mert ez m¡r nem ¡llapot!!
  llandoan a h¼lye kerdeseivel, kereseivel zaklat, 'Van meg
  lapod?', 'Tudsz sz­nesen nyomtatni?', 'Ezt most fektetve
  szeretnem!', 'Keszen ¡llsz m¡r?'.
  Gondolom te is egyetertesz velem, hogy ez ­gy nem mehet tov¡bb! Valamit
  tenni kell!
  
 œDV–ZLETTEL MEG‰RT• ‰S SEGT•K‰SZ BARTOD: A NYOMTAT“
 PUNK'S NOT DEAD
  =:-)
  =:-)
  =:-)
  =:-)
  ...
  
   

English translation:

  HELP ME!

  I'm the printer and would like to ask you to talk to Windows because this
  is getting out of hand. It is continuously bugging me with silly questions
  like: 'Do you still have paper?', 'Can you print in color?', 'I'd like to
  have this one in landscape mode.', 'Are you ready?'.

  I think you agree with me that this cannot go on like this any longer.

  Regards,
  Your sympathetic, helpful friend: The Printer


The virus may spoof the sender address when it sends itself via e-mail.

An example of an e-mail sent by the worm:

  From: erotika@lap.hu
  Subject: Maya Gold-os kepernyokimelo!
  Attachment: Maya Gold.scr

  Tisztelt cím!
  Az EROTIKA.LAP.HU nezettsegenek növelese erdekeben egy kis ízelítőt
  kíván adni kínálatábol az Internet felhasználoknak!
  FIGYELEM: A 'Maya Gold.scr' nevű csatolt állomány egy kepernyővedő.
  Mint a neve is mutatja Maya Gold pornoszínesznőről tartalmaz különböző kepeket.
  Az állományt ajánlott előbb a lemezre menteni, majd utána futtatni.

  Amennyiben valami problemája, kerdese van, írjon a következő címre:
  erotika@lap.hu
  Üdvözlettel: EROTIKA.LAP.HU


English translation:

  Dear Recipient,
  In order to increase the popularity of EROTIKA.LAP.HU we would like to
  provide you with a sample of our offers.
  WARNING: The attached file 'Maya Gold.scr' is a screen saver.
  As the name suggests it contains pictures of the porn actress Maya Gold.
  In case you have a problem or question you can write to the following
  address: erotika@lap.hu
  Regards,
  EROTIKA.LAP.HU

The virus contains several references to x-rated web sites and to the Hungarian porn actress Maya Gold.

Symptoms caused by the virus may include removal of anti-virus programs, creation of many shortcuts on the desktop, and preventing the mouse from being moved to certain parts of the screen.


Variant: Magold.E (I-Worm.Magold.e)

It copies itself to the Windows folder as:

  • dreAd.exe
  • Maya Gold.scr
  • dreAd\Maya Gold.scr

and to the System32 folder as:

  • wdread.exe

It creates the following key in the Windows registry:

  • [HKLM\SOFTWARE\dreAd]

to which it adds the following sub-keys:

  • datum
  • beepul
  • halozat
  • irc

for its own internal use.

It adds the following autostart entries:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] raVe = %windir%\dreAd.exe
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] raVe = %windir%\dreAd.exe

It modifies the following keys:

  • HKLM\SOFTWARE\Classes\exefile\shell\open\command
  • HKLM\SOFTWARE\Classes\comfile\shell\open\command
  • HKLM\SOFTWARE\Classes\batfile\shell\open\command
  • HKLM\SOFTWARE\Classes\piffile\shell\open\command
  • HKLM\SOFTWARE\Classes\scrfile\shell\open\command

setting their values to

  • '%windir%\dreAd.exe "%1" %*'

so that it is started every time a file of any of those types is run. It spreads through network shares by copying itself as

  • Maya Gold.scr

in the root folder.
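As an added example (not from the original description and not one of F-Secure's tools), the following read-only PowerShell script audits a host for the Magold.E registry indicators listed above: the dreAd configuration key, the raVe autostart values, and the hijacked shell\open\command values. It assumes Windows PowerShell with the standard HKLM: drive and only reports; it changes nothing.

```powershell
# Audit for Magold.E registry persistence (added example; read-only).
function Find-MagoldIndicators {
    $findings = @()

    # 1. The worm's own configuration key and the sub-keys it uses internally.
    $cfgPath = 'HKLM:\SOFTWARE\dreAd'
    if (Test-Path $cfgPath) {
        $findings += "Worm configuration key present: $cfgPath"
        foreach ($sub in 'datum', 'beepul', 'halozat', 'irc') {
            if (Test-Path (Join-Path $cfgPath $sub)) {
                $findings += "  sub-key present: $sub"
            }
        }
    }

    # 2. Autostart entries: value 'raVe' under Run and RunServices.
    foreach ($runKey in 'Run', 'RunServices') {
        $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$runKey"
        $item = Get-ItemProperty -Path $path -Name 'raVe' -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "Autostart entry $path\raVe = $($item.raVe)"
        }
    }

    # 3. File-association hijack: the (default) command for these types is
    #    routed through dreAd.exe, so every launch of such a file runs the worm.
    foreach ($type in 'exefile', 'comfile', 'batfile', 'piffile', 'scrfile') {
        $path = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
        $cmd = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match 'dreAd\.exe') {
            $findings += "Hijacked association $type -> $cmd"
        }
    }

    return $findings
}

$result = Find-MagoldIndicators
if ($result.Count -eq 0) { 'No Magold.E registry indicators found.' } else { $result }
```

Because the association keys route every .exe, .com, .bat, .pif and .scr launch through dreAd.exe, restore those keys (the registry fix linked below does this) before deleting the file, or executables will no longer start.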

This variant attempts to terminate processes containing any of the following strings in their filenames:

  • VIR
  • ANTI
  • AFEE
  • NORT
  • PROT
  • AV
  • MSCVB32.EXE
  • ISERVC.EXE
  • WINK
  • MSCCN32.EXE
  • WINGATE.EXE
  • WINEXE.EXE
  • WINRPC.EXE
  • SCAM32.EXE
  • SIRC32.EXE

Some of these file names belong to other malware, such as Sobig.C, Lovgate, Sircam, Fizzer and Klez.

Magold.E spreads in e-mail messages with the following characteristics:

  From: "VALO VILAG" <valovilag@rtlklub.hu>
  Subject: Sziszi, a voros demon!
  or
  Subject: Sziszi a zuhanyzoban!

  Body:
    Tisztelt Cím!
    Az RTL KLUB jóvoltából Ön most részt vehet egy Internetes
    nyereményjátékban, ahol akár 10.000.000 Ft-ot is nyerhet.
    Ehhez nem kell mást tenni, mint a levélhez csatolt flash-videót
    lefuttatni (ami Sziszi-t a Való Világ 2 sztárját mutatja be zuhanyzás
    közben), majd a film végén megjeleno azonosítót visszaküldeni a
    valovilag@rtlklub.hu címre és Ön máris játékba került.
    A sorsolás nyerteseit E-Mail-ben értesítjük 2003.06.30.-án.
    Üdvözlettel: RTL KLUB - NA NA -

  Attachment: sziszi_video.exe


English translation:

  Subject: Sziszi, the red haired vamp!
  or
  Subject: Sziszi under the shower!

  Body:
    Dear Recipient!
    Thanks to RTL Klub TV, you may participate in an Internet
    prize game, where you can win up to 10 million HUF. All you
    have to do is to run and watch the attached flash video
    (which shows Sziszi, the celebrity of "Valo Vilag 2" reality
    TV show, taking a shower). At the end, an ID code will be
    displayed, just send it back in e-mail to
    <valovilag@rtlklub.hu> and you become a participant right
    away. Winners of the draw will be contacted in e-mail on
    June 30, 2003.

    With kind regards: RTL KLUB - NANA TV


A registry fix that restores the entries added and modified by this worm is available on our FTP server:

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.reg

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.txt



Detection

F-Secure Anti-Virus detects Magold.A worm with the updates published on May 29th, 2003:
Database: 2003-05-29_01

F-Secure Anti-Virus detects Magold.E worm with the updates published on June 20th, 2003:
Database: 2003-06-20_01



Description Created: F-Secure Anti-Virus Research and Tamas Feher, 2F KFT; May 29-July 20th, 2003


