1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar



Win95/Toal@mm, I-Worm.Toil, BinLaden, Bin Laden, Osama Bin Laden



Toal is an e-mail virus-worm. It uses ICQ White Pages to look for e-mail addresses so the spreading is limited to ICQ users. It also has functionality to spread trough local network but due to a programming error the worm crashes when it tries to browse the network.

The virus does not work on Windows NT system due to a Windows 9x/ME specific property.

The origin is most likely Brasil (judging from the messages it has inside). By the time of description creation the worm was not in the wild.

Disinfection & Removal

Since the virus infects 'explorer.exe' that is always locked the system must be cleaned from DOS.

The virus shares the C: drive with full access so that share has to be removed.

Technical Details

The messages the worm sends have randomly chosen Subject: line but the attachment name is fixed ('BINLADEN_BRASIL.EXE').

When the attachment is executed it infects 'hh.exe' (HTML Help executable) and 'explorer.exe' in the windows directory. The worm body is dropped to the Windows directory with a random three character long name. This file is added to 'system.ini':

 shell=Explorer.exe XXX.exe


The worm does not have a destructive payload. After starting sometimes it displays a message.

Technical Details: Gergely Erdelyi; F-Secure Corp.; 24 of October, 2001

Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.