Win95/Toal@mm, I-Worm.Toil, BinLaden, Bin Laden, Osama Bin Laden
Toal is an e-mail virus-worm. It uses ICQ White Pages to look for
e-mail addresses, so spreading is limited to ICQ users. It also
has functionality to spread through the local network, but due to a
programming error the worm crashes when it tries to browse the
network.
The virus does not work on Windows NT systems due to a Windows 9x/ME-specific
property.
The origin is most likely Brazil (judging from the messages
it contains). At the time this description was written the worm was
not in the wild.
The messages the worm sends have a randomly chosen Subject: line,
but the attachment name is fixed ('BINLADEN_BRASIL.EXE').
When the attachment is executed it infects 'hh.exe' (the HTML Help
executable) and 'explorer.exe' in the Windows directory. The
worm body is dropped to the Windows directory under a random
three-character name. A reference to this file is added to 'system.ini':
[boot]
shell=Explorer.exe XXX.exe
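The 'shell=' line above is the worm's persistence point: on Windows 9x/ME the [boot] section of system.ini normally names only Explorer.exe, so any extra token on that line is worth a look. The following checker is an added example, not part of the F-Secure description; it parses a system.ini text and returns the tokens that follow Explorer.exe on the shell= line. The sample contents (including the placeholder name 'XXX.exe', standing in for the worm's random three-character filename) are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a system.ini as the worm leaves it.
# 'XXX.exe' stands in for the random three-character dropped filename.
SAMPLE_INFECTED = """; constructed sample, not a real file
[boot]
shell=Explorer.exe XXX.exe
mouse.drv=mouse.drv
[386Enh]
device=*vmm
"""

# Constructed sample of a clean default [boot] section.
SAMPLE_CLEAN = """[boot]
shell=Explorer.exe
mouse.drv=mouse.drv
"""


def parse_ini_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section names and keys are lower-cased,
    values keep their original spelling; ';' comments are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def extra_shell_entries(ini_text: str) -> List[str]:
    """Return every token on the [boot] shell= line other than Explorer.exe.

    An empty list means the line is the stock default; anything else
    (a second executable, or a different shell altogether) should be
    reviewed. A missing shell= key is reported as no findings, since
    Windows then falls back to Explorer.exe on its own."""
    boot = parse_ini_sections(ini_text).get("boot", {})
    shell = boot.get("shell")
    if shell is None:
        return []
    return [token for token in shell.split() if token.lower() != "explorer.exe"]


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", extra_shell_entries(sample) or "no extra shell entries")
```

On a real system the text would come from C:\WINDOWS\SYSTEM.INI; the check deliberately flags any non-default shell entry rather than matching a particular name, because the dropped filename is random.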
Payload
The worm does not have a destructive payload. Sometimes it displays
a message after starting.
Removal instructions
Since the virus infects 'explorer.exe', which is always locked, the
system must be cleaned from DOS.
The virus shares the C: drive with full access, so that share has
to be removed.
[Analysis: Gergely Erdelyi; F-Secure Corp.; 24 of October, 2001]