Toal is an e-mail virus-worm. It uses ICQ White Pages to look for e-mail addresses, so its spreading is limited to ICQ users. It also has functionality to spread through the local network, but due to a programming error the worm crashes when it tries to browse the network.
The virus does not work on Windows NT systems because it depends on a Windows 9x/ME-specific property.
The origin is most likely Brazil (judging from the messages it has inside). At the time this description was written, the worm was not in the wild.
Disinfection & Removal
Since the virus infects 'explorer.exe', which is always locked, the system must be cleaned from DOS.
The virus shares the C: drive with full access, so that share has to be removed.
The messages the worm sends have a randomly chosen Subject: line, but the attachment name is fixed ('BINLADEN_BRASIL.EXE').
When the attachment is executed, it infects 'hh.exe' (HTML Help executable) and 'explorer.exe' in the Windows directory. The worm body is dropped to the Windows directory with a random three-character name. This file is added to 'system.ini':
[boot]
shell=Explorer.exe XXX.exe
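A check for the 'system.ini' entry shown above, added here as an example and not part of the original description: it reads the shell= value from the [boot] section and flags any program listed besides Explorer.exe. The function names, the verdict labels and the sample file contents are assumptions of this example.

```python
import re

# The page says the dropped body has a random three-character name; the exact
# character set is an assumption of this example.
THREE_CHAR_EXE = re.compile(r"^[A-Za-z0-9]{3}\.exe$", re.IGNORECASE)

# Constructed sample inputs (abc.exe is a made-up name, not an indicator).
CLEAN_INI = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n"
INFECTED_INI = "[386Enh]\nshell=ignored.exe\n\n[boot]\n; comment\nshell=Explorer.exe abc.exe\n"


def boot_shell_value(ini_text):
    """Return the value of shell= in the [boot] section, or None if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None


def check_shell(ini_text):
    """Return (verdict, extra_programs) for the [boot] shell= line."""
    value = boot_shell_value(ini_text)
    if value is None:
        return "missing", []
    # Compare on bare file names so a full path to Explorer.exe is accepted.
    names = [t.replace("/", "\\").rsplit("\\", 1)[-1] for t in value.split()]
    if not names:
        return "suspicious", []
    extras = names[1:] if names[0].lower() == "explorer.exe" else names
    if not extras:
        return "clean", []
    if any(THREE_CHAR_EXE.match(n) for n in extras):
        return "toal-like", extras
    return "suspicious", extras


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(label, check_shell(text))
```

A "toal-like" verdict only means the shell= line has the shape described here; the listed file still has to be examined before it is removed.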
The worm does not have a destructive payload. After starting, it sometimes displays a message.
Technical Details: Gergely Erdelyi; F-Secure Corp.; 24 of October, 2001