Threat Description

Toal

Details

Aliases: Toal, Win95/Toal@mm, I-Worm.Toil, BinLaden, Bin Laden, Osama Bin Laden
Category: Malware
Type: Worm
Platform: W32

Summary



Toal is an e-mail virus-worm. It uses ICQ White Pages to look for e-mail addresses, so its spreading is limited to ICQ users. It also has functionality to spread through the local network, but due to a programming error the worm crashes when it tries to browse the network.

The virus does not work on Windows NT systems because it relies on a Windows 9x/ME specific property.

The origin is most likely Brazil (judging from the messages it contains). At the time this description was written, the worm was not in the wild.



Removal



Since the virus infects 'explorer.exe', which is always locked while Windows is running, the system must be cleaned from DOS.

The virus also shares the C: drive with full access, so that share has to be removed as well.



Technical Details



The messages the worm sends have a randomly chosen Subject: line, but the attachment name is fixed ('BINLADEN_BRASIL.EXE').

When the attachment is executed it infects 'hh.exe' (the HTML Help executable) and 'explorer.exe' in the Windows directory. The worm body is dropped to the Windows directory under a random three-character name. This file is then added to the shell= line of 'system.ini' so it is started at every boot:

[boot]
shell=Explorer.exe XXX.exe
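As an added example (not part of the original F-Secure description), the following Python check parses the [boot] section of a system.ini file and flags any program appended after Explorer.exe on the shell= line, which is the persistence mechanism just described. The two sample system.ini contents and the file name 'xyz.exe' are constructed for the example.

```python
"""Detect extra programs on the Win9x/ME 'system.ini' shell= line (example, constructed)."""
import re
from typing import Dict, List

# Constructed samples: a clean [boot] section and one modified the way the worm does it.
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
device=*vmm32
"""
INFECTED_SYSTEM_INI = """[boot]
 shell=Explorer.exe xyz.exe
[386Enh]
device=*vmm32
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for a Windows-style INI file (names lower-cased)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def extra_shell_programs(system_ini_text: str) -> List[str]:
    """List every program on the [boot] shell= line other than the expected Explorer.exe."""
    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    # Split on whitespace but keep double-quoted paths together, then reduce to the file name.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', shell)]
    names = [t.replace("\\", "/").rsplit("/", 1)[-1] for t in tokens]
    return [n for n in names if n and n.lower() != "explorer.exe"]


def is_suspicious(system_ini_text: str) -> bool:
    """True when anything other than Explorer.exe is launched as the shell."""
    return bool(extra_shell_programs(system_ini_text))


if __name__ == "__main__":
    for label, ini in (("clean", CLEAN_SYSTEM_INI), ("infected", INFECTED_SYSTEM_INI)):
        print(label, extra_shell_programs(ini))
```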

Payload

The worm does not have a destructive payload. Sometimes it displays a message after starting.





Technical Details: Gergely Erdelyi; F-Secure Corp.; 24 October 2001

