Magold

Classification

Category:

Malware

Aliases:

  • Magold
  • Maya Gold
  • Auric

Summary

As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over email, P2P networks and IRC chat. It might also print Hungarian text on printers.

A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E, see the bottom of this description.

A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.

Removal

Technical Details

Variant: Magold.A

The virus attempts to print a page with this text:

SEGTS NEKEM!!! n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj mr a Windows-zal, mert ez mr nem 1llapot!! llandoan a hlye kerdeseivel, kereseivel zaklat, 'Van meg lapod?', 'Tudsz sznesen nyomtatni?', 'Ezt most fektetve szeretnem!', 'Keszen llsz mr?'. Gondolom te is egyetertesz velem, hogy ez gy nem mehet tovbb! Valamit tenni kell! DV-ZLETTEL MEGRT S SEGTKSZ BARTOD: A NYOMTAT" PUNK'S NOT DEAD =:-) =:-) =:-) =:-) ...

English translation:

HELP ME! I'm the printer and would like to ask you to talk to Windows because this is getting out of hand. It is continuously bugging me with silly questions like: 'Do you still have paper?', 'Can you print in color?', 'I'd like to have this one in landscape mode.', 'Are you ready?'. I think you agree with me that this cannot go on like this any longer. Regards, Your sympathetic, helpful friend: The Printer

The virus may spoof the sender address when it sends itself via email.

An example of an email sent by the worm:

From: erotika@lap.hu
Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr

Tisztelt cm! Az EROTIKA.LAP.HU nezettsegenek nvelese erdekeben egy kis zeltt kvn adni knlatbol az Internet felhasznloknak! FIGYELEM: A 'Maya Gold.scr' nev csatolt llomny egy kepernyved. Mint a neve is mutatja Maya Gold pornosznesznrl tartalmaz knbz kepeket. Az llomnyt ajnlott elbb a lemezre menteni, majd utna futtatni. Amennyiben valami problemja, kerdese van, rjon a kvetkez cre: erotika@lap.hu dvzlettel: EROTIKA.LAP.HU

English translation:

Dear Recipient, In order to increase the popularity of EROTIKA.LAP.HU we would like to provide you with a sample of our offers. WARNING: The attached file 'Maya Gold.scr' is a screen saver. As the name suggests it contains pictures of the porn actress Maya Gold. In case you have a problem or question you can write to the following address: erotika@lap.hu Regards, EROTIKA.LAP.HU

The virus contains several references to x-rated web sites and to the Hungarian porn actress Ms. Maya Gold.

Symptoms of infection may include removal of anti-virus programs, creation of many shortcuts on the desktop, and the mouse pointer being kept out of certain portions of the screen.

Variant: Magold.E (I-Worm.Magold.e)

It copies itself to the Windows folder as:

  • dreAd.exe
  • Maya Gold.scr
  • dreAd\Maya Gold.scr

and to the System32 folder as:

  • wdread.exe

It creates a key in the Windows registry:

  • [HKLM\SOFTWARE\dreAd]

to which it adds the following sub-keys:

  • datum
  • beepul
  • halozat
  • irc

for its own internal use.

It adds the following registry entries:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] raVe = %windir%\dreAd.exe
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] raVe = %windir%\dreAd.exe

It modifies the following keys:

  • HKLM\SOFTWARE\Classes\exefile\shell\open\command
  • HKLM\SOFTWARE\Classes\comfile\shell\open\command
  • HKLM\SOFTWARE\Classes\batfile\shell\open\command
  • HKLM\SOFTWARE\Classes\piffile\shell\open\command
  • HKLM\SOFTWARE\Classes\scrfile\shell\open\command

setting their values to:

  • '%windir%\dreAd.exe "%1" %*'

so that it is started every time a file of any of those types is run.

It spreads through shares by copying itself as

  • Maya Gold.scr

in the root folder.

This variant attempts to terminate processes containing any of the following strings in their filenames:

  • VIR
  • ANTI
  • AFEE
  • NORT
  • PROT
  • AV
  • MSCVB32.EXE
  • ISERVC.EXE
  • WINK
  • MSCCN32.EXE
  • WINGATE.EXE
  • WINEXE.EXE
  • WINRPC.EXE
  • SCAM32.EXE
  • SIRC32.EXE

Some of the file names belong to other malware, such as Sobig.C, Lovgate, Sircam, Fizzer and Klez.

Magold.E spreads in email messages with the following characteristics:

From: "VALO VILAG" [valovilag@rtlklub.hu]
Subject: Sziszi, a voros demon!
or
Subject: Sziszi a zuhanyzoban!
Body: Tisztelt C m! Az RTL KLUB jvoltbl n most rszt vehet egy Internetes nyeremnyjtkban, ahol akr 10.000.000 Ft-ot is nyerhet. Ehhez nem kell mst tenni, mint a levlhez csatolt flash-videt lefuttatni (ami Sziszi-t a Val Vilg 2 sztrjt mutatja be zuhanyzs kzben), majd a film vgn megjeleno azonostt visszakldeni a valovilag@rtlklub.hu cmre sn mris jtkba kerlt. A sorsols nyerteseit email-ben rtestjk 2003.06.30.-n. zlettel: RTL KLUB - NA NA -
Attachment: sziszi_video.exe

English translation:

Subject: Sziszi, the red haired vamp!
or
Subject: Sziszi under the shower!
Body: Dear Recipient! Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can win up to 10 million HUF. All you have to do is to run and watch the attached flash video (which shows Sziszi, the celebrity of "Valo Vilag 2" reality TV show, taking a shower). At the end, an ID code will be displayed, just send it back in email to [valovilag@rtlklub.hu] and you become a participant right away. Winners of the draw will be contacted in email on June 30, 2003. With kind regards: RTL KLUB - NANA TV

A registry fix that corrects the entries added and modified by this worm is available on our FTP server:

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.reg

ftp://ftp.f-secure.com/anti-virus/tools/magold_fix.txt
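To check a machine for the Magold.E registry changes listed above without touching the live registry, the following added example (not F-Secure's tool and not part of the original description) scans the text of a regedit export. The function names, the sample export and the rule that a clean open command begins with "%1" are assumptions made for the illustration.

```python
import re

# Indicators taken from the Magold.E description above.
HANDLER_TYPES = ("exefile", "comfile", "batfile", "piffile", "scrfile")
RUN_KEYS = ("run", "runservices")
BASE = "hkey_local_machine\\software\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values from regedit export text into {key: {name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def magold_findings(text):
    """Return findings for the registry changes listed in the description."""
    keys, findings = parse_reg(text), []
    if any((k + "\\").startswith(BASE + "dread\\") for k in keys):
        findings.append("worm key HKLM\\SOFTWARE\\dreAd present")
    for rk in RUN_KEYS:
        vals = keys.get(BASE + "microsoft\\windows\\currentversion\\" + rk, {})
        for name, data in vals.items():
            if name == "rave" or "dread.exe" in data.lower():
                findings.append(f"autostart {rk}: {name} = {data}")
    for ft in HANDLER_TYPES:
        cmd = keys.get(BASE + f"classes\\{ft}\\shell\\open\\command", {}).get("")
        # Assumed rule: a clean handler starts with "%1"; a program before it runs first.
        if cmd is not None and not cmd.lstrip().startswith('"%1"'):
            findings.append(f"{ft} open command hijacked: {cmd}")
    return findings

# Constructed sample export (not taken from a real infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\dreAd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\dreAd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\dreAd.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print("\n".join(magold_findings(SAMPLE)))
```

Regedit writes version 5.00 exports as UTF-16, so decode the file before passing its text to `magold_findings`.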
