Summary
As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over email, P2P networks and IRC chat. It might also print Hungarian text on printers.
UPDATE (2003-06-20 10:00 GMT)
A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E see at the bottom of the description.
UPDATE (2003-05-29 13:30 GMT)
A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variant:Magold.A
The virus attempts to print a page with this text:
SEGTS NEKEM!!! n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj mr a Windows-zal, mert ez mr nem 1llapot!! llandoan a hlye kerdeseivel, kereseivel zaklat, 'Van meg lapod?', 'Tudsz sznesen nyomtatni?', 'Ezt most fektetve szeretnem!', 'Keszen llsz mr?'. Gondolom te is egyetertesz velem, hogy ez gy nem mehet tovbb! Valamit tenni kell! DV-ZLETTEL MEGRT S SEGTKSZ BARTOD: A NYOMTAT" PUNK'S NOT DEAD =:-) =:-) =:-) =:-) ...
English translation:
HELP ME! I'm the printer and would like to ask you to talk to Windows because this is getting out of hand. It is continuously bugging me with silly questions like: 'Do you still have paper?', "Can you print in color?", "I'd like to have this one in landscape mode.", "Are you ready?". I think you agree with me that this can not go on like this any longer. Regards, Your sympatethic, helpful friend: The Printer
The virus may spoof the sender address when it sends itself via email.
An example of an email sent by the worm:
From: erotika@lap.hu Subject: Maya Gold-os kepernyokimelo! Attachment: Maya Gold.scr Tisztelt cm! Az EROTIKA.LAP.HU nezettsegenek nvelese erdekeben egy kis zeltt kvn adni knlatbol az Internet felhasznloknak! FIGYELEM: A 'Maya Gold.scr' nev csatolt llomny egy kepernyved. Mint a neve is mutatja Maya Gold pornosznesznrl tartalmaz knbz kepeket. Az llomnyt ajnlott elbb a lemezre menteni, majd utna futtatni. Amennyiben valami problemja, kerdese van, rjon a kvetkez cre: erotika@lap.hu dvzlettel: EROTIKA.LAP.HU
English translation:
Dear Recipient, In order it increase the popularity of EROTIKA.LAP.HU we would like provide you with a sample of our offers. WARNING: The attached file 'Maya Gold.scr' is a screen saver. As the name suggests it contains pictures of the porn actress Maya Gold. In case you have a problem or question you can write to the following address: erotika@lap.hu Regards, EROTIKA.LAP.HU
The virus contains several references to x-rated web sites and to Hungarian porn actress, Ms. Maya Gold.
Symptoms created by the virus might include removal of anti-virus programs, creating lots of shortcuts to desktop and preventing mouse to be moved to certain portions of the screen.
Variant:Magold.E (I-Worm.Magold.e)
It copies itself to windows folder as:
- dreAd.exe
- Maya Gold.scr
- dreAd\Maya Gold.scr
and under the System32 folder as
- wdread.exe
It creates a key in the windows registry as:
- [HKLM\SOFTWARE\dreAd]
to which it adds the following sub-keys:
- datum
- beepul
- halozat
- irc
for its own internal use.
It adds the following entry to:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] raVe = %windir%\dreAd.exe
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] raVe = %windir%\dreAd.exe
It modifies the following keys
- HKLM\SOFTWARE\Classes\exefile\shell\open\command
- HKLM\SOFTWARE\Classes\comfile\shell\open\command
- HKLM\SOFTWARE\Classes\batfile\shell\open\command
- HKLM\SOFTWARE\Classes\piffile\shell\open\command
- HKLM\SOFTWARE\Classes\scrfile\shell\open\command
setting their values to
- '%windir%\dreAd.exe "%1" %*'
so it is started every time that any of those file types is run. It spreads through shares copying itself as
- Maya Gold.scr
in the root folder.
This variant attempts to terminate processes containing any of the following strings in their filenames:
- VIR
- ANTI
- AFEE
- NORT
- PROT
- AV
- MSCVB32.EXE
- ISERVC.EXE
- WINK
- MSCCN32.EXE
- WINGATE.EXE
- WINEXE.EXE
- WINRPC.EXE
- SCAM32.EXE
- SIRC32.EXE
Some of the files names belong to other malware like Sobig.C , Lovgate, Sircam, Fizzer, Klez .
Magold.E spreads in email messages with the following characteristics:
From: "VALO VILAG" [valovilag@rtlklub.hu] Subject: Sziszi, a voros demon! or Subject: Sziszi a zuhanyzoban! Body: Tisztelt C m! Az RTL KLUB jvoltbl n most rszt vehet egy Internetes nyeremnyjtkban, ahol akr 10.000.000 Ft-ot is nyerhet. Ehhez nem kell mst tenni, mint a levlhez csatolt flash-videt lefuttatni (ami Sziszi-t a Val Vilg 2 sztrjt mutatja be zuhanyzs kzben), majd a film vgn megjeleno azonostt visszakldeni a valovilag@rtlklub.hu cmre sn mris jtkba kerlt. A sorsols nyerteseit email-ben rtestjk 2003.06.30.-n. zlettel: RTL KLUB - NA NA -Attachment: sziszi_video.exe
English translation:
Subject: Sziszi, the red haired vamp! or Subject: Sziszi under the shower! Body: Dear Recipient! Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can win up to 10 million HUF. All you have to do is to run and watch the attached flash video (which shows Sziszi, the celebrity of "Valo Vilag 2" reality TV show, taking a shower). At the end, an ID code will be displayed, just send it back in email to [valovilag@rtlklub.hu] and you become a participant right away. Winners of the draw will be contacted in email on June 30, 2003With kind regards: RTL KLUB - NANA TV
A registry fix is available at our ftp server which will fix entries added and modified by this worm:
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.