As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over email, P2P networks and IRC chat. It might also print Hungarian text on printers.
A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E see at the bottom of the description.
A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
The virus attempts to print a page with this text:
SEGTS NEKEM!!! ‰n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj m¡r a Windows-zal, mert ez m¡r nem ¡llapot!! llandoan a h¼lye kerdeseivel, kereseivel zaklat, 'Van meg lapod?', 'Tudsz sznesen nyomtatni?', 'Ezt most fektetve szeretnem!', 'Keszen ¡llsz m¡r?'. Gondolom te is egyetertesz velem, hogy ez gy nem mehet tov¡bb! Valamit tenni kell! œDV–ZLETTEL MEG‰RT• ‰S SEGT•K‰SZ BARTOD: A NYOMTAT“ PUNK'S NOT DEAD =:-) =:-) =:-) =:-) ...
HELP ME! I'm the printer and would like to ask you to talk to Windows because this is getting out of hand. It is continuously bugging me with silly questions like: 'Do you still have paper?', "Can you print in color?", "I'd like to have this one in landscape mode.", "Are you ready?". I think you agree with me that this can not go on like this any longer. Regards, Your sympatethic, helpful friend: The Printer
The virus may spoof the sender address when it sends itself via email.
An example of an email sent by the worm:
From: email@example.com Subject: Maya Gold-os kepernyokimelo! Attachment: Maya Gold.scr Tisztelt cm! Az EROTIKA.LAP.HU nezettsegenek n¶velese erdekeben egy kis zeltµt kv¡n adni kn¡lat¡bol az Internet felhaszn¡loknak! FIGYELEM: A 'Maya Gold.scr' nev» csatolt ¡llom¡ny egy kepernyµvedµ. Mint a neve is mutatja Maya Gold pornosznesznµrµl tartalmaz k¼l¶nb¶zµ kepeket. Az ¡llom¡nyt aj¡nlott elµbb a lemezre menteni, majd ut¡na futtatni. Amennyiben valami problem¡ja, kerdese van, rjon a k¶vetkezµ cmre: firstname.lastname@example.org œdv¶zlettel: EROTIKA.LAP.HU
Dear Recipient, In order it increase the popularity of EROTIKA.LAP.HU we would like provide you with a sample of our offers. WARNING: The attached file 'Maya Gold.scr' is a screen saver. As the name suggests it contains pictures of the porn actress Maya Gold. In case you have a problem or question you can write to the following address: email@example.com Regards, EROTIKA.LAP.HU
The virus contains several references to x-rated web sites and to Hungarian porn actress, Ms. Maya Gold.
Symptoms created by the virus might include removal of anti-virus programs, creating lots of shortcuts to desktop and preventing mouse to be moved to certain portions of the screen.
It copies itself to windows folder as:
and under the System32 folder as
It creates a key in the windows registry as:
to which it adds the following sub-keys:
for its own internal use.
It adds the following entry to:
It modifies the following keys
setting their values to
so it is started every time that any of those file types is run. It spreads through shares copying itself as
in the root folder.
This variant attempts to terminate processes containing any of the following strings in their filenames:
Some of the files names belong to other malware like Sobig.C , Lovgate, Sircam, Fizzer, Klez .
Magold.E spreads in email messages with the following characteristics:
From: "VALO VILAG" [firstname.lastname@example.org] Subject: Sziszi, a voros demon! or Subject: Sziszi a zuhanyzoban! Body: Tisztelt C¡m! Az RTL KLUB j¢voltb¢l „¢n most r€šszt vehet egy Internetes nyerem€šnyjt€škban, ahol akr 10.000.000 Ft-ot is nyerhet. Ehhez nem kell mst tenni, mint a lev€šlhez csatolt flash-vide¢t lefuttatni (ami Sziszi-t a Val¢ Vilg 2 sztrjt mutatja be zuhanyzs k€zben), majd a film v€šg€šn megjeleno azonos¡t¢t visszakldeni a email@example.com c¡mre €šs „¢n mris jt€škba kerlt. A sorsols nyerteseit email-ben €šrtes¡tjk 2003.06.30.-n. Å¡dv€zlettel: RTL KLUB - NA NA -Attachment: sziszi_video.exe
Subject: Sziszi, the red haired vamp! or Subject: Sziszi under the shower! Body: Dear Recipient! Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can win up to 10 million HUF. All you have to do is to run and watch the attached flash video (which shows Sziszi, the celebrity of "Valo Vilag 2" reality TV show, taking a shower). At the end, an ID code will be displayed, just send it back in email to [firstname.lastname@example.org] and you become a participant right away. Winners of the draw will be contacted in email on June 30, 2003With kind regards: RTL KLUB - NANA TV
A registry fix is available at our ftp server which will fix entries added and modified by this worm: