Threat Descriptons



Category :


Type :


Aliases :

Magold, Maya Gold, Auric


As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over email, P2P networks and IRC chat. It might also print Hungarian text on printers.

UPDATE (2003-06-20 10:00 GMT)

A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E see at the bottom of the description.

UPDATE (2003-05-29 13:30 GMT)

A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details


The virus attempts to print a page with this text:


‰n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj m¡r a
Windows-zal, mert ez m¡r nem ¡llapot!!
Âllandoan a h¼lye kerdeseivel, kereseivel zaklat, 'Van meg
lapod?', 'Tudsz sznesen nyomtatni?', 'Ezt most fektetve
szeretnem!', 'Keszen ¡llsz m¡r?'.
Gondolom te is egyetertesz velem, hogy ez gy nem mehet tov¡bb! Valamit
tenni kell!


English translation:

I'm the printer and would like to ask you to talk to Windows because this
is getting out of hand. It is continuously bugging me with silly questions
like: 'Do you still have paper?', "Can you print in color?", "I'd like to
have this one in landscape mode.", "Are you ready?".

I think you agree with me that this can not go on like this any longer.
Regards, Your sympatethic, helpful friend: The Printer

The virus may spoof the sender address when it sends itself via email.

An example of an email sent by the worm:

Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr
Tisztelt cm!
Az EROTIKA.LAP.HU nezettsegenek n¶velese erdekeben egy kis zeltµt
kv¡n adni kn¡lat¡bol az Internet felhaszn¡loknak!
FIGYELEM: A 'Maya Gold.scr' nev» csatolt ¡llom¡ny egy kepernyµvedµ.
Mint a neve is mutatja Maya Gold pornosznesznµrµl tartalmaz k¼l¶nb¶zµ kepeket.
Az ¡llom¡nyt aj¡nlott elµbb a lemezre menteni, majd ut¡na futtatni.
 Amennyiben valami problem¡ja, kerdese van, rjon a k¶vetkezµ c­re:
œdv¶zlettel: EROTIKA.LAP.HU

English translation:

Dear Recipient,
In order it increase the popularity of EROTIKA.LAP.HU we would like
provide you with a sample of our offers.
WARNING: The attached file 'Maya Gold.scr' is a screen saver.
As the name suggests it contains pictures of the porn actress Maya Gold.
In case you have a problem or question you can write to the following

The virus contains several references to x-rated web sites and to Hungarian porn actress, Ms. Maya Gold.

Symptoms created by the virus might include removal of anti-virus programs, creating lots of shortcuts to desktop and preventing mouse to be moved to certain portions of the screen.

Variant:Magold.E (I-Worm.Magold.e)

It copies itself to windows folder as:

  • dreAd.exe
  • Maya Gold.scr
  • dreAd\Maya Gold.scr

and under the System32 folder as

  • wdread.exe

It creates a key in the windows registry as:


to which it adds the following sub-keys:

  • datum
  • beepul
  • halozat
  • irc

for its own internal use.

It adds the following entry to:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] raVe = %windir%\dreAd.exe
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] raVe = %windir%\dreAd.exe

It modifies the following keys

  • HKLM\SOFTWARE\Classes\exefile\shell\open\command
  • HKLM\SOFTWARE\Classes\comfile\shell\open\command
  • HKLM\SOFTWARE\Classes\batfile\shell\open\command
  • HKLM\SOFTWARE\Classes\piffile\shell\open\command
  • HKLM\SOFTWARE\Classes\scrfile\shell\open\command

setting their values to

  • '%windir%\dreAd.exe "%1" %*'

so it is started every time that any of those file types is run. It spreads through shares copying itself as

  • Maya Gold.scr

in the root folder.

This variant attempts to terminate processes containing any of the following strings in their filenames:

  • VIR
  • ANTI
  • AFEE
  • NORT
  • PROT
  • AV
  • WINK
  • SCAM32.EXE
  • SIRC32.EXE

Some of the files names belong to other malware like Sobig.C , Lovgate, Sircam, Fizzer, Klez .

Magold.E spreads in email messages with the following characteristics:

From: "VALO VILAG" [] Subject: Sziszi, a voros demon!
or Subject: Sziszi a zuhanyzoban!
Body: Tisztelt C¡m!
Az RTL KLUB j¢voltb¢l „¢n most r€šszt vehet egy Internetes
nyerem€šnyjt€škban, ahol akr 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mst tenni, mint a lev€šlhez csatolt flash-vide¢t
lefuttatni (ami Sziszi-t a Val¢ Vilg 2 sztrjt mutatja be zuhanyzs
kâzben), majd a film v€šg€šn megjeleno azonos¡t¢t visszakÂldeni a c¡mre €šs „¢n mris jt€škba kerÂlt.
A sorsols nyerteseit email-ben €šrtes¡tjÂk 2003.06.30.-n.
zlettel: RTL KLUB - NA NA -Attachment: sziszi_video.exe

English translation:

Subject: Sziszi, the red haired vamp!
or Subject: Sziszi under the shower!
Dear Recipient!

Thanks to RTL Klub TV, you may participate in an Internet 	prize game, where you can win up to 10 million HUF. All you 	have to do is to run and watch the attached flash video 	(which shows Sziszi, the celebrity of "Valo Vilag 2" reality 	TV show, taking a shower). At the end, an ID code will be
displayed, just send it back in email to
[] and you become a participant right
away. Winners of the draw will be contacted in email on
June 30, 2003With kind regards: RTL KLUB - NANA TV

A registry fix is available at our ftp server which will fix entries added and modified by this worm:

Peace of mind against online threats

F-Secure Total is a security suite that protects all your phones and computers in real time, 24/7 and with award-winning accuracy. Read more about Total and try it free for 30 days, no credit card required.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.