As a rather large virus (240KB UPX compressed), Magold.A contains lots of functionality. It attempts to spread over e-mail, P2P networks and IRC chat. It might also print Hungarian text on printers.
A new variant of Magold (Magold.E) was found on June 20th 2003. For more information on Magold.E, see the bottom of this description.
A new Hungarian virus known as Magold was found in the wild on 29th of May, 2003.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The virus attempts to print a page with this text:
SEGTS NEKEM!!! ‰n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj m¡r a Windows-zal, mert ez m¡r nem ¡llapot!! llandoan a h¼lye kerdeseivel, kereseivel zaklat, 'Van meg lapod?', 'Tudsz sznesen nyomtatni?', 'Ezt most fektetve szeretnem!', 'Keszen ¡llsz m¡r?'. Gondolom te is egyetertesz velem, hogy ez gy nem mehet tov¡bb! Valamit tenni kell! œDV–ZLETTEL MEG‰RT• ‰S SEGT•K‰SZ BARTOD: A NYOMTAT“ PUNK'S NOT DEAD =:-) =:-) =:-) =:-) ...
HELP ME! I'm the printer and would like to ask you to talk to Windows because this is getting out of hand. It is continuously bugging me with silly questions like: 'Do you still have paper?', 'Can you print in color?', 'I'd like to have this one in landscape mode.', 'Are you ready?'. I think you agree with me that this cannot go on like this any longer. Regards, Your sympathetic, helpful friend: The Printer
The virus may spoof the sender address when it sends itself via e-mail.
An example of an e-mail sent by the worm:
From: email@example.com
Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr

Tisztelt cm! Az EROTIKA.LAP.HU nezettsegenek n¶velese erdekeben egy kis zeltµt kv¡n adni kn¡lat¡bol az Internet felhaszn¡loknak! FIGYELEM: A 'Maya Gold.scr' nev» csatolt ¡llom¡ny egy kepernyµvedµ. Mint a neve is mutatja Maya Gold pornosznesznµrµl tartalmaz k¼l¶nb¶zµ kepeket. Az ¡llom¡nyt aj¡nlott elµbb a lemezre menteni, majd ut¡na futtatni. Amennyiben valami problem¡ja, kerdese van, rjon a k¶vetkezµ cmre: firstname.lastname@example.org œdv¶zlettel: EROTIKA.LAP.HU
Dear Recipient, In order to increase the popularity of EROTIKA.LAP.HU we would like to provide you with a sample of our offers. WARNING: The attached file 'Maya Gold.scr' is a screen saver. As the name suggests, it contains pictures of the porn actress Maya Gold. In case you have a problem or question you can write to the following address: email@example.com Regards, EROTIKA.LAP.HU
The virus contains several references to x-rated web sites and to the Hungarian porn actress Maya Gold.
Symptoms of infection might include the removal of anti-virus programs, the creation of many shortcuts on the desktop, and the mouse pointer being prevented from moving to certain portions of the screen.
It copies itself to the Windows folder as:
and under the System32 folder as
It creates a key in the Windows registry as:
to which it adds the following sub-keys:
for its own internal use.
It adds the following entry to:
It modifies the following keys
setting their values to
so it is started every time that any of those file types is run. It spreads through shares copying itself as
in the root folder.
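The file-type handler change described above can be checked offline from a registry export. The following Python is an added example, not part of the original description or F-Secure's tooling; the page does not list the modified keys, so the file classes checked, the stock Windows handler values and the sample export (including the placeholder path) are assumptions constructed for illustration.

```python
import re

# Stock Windows handlers for executable file classes (assumed set): the shell
# runs the clicked file itself ("%1") and passes along its arguments (%*).
DEFAULT_HANDLERS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def find_hijacked_handlers(reg_text):
    """Return {file_class: command} for handlers that differ from the default."""
    findings = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if current in DEFAULT_HANDLERS and m:
            # Undo .reg escaping of backslashes and double quotes.
            command = re.sub(r"\\(.)", r"\1", m.group(1))
            if command.strip().lower() != DEFAULT_HANDLERS[current].lower():
                findings[current] = command
    return findings


# Constructed sample export; "C:\WINDOWS\example_worm.exe" is a placeholder,
# not a file name taken from the Magold description.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\example_worm.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''

if __name__ == "__main__":
    for file_class, command in find_hijacked_handlers(SAMPLE_EXPORT).items():
        print(f"{file_class}: unexpected handler -> {command}")
```

A handler that places another program in front of `"%1"` runs that program every time a file of that class is opened, which is the persistence behaviour the description refers to.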
This variant attempts to terminate processes containing any of the following strings in their filenames:
Some of the file names belong to other malware, such as Sobig.C, Lovgate, Sircam, Fizzer and Klez.
Magold.E spreads in e-mail messages with the following characteristics:
From: "VALO VILAG" [firstname.lastname@example.org]
Subject: Sziszi, a voros demon!
or
Subject: Sziszi a zuhanyzoban!
Body: Tisztelt C¡m! Az RTL KLUB j¢voltb¢l „¢n most r€šszt vehet egy Internetes nyerem€šnyjt€škban, ahol akr 10.000.000 Ft-ot is nyerhet. Ehhez nem kell mst tenni, mint a lev€šlhez csatolt flash-vide¢t lefuttatni (ami Sziszi-t a Val¢ Vilg 2 sztrjt mutatja be zuhanyzs k€zben), majd a film v€šg€šn megjeleno azonos¡t¢t visszakldeni a email@example.com c¡mre €šs „¢n mris jt€škba kerlt. A sorsols nyerteseit E-Mail-ben €šrtes¡tjk 2003.06.30.-n. Å¡dv€zlettel: RTL KLUB - NA NA -
Attachment: sziszi_video.exe
Subject: Sziszi, the red haired vamp!
or
Subject: Sziszi under the shower!
Body: Dear Recipient! Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can win up to 10 million HUF. All you have to do is to run and watch the attached flash video (which shows Sziszi, the celebrity of the "Valo Vilag 2" reality TV show, taking a shower). At the end, an ID code will be displayed; just send it back by e-mail to [firstname.lastname@example.org] and you become a participant right away. Winners of the draw will be contacted by e-mail on June 30, 2003. With kind regards: RTL KLUB - NANA TV
A registry fix is available on our FTP server which will fix the entries added and modified by this worm:
F-Secure Anti-Virus detects Magold.A worm with the updates published on May 29th, 2003:
F-Secure Anti-Virus detects Magold.E worm with the updates published on June 20th, 2003: