Classification

Category :

Malware

Type :

Virus

Aliases :

Toal

Summary

Toal is an email virus-worm. It uses ICQ White Pages to look for email addresses, so its spreading is limited to ICQ users. It also has functionality to spread through the local network, but due to a programming error the worm crashes when it tries to browse the network.

Removal

Since the virus infects 'explorer.exe', which is always locked while Windows is running, the system must be cleaned from DOS. The virus also shares the C: drive with full access, so that share has to be removed.


Technical Details

The virus does not work on Windows NT systems because it relies on a Windows 9x/ME specific property.

The origin is most likely Brasil (judging from the messages it contains). At the time this description was written, the worm was not in the wild.

The messages the worm sends have a randomly chosen Subject: line, but the attachment name is fixed ('BINLADEN_BRASIL.EXE').

When the attachment is executed it infects 'hh.exe' (the HTML Help executable) and 'explorer.exe' in the Windows directory. The worm body is dropped into the Windows directory under a random three-character name, and that file is added to the shell= line of 'system.ini':

[boot]
shell=Explorer.exe XXX.exe
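The following is an added detection check written for this description; it is not F-Secure code and not part of the original text. It parses the [boot] section of a system.ini and reports every token on the shell= line other than Explorer.exe, which on Windows 9x/ME is launched together with the shell. The sample INI contents are constructed, and the dropped-file name 'abc.exe' is a placeholder standing in for the random three-character name the worm actually uses.

```python
import re

# Constructed sample of a system.ini as modified by the worm, not a real
# capture. 'abc.exe' is a placeholder for the random three-character name.
INFECTED_SYSTEM_INI = """[boot]
shell=Explorer.exe abc.exe
mouse.drv=mouse.drv

[386Enh]
device=*vpowerd
"""

# Constructed clean baseline for comparison, also not a real capture.
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe

[386Enh]
device=*vpowerd
"""

EXPECTED_SHELL = "explorer.exe"


def shell_line(ini_text):
    """Return the value of the shell= key in the [boot] section, or None.

    A small hand-written INI walker is used because Windows 9x system.ini
    files are not always clean enough for configparser (duplicate keys,
    values without '=', and so on).
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def extra_shell_entries(ini_text):
    """Tokens on the [boot] shell= line other than the expected shell.

    Everything on this line is started with the shell at boot, so a second
    executable here is a persistence entry that deserves a closer look.
    """
    value = shell_line(ini_text)
    if value is None:
        return []
    return [tok for tok in value.split() if tok.lower() != EXPECTED_SHELL]


def matches_dropped_name_pattern(entry):
    """True if the entry's base name is three characters plus '.exe', the
    naming pattern the description gives for the worm's dropped file."""
    base = entry.replace("\\", "/").rsplit("/", 1)[-1]
    return re.fullmatch(r"[A-Za-z0-9]{3}\.exe", base, re.IGNORECASE) is not None


def triage(ini_text):
    """Return (entry, matches_worm_naming_pattern) for each extra shell entry."""
    return [(e, matches_dropped_name_pattern(e)) for e in extra_shell_entries(ini_text)]


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_SYSTEM_INI), ("clean", CLEAN_SYSTEM_INI)):
        print(label, triage(text))
```

Any entry the check reports should be verified rather than deleted blindly: the name pattern is only a hint, and a legitimate shell replacement would also show up here. Removing the extra token from the shell= line stops the worm from being relaunched, but the infected 'explorer.exe' and 'hh.exe' still have to be repaired as described in the Removal section.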

Payload

The worm does not have a destructive payload. Sometimes it displays a message after starting.