Alias: WORM_AURIC.E [Trend], I-Worm.Magold.e [KAV], W32/Magold-D [Sophos]
Type: Worm
Size: 238,592 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution
The worm uses its own SMTP engine to send itself by email to all addresses found in the Windows Address Book and in files whose names begin or end with "ht".

From: VALO VILAG%valovilag@rtlklub.hu%
Subject:

Videofelvetel Sziszi-rol!

Sziszi a Valo Vilag-ban!

Sziszi a zuhanyzoban!

Sziszi a Voros Demon!

Body:
Tisztelt Cím!
Az RTL KLUB jóvoltából Ön most részt vehet egy Internetes nyereményjátékban, ahol akár 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mást tenni, mint a levélhez csatolt flash-videót lefuttatni (ami Sziszi-t a Való Világ 2 sztárját mutatja be zuhanyzás közben), majd a film végén megjelenõ azonosítót visszaküldeni a valovilag@rtlklub.hu címre és Ön máris játékba került.
A sorsolás nyerteseit E-Mail-ben értesítjük 2003.06.30.-án.
Üdvözlettel: RTL KLUB - NA NÁ -

Attachment:
Sziszi_video.scr

Technical Details
Worm/Magold.E.1 tries to terminate various programs, including antivirus software, containing the following strings:
VIR ANTI AFEE NORT PROT AV
and all processes with the file name containing:
VIR ANTI AFEE NORT PROT AV WINK

The worm also terminates the following processes:
MSCVB32.EXE
ISERVC.EXE
MSCCN32.EXE
WINGATE.EXE
WINEXE.EXE
WINRPC.EXE
SCAM32.EXE
SIRC32.EXE

When activated, the worm displays a fake "DirectX Error" window.
The worm copies itself as:
%WinDIR%\dreAd.exe
%WinDIR%\Maya Gold.scr
%WinDIR%\DreAd\Maya Gold.scr
%WinDIR%\Sziszi_video.exe
%WinDIR%\Sziszi_video.scr
%System%\Wdread.exe

It makes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "raVe"="%WinDIR%\dreAd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "raVe"="%WinDIR%\dreAd.exe"

It also modifies the following file-association commands:
HKEY_CLASSES_ROOT\exefile\shell\open\command %WinDIR%\dreAd.exe "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command %WinDIR%\dreAd.exe "%1" %*
HKEY_CLASSES_ROOT\batfile\shell\open\command %WinDIR%\dreAd.exe "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command %WinDIR%\dreAd.exe "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command %WinDIR%\dreAd.exe "%1" %*

Thus, the worm is activated every time a file of one of the following types is opened: .exe .com .bat .pif .scr
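The Run/RunServices entries and the rewritten shell\open\command values above are the worm's persistence footprint, and a file-association hijack of this kind is straightforward to spot in a registry export: the clean open command for exefile, comfile, batfile, piffile and scrfile starts with "%1", so anything interposed before it is foreign. The following script is an added example written for this page (it is not Avira's code and not part of the original description). It parses a constructed .reg-style export, assumes %WinDIR% expands to C:\WINDOWS, and flags only the indicators listed in the description above; the helper names (parse_reg_export, scan_reg_export) are the example's own.

```python
"""Added example: flag the Worm/Magold.E.1 registry indicators in a .reg export."""
import re

# Indicators taken from the description above (keys compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
DROPPED_FILES = {"dread.exe", "wdread.exe", "maya gold.scr",
                 "sziszi_video.exe", "sziszi_video.scr"}
HIJACKED_CLASSES = {"exefile", "comfile", "batfile", "piffile", "scrfile"}
MARKER_KEYS = {r"hkey_local_machine\software\dread"}
KAZAA_KEY = r"hkey_current_user\software\kazaa\transfer"

# "name"="data" or @="data" (REG_SZ lines only); other value types are ignored.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
_CMD_RE = re.compile(r'^hkey_classes_root\\([^\\]+)\\shell\\open\\command$')


def _unescape(s):
    """.reg exports escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key: {value_name: data}}; value name '' is the (Default) value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _unescape(m.group(2))
    return keys


def scan_reg_export(text):
    """Return (kind, key, detail) tuples for every indicator found."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lkey = key.lower()
        if lkey in MARKER_KEYS:
            findings.append(("marker_key", key, ""))
        if lkey in RUN_KEYS:
            for name, data in values.items():
                # Compare only the file name of the autostart target.
                base = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in DROPPED_FILES or name == "raVe":
                    findings.append(("persistence", key, f"{name}={data}"))
        m = _CMD_RE.match(lkey)
        if m and m.group(1) in HIJACKED_CLASSES:
            cmd = values.get("", "")
            # A clean command begins with "%1"; report whatever was put in front.
            if not cmd.startswith('"%1"'):
                interposed = cmd.split('"%1"', 1)[0].strip()
                findings.append(("association_hijack", key, interposed or cmd))
        if lkey == KAZAA_KEY and "dread" in values.get("DlDir0", "").lower():
            findings.append(("p2p_share_redirect", key, values["DlDir0"]))
    return findings


# Constructed sample export (not a real capture); mixes the worm's entries with
# benign ones so the clean cases are exercised too.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\dreAd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"raVe"="C:\\WINDOWS\\dreAd.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\dreAd.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\dreAd]

[HKEY_CURRENT_USER\SOFTWARE\Kazaa\Transfer]
"DlDir0"="C:\\WINDOWS\\dreAd"
'''

if __name__ == "__main__":
    for kind, key, detail in scan_reg_export(SAMPLE_EXPORT):
        print(f"{kind:20} {key}  {detail}")
```

When cleaning a hijacked association, restore the open command to its default (e.g. "%1" %* for exefile) before deleting the interposed executable; removing dreAd.exe first leaves every .exe launch pointing at a missing file.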

However, the worm will not open a file whose name contains any of the following strings:
VI AV NORTON MCAFEE \STARTUP \IND

The worm starts the processes:
dreAd.exe
wdread.exe

It creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\dreAd
and also makes the following entry:
HKEY_CURRENT_USER\SOFTWARE\Kazaa\Transfer "DlDir0"="%WinDIR%\dreAd"

If the worm finds any of the following directories, it copies itself into them as Maya Gold.scr:
%ProgramFiles%\Limewire\Share
%ProgramFiles%\Gnucleus\Downloads
%ProgramFiles%\Gnucleus\Downloads\Incoming
%ProgramFiles%\Shareaza\Downloads
%ProgramFiles%\Bearshare\Shared
%ProgramFiles%\Edonkey2000\Incoming
%ProgramFiles%\Morpheus\My Shared Folder
%ProgramFiles%\Grokster\My Grokster
%ProgramFiles%\ICQ\Shared Files
%ProgramFiles%\Edonkey2000
This description was created by Crony Walker on Tuesday, 15 June 2004.
