Virus: Worm/McMaggot.A
Date discovered: 04/12/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 449.024 Bytes
MD5 checksum: 0Aa203943d1e264973b2993ca09ef4c3
IVDF version: 7.01.00.184 - Thursday, December 4, 2008

General
Method of propagation:
   • Email


Aliases:
   • Symantec: W32.Ackantta@mm
   • McAfee: W32/Xirtem@MM
   • Kaspersky: Trojan-Banker.Win32.Banker.abbi
   • Grisoft: Downloader.Agent.APQJ
   • Bitdefender: Win32.Worm.McMaggot.A

It was previously detected as:
   • TR/Dropper.Gen


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\vxworks.exe



The following file is created:
   • %SYSDIR%\qnx.exe

This file is executed as soon as it has been fully written. Further investigation showed that it is malware as well. Detected as: BDS/McMaggot.A

Registry
One of the following values is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Wind River Systems" = "c:\windows\system32\vxworks.exe"



The following registry key is changed:

– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
   New value:
   • "c:\windows\system32\vxworks.exe" = "c:\windows\system32\vxworks.exe:*:Enabled:Explorer"

This entry adds vxworks.exe to the Windows Firewall list of authorized applications, so the worm's own network traffic is not blocked by the host firewall.
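A host check for the file and registry artifacts listed above, added here as an example and not part of the Avira description. It assumes %SYSDIR% resolves to the live System32 directory; the function name and the output layout are this example's own choices, while the registry paths and value names are taken from the description.

```powershell
# Added example (not Avira's code): look for the Worm/McMaggot.A persistence and
# firewall artifacts on a Windows host. Function name and output shape are assumptions.

function Test-McMaggotArtifacts {
    [CmdletBinding()]
    param(
        # Directory the description calls %SYSDIR%; defaults to the live System32.
        [string]$SysDir = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = @()

    # Dropped files named in the description.
    foreach ($name in 'vxworks.exe', 'qnx.exe') {
        $path = Join-Path $SysDir $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
        }
    }

    # Run-key value "Wind River Systems" used for persistence after reboot.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Wind River Systems']) {
        $findings += [pscustomobject]@{
            Type   = 'RunKey'
            Detail = "Wind River Systems = $($run.'Wind River Systems')"
        }
    }

    # Windows Firewall exception for vxworks.exe (XP/2003-era StandardProfile layout).
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -like '*vxworks.exe' -or "$($prop.Value)" -like '*vxworks.exe:*') {
                $findings += [pscustomobject]@{
                    Type   = 'FirewallException'
                    Detail = "$($prop.Name) = $($prop.Value)"
                }
            }
        }
    }

    return $findings
}

# Usage: list any artifacts found; no output means none of the indicators are present.
Test-McMaggotArtifacts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys can be read; a hit on the firewall list with no Run-key value still warrants a closer look at the host.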

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is one of the following:
   • giveaway@mcdonalds.com
   • noreply@coca-cola.com
   • postcards@hallmark.com


Subject:
One of the following:
   • Coca Cola is proud to accounce our new Christmas Promotion.
   • Mcdonalds wishes you Merry Christmas!
   • You've received A Hallmark E-Card!



Attachment:
The filename of the attachment is one of the following:
   • coupon.zip
   • postcard.zip
   • promotion.zip

The attachment is an archive containing a copy of the malware itself.



File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
It is packed with a runtime packer to hinder detection and reduce the file size.

Description inserted by Alexander Neth on Thursday, December 4, 2008
Description updated by Alexander Neth on Thursday, December 4, 2008
