
Virus Central - Detailed

Virus Information


Name:

W32.Maldal.C@mm

Aliases:

W32.Zacker.C@mm, W32.Reeezak.A@mm

Type:

Worm

Discovery Date:

December 19, 2001

Detection:

 

Virus Description:

W32.Maldal.C@mm is a mass-mailing worm that is written in Visual Basic. The worm uses Microsoft Outlook to spread its infection. It also modifies your Internet Explorer home page. (see Virus Effects)

E-mail Subject:

Happy New Year

E-mail Body:

Hii I can't describe my feelings But all i can say is Happy New Year :) bye

Attachment:

Christmas.exe

Virus Effects:

The worm changes the name of the computer to Zacker by setting the value ComputerName to Zacker in the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

It also adds the value Zacker, with the data %SYSTEM%\Christmas.exe,

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs each time that you start Windows.

Next, the worm changes your Internet Explorer home page to a malicious page that was created by the author of the worm. This page will be detected as JS.Exception.Exploit, even when using virus definitions dated prior to December 18, 2001.

Next, the worm will display a window with the text: "From the heart. Happy new year !"

Finally, the worm disables the keyboard. This means that the keyboard cannot be used until the computer is restarted without the worm being executed.

The Webpage
The webpage that this worm sets as the Internet Explorer start page is malicious. When visited, it contains code that will create the file %Windows%\Rol.vbs. This file will then be executed.

Rol.vbs
When this Visual Basic script is executed, it does the following:

1. Sets the Internet Explorer home page to a page that contains a shockwave flash video.
2. Copies itself to %SYSTEM%\Zacker.vbs.

NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

3. Creates the file %SYSTEM%\Dalal.htm. This page contains a string that will be appended to .html, .htm, and .asp files.
4. Deletes several antivirus and security products. Norton Antivirus will be deleted if it is located in \Program Files\Norton Antivirus (on any drive).
5. Infects .html, .htm, and .asp files.
6. Overwrites files that have the following extensions:

.lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3, .mdb, or .swf

with a copy of Zacker.vbs.

7. If Mirc.ini is found, all .ini files in that folder will be overwritten with a string that will cause an infected computer to send the URL to other users over the IRC network.

8. Finally, the worm will display a political message and attempt to exit Windows.

Removal Instructions:

To remove this worm, delete files that are detected as W32.Maldal.C@mm or JS.Exception.Exploit, repair files detected as W32.Maldal.C@mm(html), and reverse the changes that it made to the registry.

To remove the worm files:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
    3. Run a full system scan.
    4. Delete all files that are detected as W32.Maldal.C@mm or JS.Exception.Exploit.
    5. If any files are detected as infected by W32.Maldal.C@mm(html), click Repair.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the following value:

    Zacker %SYSTEM%\Christmas.exe

    5. Click Registry, and then click Exit.
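As an added, read-only check that is not part of the original writeup, the following PowerShell script looks for the registry values and dropped files described under Virus Effects and Removal Instructions; it reports findings and changes nothing. The Internet Explorer start-page registry location is an assumption, since the writeup does not name it.

```powershell
# Added example (not from the original page): read-only triage for the
# W32.Maldal.C@mm indicators listed in the writeup. Run from an elevated
# PowerShell prompt on the machine being checked.
$findings = @()

# 1. Autostart value "Zacker" in the Run key (data %SYSTEM%\Christmas.exe)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Zacker']) {
    $findings += "Run value 'Zacker' = $($run.Zacker)"
}

# 2. Computer name rewritten to "Zacker"
$nameKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
$name = (Get-ItemProperty -Path $nameKey -ErrorAction SilentlyContinue).ComputerName
if ($name -eq 'Zacker') {
    $findings += "ComputerName is 'Zacker'"
}

# 3. Files dropped by the worm and by Rol.vbs (paths as given in the writeup)
$system  = [Environment]::SystemDirectory                 # %SYSTEM%
$windows = [Environment]::GetFolderPath('Windows')        # %Windows%
$paths = @(
    (Join-Path $system  'Christmas.exe'),
    (Join-Path $system  'Zacker.vbs'),
    (Join-Path $system  'Dalal.htm'),
    (Join-Path $windows 'Rol.vbs')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 4. Internet Explorer start page, which the worm redirects to its malicious
#    page. Assumed location: the writeup does not name the registry value.
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).'Start Page'
if ($start) { $findings += "IE Start Page: $start (confirm this is the expected site)" }

if ($findings.Count -eq 0) {
    'No W32.Maldal.C@mm indicators found.'
} else {
    'Possible W32.Maldal.C@mm indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

If any indicator is reported, follow the removal steps above (full scan with current definitions, then the registry edits) rather than deleting files by hand, since the .html, .htm and .asp files need repair, not deletion.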



Site Last Updated: January 7, 2002
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).