W32/Auric@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 05/29/2003
Length: 622,592 bytes (UPX-packed: 240,640 bytes)
Minimum DAT: 4269 (06/04/2003)
Updated DAT: 4272 (06/18/2003)
Minimum Engine: 5.1.00
Description Added: 05/29/2003
Description Modified: 06/25/2003 10:41 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update June 25, 2003 --
This threat was updated to a Low-Profiled risk due to media attention at: http://silicon.com/news/500013/1/4849.html

When the virus is executed it will display the following message:

  • Email characteristics are as follows:

      From: EROTIKA.LAP.HU
      Subject: Maya Gold-os kepernyokimelo!

    The body of the Email is in Hungarian.

    An additional message with the details of the infected system is sent to the following email address:

    'rave-punk@freemail.hu'

    The message body is as follows:

    Email addresses are gathered from within files of extension .ht*.

  • Various Antivirus products are disabled.

  • It invokes Internet Explorer and attempts to launch the following website: 'www.offsprings.com'.
  • Several files are dropped on to the desktop.

Symptoms

  • Presence of raVe.exe file
  • Presence of RAVE*.txt files on the Desktop
  • Registry modifications as described below

Method of Infection

When the attachment is double-clicked, the worm runs and displays a fake error message. It copies itself into the Windows folder under the name "raVe.exe" and registers itself to run after any restart.

The worm also installs a reference to "raVe.exe" into the following keys:

HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\scrfile\shell\open\command

These keys define what is executed when files of the corresponding type are double-clicked. If manual removal is attempted and RAVE.EXE is deleted before these associations are restored, the system will become unusable because every double-click on a .bat, .exe, .com, .pif or .scr file will try to run a program that no longer exists.
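The PowerShell script below is an added example, not McAfee's tooling, for checking whether these five associations still hold their stock values and, with the -Restore switch, writing the stock value back before any file is removed, which is the order the paragraph above implies. The default command strings are an assumption about an unmodified Windows install (third-party launchers can legitimately change them), and the hijack check keys on the raVe.exe name given in this description. Writing to HKEY_CLASSES_ROOT needs an elevated prompt.

```powershell
<#
  Added example (not McAfee's code): audit the HKEY_CLASSES_ROOT
  shell\open\command keys listed above and optionally restore their
  stock values. It changes registry data only and never deletes files,
  so it is safe to run before raVe.exe is removed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Rewrite hijacked or unexpected values back to the stock defaults.
    [switch]$Restore
)

# Stock Windows defaults for each file class (assumption: an unmodified
# Windows install; some third-party launchers legitimately alter these).
$Defaults = [ordered]@{
    batfile = '"%1" %*'
    exefile = '"%1" %*'
    comfile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
}

$results = foreach ($class in $Defaults.Keys) {
    $path     = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
    $expected = $Defaults[$class]

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Class = $class; Current = $null; Expected = $expected; Status = 'Missing' }
        continue
    }

    # The command string lives in the key's unnamed (default) value.
    $current = (Get-Item -LiteralPath $path).GetValue('')

    # -eq and -match are case-insensitive, so "raVe.exe" and "RAVE.EXE" both match.
    if ($current -eq $expected)              { $status = 'OK' }
    elseif ($current -match 'rave\.exe')     { $status = 'Hijacked' }   # indicator from the description
    else                                     { $status = 'Unexpected' }

    if ($Restore -and $status -ne 'OK' -and
        $PSCmdlet.ShouldProcess($path, "Set (default) value to $expected")) {
        Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $expected
        $status = "$status -> Restored"
    }

    [pscustomobject]@{ Class = $class; Current = $current; Expected = $expected; Status = $status }
}

$results | Format-Table -AutoSize
```

Run it without switches to get a read-only report; add -Restore -WhatIf to preview the writes, and -Restore to apply them. Because the script uses SupportsShouldProcess, -Confirm also works for stepping through each key.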

The worm can also spread through P2P file-sharing (Kazaa, eDonkey, Bearshare, Shareaza, Gnucleus, Limewire, Morpheus, Grokster), ICQ sharing and IRC (as "Maya Gold.scr").

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Magold (VBuster)