W32/Maldal.d@MM
- Type: Virus
- SubType: Win32
- Discovery Date: 12/29/2001
- Length: 27,136
- Minimum DAT: 4179 (01/02/2002)
- Updated DAT: 5478 (12/29/2008)
- Minimum Engine: 5.1.00
- Description Added: 12/29/2001
- Description Modified: 01/03/2002 12:44 PM (PT)
Characteristics
--- Update 1/2/2002 ---
Avert has received several samples of a new variant of W32/Maldal.d@MM. The new variant is 27,648 bytes in length and functions as specified below. It is detected as W32/Maldal.gen@MM with the 4179 DATs.
--- Update 12/30/2001 ---
Avert has only received a few samples of this threat and considers it to be a low risk.
This mass-mailing worm gathers email addresses from cached web pages and the Outlook Address Book, and deletes files and security software. It arrives in an email message whose subject, body, and attachment name are chosen as follows:
Subject: %Computer Name%
The computer name is changed to ZaCker by the virus, but email messages are likely to go out with the existing computer name as the subject line before the change takes effect. After the name change the subject is ZaCker.
Body: Test this game body
or Body: I wish u like it
or Body: I have got this file for you
or Body: Surprise !!!
or Body: download this game & have fun ;)
or Body: desktop maker ,you may need it ;)
or Body: have you ever got a gift !?
or Body: What women wants !
or Body: Don't waste any time ,Subscribe now
or Body: Make your pc funny !
or Body: new program from my fun groups
or Body: Map of the world
or Body: Create your Ecard ( looooooooooooooooool
or Body: Send it to everybody you love
or Body: Its made by me ;)
or Body: Our symbol
or Body: If you have an elegant taste
or Body: Test your mind
or Body: 1 + 1 = 3 !!!
or Body: See this file
or Body: Singer , searsh for any song and sing ;)
or Body: For everybody wants to marry a woman that he doesn't love !
or Body: nowadays , there is no womanhood !! :P
or Body: Just Try to fix it
or Body: Keep these advertisements run and earn 0.25 $ per 10 minute ;)
Attachment: %ComputerName%.exe
Again, the computer name is changed to ZaCker by the virus, but email messages are likely to go out with the existing computer name as the attachment name before the change takes effect. After the name change the attached file is named ZaCker.exe.
When the attachment is run, a fake error message is displayed.
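The delivery pattern above (subject equal to the sender's computer name, an .exe attachment named after that same subject, and a body drawn from a fixed set of lures) is a good fit for a mail-gateway rule. The following is an added example, not code from McAfee/Avert or from the description: it parses one RFC 5322 message with Python's standard `email` module and reports which of the worm's indicators it matches. The lure texts are the ones listed above; the sample messages, the gateway-rule structure and the header handling are assumptions of this example.

```python
"""Mail-gateway check for the W32/Maldal.d@MM delivery pattern.

Added example (not McAfee/Avert code). Flags a message when its .exe
attachment name is the Subject plus ".exe" (the worm uses the sending
machine's computer name for both), when either carries the fixed name
"ZaCker", or when the body is one of the worm's fixed lure texts.
"""
import email
from email import policy
from email.message import EmailMessage

# Lure bodies from the description, normalised to lower case / single spaces.
MALDAL_BODIES = {
    "test this game body", "i wish u like it", "i have got this file for you",
    "surprise !!!", "download this game & have fun ;)",
    "desktop maker ,you may need it ;)", "have you ever got a gift !?",
    "what women wants !", "don't waste any time ,subscribe now",
    "make your pc funny !", "new program from my fun groups",
    "map of the world", "create your ecard ( looooooooooooooooool",
    "send it to everybody you love", "its made by me ;)", "our symbol",
    "if you have an elegant taste", "test your mind", "1 + 1 = 3 !!!",
    "see this file", "singer , searsh for any song and sing ;)",
    "for everybody wants to marry a woman that he doesn't love !",
    "nowadays , there is no womanhood !! :p", "just try to fix it",
    "keep these advertisements run and earn 0.25 $ per 10 minute ;)",
}


def _norm(text: str) -> str:
    """Collapse whitespace and lower-case so header/body variants compare equal."""
    return " ".join(text.split()).lower()


def maldal_indicators(raw: bytes) -> list[str]:
    """Return the Maldal.d indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm(msg.get("Subject", ""))
    hits = []
    if subject == "zacker":
        hits.append("subject is the post-rename computer name ZaCker")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue                      # not an attachment part
        fname = _norm(fname)
        if not fname.endswith(".exe"):
            continue                      # the worm only ships .exe
        stem = fname[:-4]
        if stem == "zacker":
            hits.append("attachment ZaCker.exe")
        if subject and stem == subject:
            hits.append(f"attachment name matches subject: {fname}")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body = _norm(body_part.get_content())
        if body in MALDAL_BODIES:
            hits.append(f"known lure body: {body!r}")
    return hits


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a sample message in the worm's layout (constructed test data)."""
    m = EmailMessage()
    m["From"] = "user@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Payload bytes are a placeholder, not the worm; only the name matters here.
    m.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    # Pre-rename message: subject and attachment carry the old computer name.
    for hit in maldal_indicators(build_sample("OFFICE-PC", "Test your mind",
                                              "OFFICE-PC.exe")):
        print("indicator:", hit)
```

The subject/attachment match is the most useful rule of the three, because it holds for every message sent before the computer name changes, whatever that name is; the body list only catches messages the description happens to enumerate.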
The worm copies itself to the WINDOWS SYSTEM directory as WIN.EXE and creates a registry run key to load itself at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\System
Cached web pages are scanned for email addresses, to which the worm sends itself using MAPI messaging. The worm also sends itself to all Outlook Address Book recipients.
The computer name is set to ZaCker through the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName=ZaCker
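Both registry changes above (the Run\System value that loads WIN.EXE and the ComputerName value set to ZaCker) can be checked offline from a `reg export` file taken off a suspect machine. The following is an added example, not McAfee/Avert code: a small parser for the .reg text format plus a check for those two values. The sample export, the assumed `C:\WINDOWS\SYSTEM` path and the key casing are constructed; the key and value names come from the description.

```python
"""Host-side check for the Maldal.d persistence and computer-name changes.

Added example (not McAfee/Avert code). Parses a .reg export ("Windows
Registry Editor Version 5.00" format) and reports the two indicators
given in the description. Only REG_SZ values are parsed; that is all
the check needs.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NAME_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control"
            r"\ComputerName\ComputerName")

# "Name"=<value>   (name may contain escaped quotes/backslashes)
_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<value>.*)$')


def _unescape(s: str) -> str:
    """.reg files escape a backslash as \\\\ and a double quote as \\\"."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each key path (lower-cased) to its REG_SZ values (names lower-cased)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _LINE.match(line)
        if m is None or current is None:
            continue                      # @ default values, dword:, hex: etc.
        value = m.group("value")
        if value.startswith('"') and value.endswith('"'):
            name = _unescape(m.group("name")).lower()
            keys[current][name] = _unescape(value[1:-1])
    return keys


def maldal_host_indicators(export_text: str) -> list[str]:
    """Return the Maldal.d registry indicators present in a .reg export."""
    keys = parse_reg_export(export_text)
    hits = []
    target = keys.get(RUN_KEY.lower(), {}).get("system", "")
    if target.lower().endswith("\\win.exe"):
        hits.append(f"Run\\System loads {target}")
    name = keys.get(NAME_KEY.lower(), {}).get("computername", "")
    if name.lower() == "zacker":
        hits.append("ComputerName is ZaCker")
    return hits


# Constructed export of an infected host; the WIN.EXE path is an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\SYSTEM\\WIN.EXE"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="ZaCker"
'''

if __name__ == "__main__":
    for hit in maldal_host_indicators(SAMPLE_EXPORT):
        print("indicator:", hit)
```

The value name "System" under Run is the thing to key on rather than the file name alone: a legitimate WIN.EXE is not expected in the system directory, but the pairing of that value name with that target is what the description gives as the worm's startup hook.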
The following files are deleted:
eSafe\Protect\*.*
Program Files\McAfeeVirusScan95\*.*
PC-Cillin 95\*.*
PC-Cillin 97\*.*
Program Files\FindVirus\*.*
Program Files\FWIN32\*.*
Program Files\Norton AntiVirus\*.*
Program Files\Quick Heal\*.*
Program Files\Zone Labs
Program Files\AntiViral ToolkitPro\*.*
Program Files\Command Software\F-PROT95\*.*
Program Files\Zone Labs\*.*
rescue\*.*
TBAVW95\*.*
Toolkit\FindVirus\*.*
f-macro\*.*
VS95\*.*
Files with the following extensions may also be deleted:
bat
com
dat
doc
htm
html
ini
jpg
lnk
mdb
mpeg
php
ppt
txt
xls
zip
The worm may crash or shut down Windows. Upon reboot the user is likely to get an error message that WIN.COM is missing.
Symptoms
- Computer name has been changed to ZaCker
- WIN.COM missing error message appears
- Deleted files
Method of Infection
This worm arrives as an .EXE attachment in an email message with a varying subject, message body, and attachment name. Manually running this attachment infects the local system, which is then used to mail the worm to others.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
- W32/Maldal.e@MM
- W32/Maldal.f@MM
- W32/Maldal.g@MM
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Maldal.D@mm (NAV)
- W32/Maldal-G (Sophos)
- W32/Maldal.G (Panda)
- W32/Maldal.gen@MM
- W32/Maldal.H-mm (Message Labs)
- Win32.Maldal.D (CA)
- Win32.Maldal.E (CA)
- WORM_MALDAL.D (Trend)
- WORM_MALDAL.E (Trend)