I-Worm.Malda
Details
I-Worm.Maldal
This is a dangerous virus-worm that spreads via the Internet attached to infected e-mails. It installs another Internet worm: I-Worm.Maldal. The worm also creates destructive payloads.
The worm itself is a Windows PE EXE file about 36.5K in length, and is written in Visual Basic 5.
The infected messages contain:
The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself on the system and runs its spreading routine and payload. It displays the following picture only once:
Installation
While installing, the worm copies itself to the Windows system directory with the name “Christmas.exe” and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Zacker = <windir>\Christmas.exe
Spreading via E-mail
To send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.
Installation of the other worm
The worm changes the Internet Explorer start page to: http://geocities.com/jobreee/ZaCker.htm*.
This HTM file contains another Internet worm, VBS.Kerza, which is run after Internet Explorer has been started.
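Added example (not part of the original description): a Python check that scans a registry export taken from a suspect machine for the two traces described above, the "Zacker" auto-run entry pointing at Christmas.exe and the changed Internet Explorer start page. It assumes the start page is stored in the standard "Start Page" value under the per-user Internet Explorer\Main key, which the description does not state; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above, compared case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE, DROPPED_FILE = "zacker", "christmas.exe"
START_PAGE_MARKER = "geocities.com/jobreee/zacker.htm"
# Assumption: the start page lives in the usual per-user IE location.
IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Zacker"="C:\\WINDOWS\\Christmas.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://geocities.com/jobreee/ZaCker.htm"
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        section = SECTION.match(line)
        value = STRING_VALUE.match(line)
        if section:
            key = section.group(1)
        elif key and value:
            # .reg files escape backslashes and quotes inside strings.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
            yield key, name, data

def find_maldal_traces(text):
    """Return (kind, key, value_name, data) for each matching registry trace."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY and (n == RUN_VALUE or d.endswith("\\" + DROPPED_FILE)):
            findings.append(("autorun", key, name, data))
        elif k.endswith(IE_MAIN_SUFFIX) and n == "start page" and START_PAGE_MARKER in d:
            findings.append(("start_page", key, name, data))
    return findings

if __name__ == "__main__":
    print(find_maldal_traces(SAMPLE))
```

Registry exports written by regedit or reg export are UTF-16 encoded, so decode the file with the "utf-16" codec before passing its text to find_maldal_traces.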
Destructive payload
The worm blocks the keyboard and tries to delete all files in the Windows System directory.
*WARNING: DO NOT USE THIS LINK!