Heads Up**W32.HLLW.Magold.E@mm

Und3ertak3r
June 26th, 2003, 10:59 AM
Hi Guys,

The following was found on Symantec (Norton) (http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.magold.e@mm.html)

Known as WORM_AURIC.E with Trend (PC-Cillin) (page info currently unavailable)
Known as W32/Magold-D with Sophos (http://www.sophos.com/virusinfo/analyses/w32magoldd.html)


Distribution: High
Damage: Medium
Wild: Low

W32.HLLW.Magold.E@mm is a mass-mailing worm that sends itself to all the contacts it finds in the Windows Address Book, as well as in all the files whose extension begins with "ht." The email will have a random subject and a file attachment named Sziszi_video.scr. The worm also attempts to spread itself through various file-sharing networks, mIRC and Pirch. It attempts to terminate the processes of various programs, including antivirus software.

The worm displays a fake message when initially executed.

This threat is written in Borland C++Builder and is compressed with UPX.



Also Known As: WORM_AURIC.E [Trend], I-Worm.Magold.e [KAV], W32/Magold-D [Sophos]
Variants: W32.HLLW.Magold@mm
Type: Worm
Infection Length: 238,592 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows Me, Macintosh, OS/2, UNIX, Linux
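Added example for this thread (not code from the post or from any of the vendor writeups): a small mail-gateway triage that flags a message carrying the kind of attachment the worm mails out. Both sample messages below are constructed from the details given in the post (sender, subject, attachment name); they are not captures of the real worm mail, and the base64 body is a dummy payload. The check goes a little beyond the worm itself: it also flags a part whose Content-Type name and Content-Disposition filename disagree, and it always judges by the last extension so that a double-extension name like video.avi.scr is still treated as a .scr.

```python
"""Mail-gateway triage for the attachment pattern described above.

Added example written for this thread; it is not code from the post or from
any of the vendor writeups. The two messages below are constructed from the
details given in the post (sender, subject, attachment name); they are not
captures of the real worm mail, and the base64 body is a dummy payload.
"""
import email
import os
from email import policy

# Extensions Windows runs on double-click. A .scr "screensaver" is an
# ordinary PE executable under a different name.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Dropper / attachment names quoted in the Symantec, Trend and Sophos text.
KNOWN_DROPPERS = {"sziszi_video.scr", "sziszi_video.exe", "maya gold.scr"}


def triage(raw: bytes) -> dict:
    """Return {'block': bool, 'reasons': [...], 'attachments': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, names = [], []
    for part in msg.iter_attachments():
        ct_name = part.get_param("name")                      # Content-Type
        cd_name = part.get_param("filename", header="content-disposition")
        name = (cd_name or ct_name or "").strip()
        names.append(name)
        # Two different names on one part: one for the client's display,
        # another for what is written to disk.
        if ct_name and cd_name and ct_name.lower() != cd_name.lower():
            reasons.append(f"attachment name mismatch: {ct_name!r} vs {cd_name!r}")
        # Judge by the last extension only: video.avi.scr is still a .scr.
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment {name!r} ({ext})")
        if name.lower() in KNOWN_DROPPERS:
            reasons.append(f"attachment {name!r} matches a known Magold dropper name")
    return {"block": bool(reasons), "reasons": reasons, "attachments": names}


# Constructed to match the headers and attachment name in the post; the
# lure text is replaced by a placeholder.
SAMPLE_WORM_MAIL = b"""From: VALO VILAG <valovilag@rtlklub.hu>
To: victim@example.invalid
Subject: Sziszi a zuhanyzoban!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

(constructed lure text)
--b1
Content-Type: application/octet-stream; name="sziszi_video.scr"
Content-Disposition: attachment; filename="sziszi_video.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign message with a text attachment, for contrast.
SAMPLE_CLEAN_MAIL = b"""From: colleague@example.invalid
To: victim@example.invalid
Subject: notes from today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached.
--b2
Content-Type: text/plain; charset="us-ascii"; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

line one
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, triage(raw))
```

The From address is not used as a signal on purpose: the worm forges it, and so can anything else, so a sender-based rule would only block the one lure quoted here. The extension and name checks survive a change of lure text; they do not survive a renamed attachment, which is why the block list of extensions matters more than the dropper-name list.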

IKnowNot
June 26th, 2003, 11:39 AM
Trend (PC-Cillin) Worm_AURIC.E (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AURIC.E) is now available; tech details (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AURIC.E&VSect=T):

Arrival and Installation

Upon execution, this malware displays a fake error message with the following text:

DirectX Error!
Address 19851022

To install itself, it first creates the subfolder "dread" under the Windows folder. It then drops the following copies of itself in the Program Files, Windows, and Windows system folders:

* C:\Program Files\ICQ\shared files\Maya Gold.scr
* %Windows%\dreAd\Maya Gold.scr
* %Windows%\dread.exe
* %Windows%\Maya Gold.scr
* %Windows%\sziszi_video.scr
* %Windows%\sziszi_video.exe
* %System%\wdread.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.
%System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

To execute at Windows startup, it creates the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
raVe = "%Windows%\dreAd.exe"

It also modifies the following registry entries so that it runs every time a .BAT, .EXE, .PIF, .SCR, or .COM file is executed:

HKEY_CLASSES_ROOT\batfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"

HKEY_CLASSES_ROOT\exefile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"

HKEY_CLASSES_ROOT\piffile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"

HKEY_CLASSES_ROOT\scrfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"

HKEY_CLASSES_ROOT\comfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"

After installing itself, this worm executes the file DREAD.EXE, which in turn executes WDREAD.EXE.

Email Propagation

This worm closes EXPLORER.EXE and starts mailing itself to all recipients found in the address book. It sends email with the following details:

From: VALO VILAG [valovilag@rtlklub.hu]

Subject: (any of the following; Hungarian as sent, English in brackets)
Sziszi a Voros Demon! [Sziszi the Red Demon!]
Sziszi a Valo Vilag-ban! [Sziszi in Való Világ!]
Sziszi a zuhanyzoban! [Sziszi in the shower!]
Videofelvetel Sziszi-rol! [Video footage of Sziszi!]

Message body (Hungarian as sent):
Tisztelt Cím!

Az RTL KLUB jóvoltából Ön most részt vehet egy Internetes nyereményjátékban, ahol akár 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mást tenni, mint a levélhez csatolt flash-videót lefuttatni (ami Sziszi-t a Való Világ 2 sztárját mutatja be zuhanyzás közben), majd a film végén megjelenő azonosítót visszaküldeni a valovilag@rtlklub.hu címre és Ön máris játékba került.
A sorsolás nyerteseit E-Mail-ben értesítjük 2003.06.30.-án.

Üdvözlettel: RTL KLUB - NA NÁ -

English translation of the body:
Dear Sir or Madam,

Courtesy of RTL KLUB, you can now take part in an online prize draw in which you can win as much as 10,000,000 HUF.
All you need to do is run the flash video attached to this message (which shows Sziszi, the star of Való Világ 2, in the shower), then send the identifier shown at the end of the film back to valovilag@rtlklub.hu, and you are already entered in the draw.
Winners of the draw will be notified by e-mail on 30 June 2003.

Regards: RTL KLUB - NA NÁ -

Attachments:
sziszi_video.scr
sziszi_video.exe

This worm periodically mass-mails itself. It closes EXPLORER.EXE to prevent users from accessing and deleting malware files.

It writes a text file named RAVEC.TXT, where it stores recipient addresses, in the Windows system folder.

Kazaa Propagation

To propagate via Kazaa, it shares the "dread" folder by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Kazaa\Transfer
DlDir0 = "%Windows%\dreAd"

Other Details

This worm re-executes itself when one of its two instances is terminated.

For data storage, it creates the following registry key and values:

HKEY_LOCAL_MACHINE\SOFTWARE\dreAd
datum = hex:00,00,00,00,80,74,e2,40
beepul = dword:00000002
halozat = dword:00000002
irc = dword:00000002

This worm is written in Delphi.


Description created: Jun. 23, 2003
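Added example for this thread (not code from the post or from any vendor tool): an offline check of a registry export for the persistence entries listed above. The .reg text in the block is constructed to look like `reg export` output from an infected NT/2000/XP host with C:\WINNT as %Windows%; it is not a capture from a real infection. A shell\open\command value is judged clean if it starts with "%1" (the stock exefile value is "%1" %*), because anything placed in front of "%1" is a program that runs before every file of that type the user launches. The decoding of the "datum" value as a Delphi TDateTime is an assumption of this example, based only on the writeup saying the worm is written in Delphi and the value being 8 bytes; the writeup itself does not say what the value holds.

```python
"""Offline check of a registry export for the persistence entries above.

Added example written for this thread, not code from the post or from any
vendor tool. SAMPLE_INFECTED is constructed to look like `reg export`
output from an infected host with C:\\WINNT as %Windows%; it is not a
capture from a real infection.
"""
import datetime
import re
import struct

EXEC_CLASSES = ("batfile", "comfile", "exefile", "piffile", "scrfile")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KAZAA_KEY = r"hkey_current_user\software\kazaa\transfer"
DATA_KEY = r"hkey_local_machine\software\dread"
# File names the writeup says the worm drops, compared case-insensitively.
DROPPED = {"dread.exe", "wdread.exe", "maya gold.scr",
           "sziszi_video.scr", "sziszi_video.exe"}

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_lower: {value_name_lower: data}}.
    Handles string, dword and single-line hex data; that is all this needs."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.lower().startswith("hex:"):
            value = bytes.fromhex(data[4:].replace(",", ""))
        else:
            value = data
        reg[key][name] = value
    return reg


def find_hijacks(reg: dict) -> list:
    """Return (category, location, data) for each entry matching the writeup."""
    found = []
    for cls in EXEC_CLASSES:
        key = "hkey_classes_root\\%s\\shell\\open\\command" % cls
        cmd = reg.get(key, {}).get("")
        # Clean values start with "%1"; a loader in front of it is a hijack.
        if isinstance(cmd, str) and not cmd.lstrip().startswith('"%1"'):
            found.append(("file-association hijack", key, cmd))
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and (name == "rave" or _basename(data) in DROPPED):
            found.append(("run-key persistence", RUN_KEY + "\\" + name, data))
    dldir = reg.get(KAZAA_KEY, {}).get("dldir0")
    if isinstance(dldir, str) and _basename(dldir) == "dread":
        found.append(("kazaa share of dropper folder", KAZAA_KEY + "\\dldir0", dldir))
    if DATA_KEY in reg:
        found.append(("worm data key", DATA_KEY, sorted(reg[DATA_KEY])))
    return found


def delphi_datetime(blob: bytes) -> datetime.datetime:
    """Decode 8 bytes as a Delphi TDateTime (little-endian double, days since
    1899-12-30). Assumption of this example: the post says the worm is Delphi
    and 'datum' (Hungarian for 'date') is 8 bytes; the writeup does not say."""
    days = struct.unpack("<d", blob)[0]
    return datetime.datetime(1899, 12, 30) + datetime.timedelta(days=days)


# Constructed .reg text; values follow the Trend writeup with %Windows%=C:\WINNT.
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\dreAd.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINNT\\dreAd.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINNT\\dreAd.exe"
[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"DlDir0"="C:\\WINNT\\dreAd"
[HKEY_LOCAL_MACHINE\SOFTWARE\dreAd]
"datum"=hex:00,00,00,00,80,74,e2,40
"beepul"=dword:00000002
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_INFECTED)
    for finding in find_hijacks(reg):
        print(*finding)
    print("datum =", delphi_datetime(reg[DATA_KEY]["datum"]))
```

Two practical points follow from the entries themselves. First, the exefile hijack means that deleting dreAd.exe before restoring HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %* leaves every .exe on the box unlaunchable, including regedit and the antivirus, so the association keys are fixed first and the dropped files removed second. Second, in the constructed sample the "datum" bytes decode to 24 June 2003, a day after the writeup's creation date; on a real host such a value is worth checking against the mail-server logs for the first sziszi_video.scr delivery, but only as a lead, since the interpretation is an assumption.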