Results 1 to 9 of 9

Thread: W32.Reeezak.A@mm/W32.Zacker.C@mm/W32.Maldal.C@mm

  1. #1
    Senior Member
    Join Date
    Sep 2001

    Exclamation W32.Reeezak.A@mm/W32.Zacker.C@mm/W32.Maldal.C@mm

    Taken from TechRepublic

    Reeezak is yet another mass-mailing worm spreading through Microsoft Outlook address books and MSN Messenger. Unlike some other recent viruses, which didnít cause too much damage, this worm poses a major threat. However, the worm canít cause any damage unless people open the e-mail and the attachment propagated by this virus. But since this is the holiday season, the fake holiday greeting may trick a number of people into opening the attachment. Anyone who does open this worm risks having their computer completely disabled.

    Read the rest of the article
    \"Isn\'t sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you\'re good and crazy, hehe, the skies the limit!!\"

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Great post Matty, always nice to have a heads up on those pesky virri.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.

  3. #3
    Join Date
    Sep 2001
    Thanks Matty.

  4. #4
    Senior Member
    Join Date
    Jul 2001
    not to be redundant, but

    Thanks Matty!!

  5. #5
    Senior Member
    Join Date
    Oct 2001


    It can never be stressed enough that you should not open e-mail attachments from people you dont know. Sometimes people you do know unwittingly leash a worm on you. The best protection is to virus scan all incoming e-mail attachments. Not to sound bitter, but Microsoft has had this hole in Outlook for a very long time, one would think that this problem would be nonexistent by now, but it remains.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  6. #6
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Superior, WI USA
    Originally posted by ThePreacher
    but Microsoft has had this hole in Outlook for a very long time, one would think that this problem would be nonexistent by now, but it remains.
    I've often wondered about this there something about Outlook that prevents it from being patched, by download or otherwise?...I don't use it, so I'm pretty safe on the 'spreading' end of the virus...but still...i update my VS every week, but have never even SEEN the opportunity to update/upgrade the Outlook program in my Windows OS, ever! Why?

    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor

  7. #7
    Senior Member
    Join Date
    Oct 2001

    Post Outlook Patch

    Hmmm, I was watching TechTV the other day. And a section of The Screen Savers came up talking about Microsoft's Outlook Express. Well...there's a patch, to stop yourself at opening attatchments. Well... a rescent servey went out on the Microsoft website...and it was found out, that 1% of ALL Outlook Express users have downloaded the patch. I start laughing immediatly just at the numbers that were comming up, but me not being an Outlook user just flipped the channel after that to a TV Show more reasonable to my likings (can't remember what it was just on the sci-fi channel). So, I'm sorry to announce, I have no URL for the patch. All I know is that it CAN be found on the Microsoft site. Yet try looking at Tech TV for the patch too*. Just search for Outlook Patches.
    Hope it helps, and sorry for not listening to the whole story.

    * If that URL doesn't work, try this one for the main page of Tech TV
    ...This Space For Rent.


  8. #8

    W32/Maldal.c@MM Low

    Virus Information
    Discovery Date: 12/19/2001
    Origin: Unknown
    Length: 37376 bytes
    Type: Virus
    SubType: worm
    Minimum Dat: 4177
    Minimum Engine: 4.0.70
    DAT Release Date: 12/19/2001
    Description Added: 12/19/2001

    Description Menu
    Virus Characteristics
    Method Of Infection
    Removal Instructions
    Variants / Aliases
    Rate this page
    Print This Page

    Virus Characteristics
    W32/Maldal.c@MM was discovered on 19 December 2001, it's the third variant of the W32/Maldal@MM family.

    The mass-mailing worm arrives in an e-mail file attachment called "christmas.exe", the filesize is 37376 bytes. It uses the MS-Outlook address book to mass-mail itself. The worm might also be using entries from MS-Messenger.

    The worm sends rtf based e-mail messages with the following information:
    Subject : Happy New Year
    Body: Hii , I can't describe my feelings But all I can say is Happy new year :-) bye

    Attachment: Christmas.exe
    Sample display of the received e-mail:

    Although the icon has a macromedia-flash style icon,the christmas.exe is written in Visual Basic. Running the file may result in multiple processes, multiple titlebars shown, which may be hard to combat as it tries to disable the keyboard functionality.

    The worm may change the computer name to "Zacker":
    It might also add a "zacker" entry under:

    All files in the %system% directory are deleted upon executing of the christmas.exe.

    The worm also changes the Internet Explorer startup page to a certain "zacker" htm website. This html page contains Javascript code that drops a VBScript virus and also installs a mIRC script. The HTM page is triggered upon with VBS/Rols.dr with Dat-4156 and above. The dropped VBSscript code may delete anti-virus and security software:

    \Program Files\Zone Labs
    \Program Files\AntiViral Toolkit Pro\*.*
    \Program Files\Command Software\F-PROT95\*.*
    \PC-Cillin 95\*.*
    \PC-Cillin 97\*.*
    \Program Files\Quick Heal\*.*
    \Program Files\FWIN32\*.*
    \Program Files\FindVirus\*.*
    \Program Files\McAfee\VirusScan95\*.*
    \Program Files\Norton AntiVirus\*.*
    \Program Files\Zone Labs\*.*

    "Zacker's" MAIN htm page may drop a VBScript file called "outlook.vbs" in the %SYSTEM% directory, so for example c:\windows\system\outlook.vbs. This file attempts to send an e-mail to all the entries in your "contacts" with:
    Subject: Very Important !!!
    Body : See this page http://.................
    So it's encouraging your contacts to click on the (omitted) malicious weblink.

    The outlook.vbs code contains a payload routine to delete all files in the %SYSTEM% folder. An messagebox is being displayed with anti-Jewish text followed by a shutdown of the system.

    -Mass Mailing, file attachment "christmas.exe"
    -Trigger with dropped VBScript virus VBS/Rols
    -Deleted anti-virus and security program files
    -Disabled keyboard functionality
    -Presence of "outlook.vbs" in the %system% folder
    -Deletion of files in the %system% folder
    -Annoying anti-Jewish and/or government message-boxes
    -presence of a file called "zacker.vbs"
    -presence of a file called "rol.vbs"
    -presence of a file called "dalal.htm"
    -presence of a file called "dallah.htm"
    -presence of a file called "server.vbs"

    Method Of Infection
    Initial infection starts when user runs a malicious e-mail file attachment called christmas.exe

    Removal Instructions
    All Users:
    Use current engine and DAT files for detection and removal.
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop, and choose Properties.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.


  9. #9
    Senior Member
    Join Date
    Dec 2001
    now that was some detail...Thanxs...
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts