Arrival and Installation
Upon execution, this malware displays a fake error message with the following text:
DirectX Error!
Address 19851022
To install itself, it first creates the subfolder "dread" under the Windows folder. It then drops the following copies of itself in the Program Files, Windows, and Windows system folders:
* C:\Program Files\ICQ\shared files\Maya Gold.scr
* %Windows%\dreAd\Maya Gold.scr
* %Windows%\dread.exe
* %Windows%\Maya Gold.scr
* %Windows%\sziszi_video.scr
* %Windows%\sziszi_video.exe
* %System%\wdread.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.
%System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
To execute at Windows startup, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
raVe = "%Windows%\dreAd.exe"
It also modifies the following registry entries so that it runs every time a .BAT, .COM, .EXE, .PIF, or .SCR file is opened; the path of the file the user meant to open is handed to the worm as "%1", followed by any remaining arguments (%*):
HKEY_CLASSES_ROOT\batfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"
HKEY_CLASSES_ROOT\exefile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"
HKEY_CLASSES_ROOT\scrfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command
Default = "%Windows%\dreAd.exe "%1" %*"
Because every executable launch is routed through dreAd.exe, these values must be restored to their defaults before the file is deleted; otherwise Windows can no longer start .EXE, .COM, .BAT, .PIF, or .SCR files, including the tools needed for cleanup.
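The following Python is added here as an example and is not code from the original description. It checks the five ProgIDs above against their stock Windows 2000/XP shell\open\command handlers and reports any wrapper executable inserted in front of "%1", then produces the values to write back. The sample values are constructed from the entries listed above; the optional live read of HKEY_CLASSES_ROOT via winreg assumes the script is run on Windows and is not something the page describes.

```python
"""Detect the shell\\open\\command hijack described above and compute the restore values.

Added example; not from the original description. SAMPLE is constructed from the
registry entries listed on the page. The --live read via winreg is an assumption
about the environment (Windows only) and is optional.
"""
import re
import sys

# Stock handlers for these ProgIDs on Windows 2000/XP.
DEFAULT_COMMANDS = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# A handler is hijacked when an .exe path is prepended in front of the original
# "%1" argument, i.e. every launch is routed through that executable first.
_WRAPPER_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.exe)"?\s+"%1"', re.IGNORECASE)


def find_hijacked(commands):
    """commands: {progid: (Default) of HKCR\\<progid>\\shell\\open\\command}.
    Returns {progid: wrapper_exe} for each checked ProgID whose handler is not the stock one."""
    hijacked = {}
    for progid, value in commands.items():
        expected = DEFAULT_COMMANDS.get(progid)
        if expected is None:
            continue  # ProgID outside the scope of this check
        if value.strip().lower() == expected.lower():
            continue  # stock handler, nothing to report
        m = _WRAPPER_RE.match(value)
        hijacked[progid] = m.group("exe") if m else value.strip()
    return hijacked


def restore_values(hijacked):
    """Values to write back. Do this BEFORE deleting the wrapper executable."""
    return {progid: DEFAULT_COMMANDS[progid] for progid in hijacked if progid in DEFAULT_COMMANDS}


def read_live_commands():
    """Windows only (assumption): read the current handlers from HKEY_CLASSES_ROOT."""
    import winreg
    out = {}
    for progid in DEFAULT_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"{progid}\shell\open\command") as key:
                out[progid] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass
    return out


# Constructed sample: the five hijacked entries from the description plus one
# unrelated ProgID, which the check ignores.
SAMPLE = {
    "batfile": 'C:\\WINDOWS\\dreAd.exe "%1" %*',
    "exefile": 'C:\\WINDOWS\\dreAd.exe "%1" %*',
    "piffile": 'C:\\WINDOWS\\dreAd.exe "%1" %*',
    "scrfile": 'C:\\WINDOWS\\dreAd.exe "%1" %*',
    "comfile": 'C:\\WINDOWS\\dreAd.exe "%1" %*',
    "txtfile": '%SystemRoot%\\system32\\NOTEPAD.EXE %1',
}

if __name__ == "__main__":
    source = read_live_commands() if (sys.platform == "win32" and "--live" in sys.argv) else SAMPLE
    found = find_hijacked(source)
    for progid, exe in found.items():
        print(f"{progid}: launches are routed through {exe}")
    for progid, value in restore_values(found).items():
        print(f"restore HKCR\\{progid}\\shell\\open\\command (Default) = {value}")
```

Run it without arguments to exercise the constructed sample; on a Windows host, `--live` reads the real keys. The scrfile default differs from the others (`"%1" /S`), which is why the check keeps a per-ProgID table rather than a single expected string.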
After installing itself, this worm executes the file DREAD.EXE, which in turn executes WDREAD.EXE.
Email Propagation
This worm closes EXPLORER.EXE and starts mailing itself to all recipients found in the address book. It sends email with the following details:
From: VALO VILAG [[email protected]]
Subject: (any of the following; English translation in parentheses)
Sziszi a Voros Demon! (Sziszi the Red Demon!)
Sziszi a Valo Vilag-ban! (Sziszi in Való Világ!)
Sziszi a zuhanyzoban! (Sziszi in the shower!)
Videofelvetel Sziszi-rol! (Video footage of Sziszi!)
Message body (Hungarian, as sent; accented characters that were lost in the listing are restored):
Tisztelt Cím!
Az RTL KLUB jóvoltából Ön most részt vehet egy Internetes nyereményjátékban, ahol akár 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mást tenni, mint a levélhez csatolt flash-videót lefuttatni (ami Sziszi-t a Való Világ 2 sztárját mutatja be zuhanyzás közben), majd a film végén megjelenő azonosítót visszaküldeni a [email protected] címre és Ön máris játékba került.
A sorsolás nyerteseit E-Mail-ben értesítjük 2003.06.30.-án.
Üdvözlettel: RTL KLUB - NA NÁ -
English translation:
Dear Addressee,
Courtesy of RTL KLUB you can now take part in an Internet prize draw in which you can win up to 10,000,000 HUF.
All you need to do is run the flash video attached to this message (which shows Sziszi, the star of Való Világ 2, in the shower), then send the code shown at the end of the film back to [email protected], and you are entered in the draw.
The winners of the draw will be notified by e-mail on 30 June 2003.
Regards: RTL KLUB - NA NÁ -
Attachments:
sziszi_video.scr
sziszi_video.exe
The mass-mailing routine runs periodically rather than once. Closing EXPLORER.EXE is meant to keep the user from browsing to the dropped files and deleting them.
The harvested recipient addresses are stored in a text file named RAVEC.TXT in the Windows system folder.
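As an added example, not code from the original description, the following Python implements a mail-gateway style check for the lure described above: it flags a message whose subject is one of the four listed, or which carries an attachment with an executable extension (.scr, .exe, .pif, .com, .bat). The sample message is constructed inline; its sender address is a placeholder, since the page does not show the real one.

```python
"""Flag messages matching the lure described above.

Added example; not from the original description. The subjects and attachment
names come from the page; build_sample() constructs a message in that shape,
with a placeholder sender address and a fake attachment body.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects as sent (the worm writes them without accents).
KNOWN_SUBJECTS = {
    "sziszi a voros demon!",
    "sziszi a valo vilag-ban!",
    "sziszi a zuhanyzoban!",
    "videofelvetel sziszi-rol!",
}
EXEC_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat")


def classify(raw_bytes):
    """Return the reasons a raw RFC 822 message matches this lure (empty list = no match)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    # iter_attachments() yields only parts marked as attachments, so the text body is skipped.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    return reasons


def build_sample():
    """Constructed message in the shape described on the page (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "VALO VILAG <sender@example.invalid>"   # placeholder, real address not on the page
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Sziszi a zuhanyzoban!"
    m.set_content("Tisztelt Cím!\nAz RTL KLUB jóvoltából Ön most részt vehet egy Internetes nyereményjátékban.\n")
    m.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename="sziszi_video.scr")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in classify(build_sample()):
        print(reason)
```

The attachment-extension rule is the more durable of the two: the subject strings identify this campaign, while blocking executable attachments outright stops the next variant as well.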
Kazaa Propagation
To propagate via Kazaa, it points Kazaa's download directory at its own "dreAd" folder by modifying the following registry entry. Kazaa shares the contents of that directory, so the copy dropped there ("Maya Gold.scr") is offered to other Kazaa users:
HKEY_CURRENT_USER\Software\Kazaa\Transfer
DlDir0 = "%Windows%\dreAd"
Other Details
This worm runs as two processes (DREAD.EXE and WDREAD.EXE); when one is terminated, the other restarts it. Both must be stopped together, or the files removed from outside the running system, before cleanup.
For data storage, it creates the following registry key with these values:
HKEY_LOCAL_MACHINE\SOFTWARE\dreAd
datum = hex:00,00,00,00,80,74,e2,40
beepul = dword:00000002
halozat = dword:00000002
irc = dword:00000002
(The value names are Hungarian: datum = date, beepul (beépül) = installs itself, halozat (hálózat) = network.)
This worm is written in Delphi.
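The following Python is an added example, not code from the original description; it decodes the 8-byte datum value listed above. Reading the bytes as a little-endian IEEE 754 double is exact. Interpreting that double as a Delphi TDateTime (days since 1899-12-30, with the fraction as time of day) is an inference from the worm being written in Delphi and from the value name, and the page does not confirm it. Under that reading the value is 37796.0, which is 2003-06-24 00:00, one day after this description was created.

```python
"""Decode the REG_BINARY 'datum' value listed above.

Added example; not from the original description. The double decoding is
exact; the TDateTime interpretation is an assumption based on the worm being
written in Delphi and on the value name (datum = date in Hungarian).
"""
import struct
from datetime import datetime, timedelta

DELPHI_EPOCH = datetime(1899, 12, 30)   # TDateTime 0.0
DATUM = "hex:00,00,00,00,80,74,e2,40"   # value from the description


def parse_reg_hex(text):
    """The .reg 'hex:aa,bb,...' form -> bytes."""
    return bytes(int(b, 16) for b in text.replace("hex:", "").split(","))


def reg_binary_to_double(raw):
    """8-byte REG_BINARY -> little-endian double (how a Delphi Double is laid out in memory)."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return struct.unpack("<d", raw)[0]


def tdatetime_to_datetime(value):
    """Delphi TDateTime -> datetime. Integer part = days since 1899-12-30, fraction = time of day.
    Delphi encodes pre-epoch dates with a sign convention that is not handled here."""
    if value < 0:
        raise ValueError("pre-epoch TDateTime not handled")
    days = int(value)
    return DELPHI_EPOCH + timedelta(days=days, seconds=round((value - days) * 86400))


def decode_datum(text=DATUM):
    """Return (double value, datetime under the TDateTime assumption)."""
    d = reg_binary_to_double(parse_reg_hex(text))
    return d, tdatetime_to_datetime(d)


if __name__ == "__main__":
    d, when = decode_datum()
    print(f"datum = {d} -> {when:%Y-%m-%d %H:%M:%S} (if TDateTime)")
```

A value that decodes to a plausible date close to the analysis date is the usual sign that an 8-byte binary value written by a Delphi program is a TDateTime; a dword would have been the natural choice for a counter or flag, as with the other three values.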
Description created: Jun. 23, 2003