W32.Maldal.C@mm
This virus should begin propagating this week. We recommend obtaining the latest virus definitions
for your virus scanner to ensure all of your machines are protected.
The following is technical information and removal instructions excerpted from Symantec's web site:
Discovered on: December 19, 2001
Last Updated on: December 19, 2001 at 04:14:59 PM PST
W32.Maldal.C@mm is a mass-mailing worm that is written in Visual Basic. The worm uses Microsoft Outlook to
spread its infection. It also modifies your Internet Explorer home page.
NOTE: The Web page that is set as the Internet Explorer home page will be detected as
JS.Exception.Exploit.
Also Known As: W32.Zacker.C@mm, W32.Reeezak.A@mm
Type: Worm
Infection Length: 37,376
Virus Definitions: December 19, 200
Threat Assessment:
Wild:
Damage:
Distribution:
Technical description:
W32.Maldal.C@mm is a mass-mailing worm. The worm is written in Visual Basic, and it requires Visual Basic
runtime libraries to execute.
When the worm is executed, it does the following:
It emails itself to all contacts in the Microsoft Outlook address book. The email has the following
characteristics:
Subject: Happy New Year
Message:
Hii
I can't describe my feelings
But all i can say is
Happy New Year :)
bye
Attachment: Christmas.exe
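The message characteristics above are fixed strings, so a mail gateway can flag the worm's traffic before a recipient opens it. The following Python script is an added illustration, not part of the Symantec advisory: it parses an RFC 822 message with the standard library, matches the subject line and attachment name given above, and, going one step beyond the advisory, quarantines any message carrying an executable attachment, since a variant only has to rename Christmas.exe to slip past an exact-name match. The sample messages are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
MALDAL_SUBJECT = "Happy New Year"
MALDAL_ATTACHMENT = "christmas.exe"

# Generalisation beyond the advisory: executable attachments of any name
# are quarantined, because the worm's file name is trivial to change.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachment_names(msg):
    """Collect the file names of every part that carries one."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def classify_message(raw_bytes):
    """Return (verdict, reasons) for a raw message; verdict is 'quarantine' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [n.lower() for n in attachment_names(msg)]
    reasons = []

    # Exact match on the advisory's indicators.
    if subject == MALDAL_SUBJECT and MALDAL_ATTACHMENT in names:
        reasons.append("matches W32.Maldal.C@mm subject and attachment name")

    # Generic policy: no executable attachments at all.
    for name in names:
        if name.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable attachment: {name}")

    return ("quarantine" if reasons else "deliver", reasons)


def build_sample(subject, attachment_name):
    """Constructed test message (addresses and payload bytes are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "contact@example.test"
    msg["Subject"] = subject
    msg.set_content("Hii\nI can't describe my feelings\nBut all i can say is\n"
                    "Happy New Year :)\nbye\n")
    # A few placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att in (("Happy New Year", "Christmas.exe"), ("Lunch?", "notes.txt")):
        verdict, reasons = classify_message(build_sample(subj, att))
        print(f"{subj!r} / {att}: {verdict} {reasons}")
```

The subject comparison is exact because that is what the advisory gives; the attachment comparison is case-insensitive because Windows file names are. A production filter would also check the attachment's content type and size (the advisory lists the worm body as 37,376 bytes) rather than the file name alone.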
It then changes the name of the computer to Zacker by modifying the value of:
ComputerName
to
Zacker
in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
It also adds the value
Zacker %SYSTEM%\Christmas.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time that you start Windows.
Next, the worm changes your Internet Explorer home page to a malicious page that was created by the author of the
worm. This page will be detected as JS.Exception.Exploit, even when using virus definitions dated prior to
December 18, 2001.
Next, the worm will display a window with the text: "From the heart. Happy new year !"
Finally, the worm disables the keyboard. This means that the keyboard cannot be used until the computer is
restarted without the worm being executed.
The Webpage
The webpage that this worm sets as the Internet Explorer start page is malicious. When visited, it contains
code that will create the file %Windows%\Rol.vbs. This file will then be executed.
Rol.vbs
When this Visual Basic script is executed, it does the following:
1. Sets the Internet Explorer home page to a page that contains a shockwave flash video.
2. Copies itself to %SYSTEM%\Zacker.vbs.
NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default this is
C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
3. Creates the file %SYSTEM%\Dalal.htm. This page contains a string that will be appended to .html, .htm, and
.asp files.
4. Deletes several antivirus and security products. Norton Antivirus will be deleted if it is located in
\Program Files\Norton Antivirus (on any drive).
5. Infects .html, .htm, and .asp files.
6. Overwrites files that have the following extensions:
.lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3, .mdb, or .swf
with a copy of Zacker.vbs.
7. If Mirc.ini is found, all .ini files in that folder will be overwritten with a string that will cause an
infected computer to send the URL to other users over the IRC network.
8. Finally, the worm will display a political message and attempt to exit Windows.
Removal instructions:
To remove this worm, delete files that are detected as W32.Maldal.C@mm or JS.Exception.Exploit, repair files
detected as W32.Maldal.C@mm(html), and reverse the changes that it made to the registry.
To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on
how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Maldal.C@mm or JS.Exception.Exploit.
5. If any files are detected as infected by W32.Maldal.C@mm(html), click Repair.
NOTE: If the worm has executed and has disabled the keyboard, you must restart the computer in Safe
mode before you can edit the registry. For instructions, read the document How to restart Windows 9x
or Windows Me in Safe Mode.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before you make any changes.
Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure
that you modify only the keys that are specified. Please see the document How to back up the Windows
registry before you proceed. This document is available from the Symantec
Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document
927002.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3.
4. Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the following value:
Zacker %SYSTEM%\Christmas.exe
6. (Optional). Navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
7. In the right pane, double-click the value:
ComputerName
and change it from Zacker to the desired name.
8. Click Registry, and then click Exit.
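The two registry changes described in the technical description (the Zacker value under the Run key and the ComputerName set to Zacker) are the same two items the procedure above reverses by hand. The following Python script is an added example, not part of the Symantec advisory: it parses a Registry Editor export (the text produced by exporting the two keys from regedit, or by `reg export` on later Windows versions), reports whether either indicator is still present after cleanup, and writes a .reg file that removes the Run value and restores a computer name of your choosing. The export text below is constructed for the demonstration; the restored name is a parameter, since the advisory leaves it to you. The .reg file is only meant to be applied after the file detected as W32.Maldal.C@mm has been deleted, as in the removal steps.

```python
import re

# Keys named in the advisory (single backslashes; regedit shows them this way).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NAME_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"

# Constructed sample of a regedit export from an infected machine.
# Inside .reg string data a backslash is written doubled.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Zacker"="C:\\WINDOWS\\SYSTEM\\Christmas.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="Zacker"
'''

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value name: string data}}.

    Only quoted string (REG_SZ) values are decoded, which is all this check needs.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name, data = match.group(1), match.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # undo the doubled backslashes
            keys[current][name] = data
    return keys


def find_maldal_indicators(text):
    """Return a list of (where, value name, data) for each indicator still present."""
    keys = parse_reg_export(text)
    findings = []
    run_values = keys.get(RUN_KEY.lower(), {})
    if run_values.get("Zacker", "").lower().endswith("christmas.exe"):
        findings.append(("Run value", "Zacker", run_values["Zacker"]))
    computer_name = keys.get(NAME_KEY.lower(), {}).get("ComputerName")
    if computer_name == "Zacker":
        findings.append(("ComputerName", "ComputerName", computer_name))
    return findings


def cleanup_reg(findings, restored_name):
    """Build a .reg file reversing the findings; '"name"=-' deletes a value when imported."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    kinds = {where for where, _, _ in findings}
    if "Run value" in kinds:
        lines += [f"[{RUN_KEY}]", '"Zacker"=-', ""]
    if "ComputerName" in kinds:
        lines += [f"[{NAME_KEY}]", f'"ComputerName"="{restored_name}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_maldal_indicators(SAMPLE_EXPORT)
    for where, name, data in found:
        print(f"{where}: {name} = {data}")
    if found:
        print(cleanup_reg(found, "WORKSTATION1"))   # hypothetical restored name
```

Running the check a second time on a fresh export after importing the generated .reg file should return no findings; if the Run value reappears, the worm executable was not actually removed and is recreating it at startup.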