Type: Win32 worm
Date: 21 February 2002
Sophos has received several reports of this worm from the wild.
W32/Maldal-I is an email worm. It arrives in an email with one of the following subject lines:
"Fwd:Wow , We are the same !"
"Fwd: [Muzicana-Group] Download what you want"
"Zakia Zakaria & Najati "
"Fwd:The demand of sex ... where does it lead us to ?"
"Take a picture for your self (Don't be mad its only a joke)"
"Fwd:Is there any true love ?"
"Fwd:Have u ever seen your face?! (Funny)"
"Fwd:Against the power of women"
"Fwd:Fwd:If you care about your wife"
"Fwd:Say 'I Love You' in 300 languages"
"Fwd:Send it to every body you love "
"Fwd: Let's Dance & forget pains"
"Fwd: [sex-is] HoT MoVies"
"Fwd: [SpanishGirlsGroup] Hola ..."
"Fwd: [LsbianLovers-group] Lick my asshole"
"Fwd:[Anal-sex-team] OOOH Faster"
"Fwd: [PussyLand-egroup] How sweet..."
"Fwd: [DrFun-egroup] Let's Laugh"
"Fwd: [FuNnY-egroup]Hehehehehe damn"
"Fwd: [SexyGurls-egroup] Raping a little girl"
"Fwd: [Scr-News-egroup] Have u ever seen BLOOD"
"Fwd: [Yabdoo-egroup]For HaCkers Lovers"
"Fwd: [Jews-egroup] Sharoon Owns The World"
"Fwd: [FunMaiL-group]Bush under bin laden's **** !!!"
"Fwd: [Teen-egroup] Three Ways For Love"
"Fwd: [RomanticLife-group] Learn How To Love ..."
"Fwd: [Gays-egroup]Oh Shittttt"
"Fwd:Remember our survivors"
"Fwd: [JewsFood-egroup] Dogs Meat !!!"
"Fwd: [PianoMoZart-egroup] Wow Romantic"
"Fwd:Tonight is... The Night Of Sex"
"Fwd: Are you looking for FUN !!!?"
"Fwd: [PussyPiss-egroup] Piss On my face :O"
"Fwd: [Finance-group] Do you wanna be a rich man?"
"Fwd: [lovedreams-egroup] love speaks from the heart ..."
"Fwd:Change your life with Dr.Jobreee"
"Fwd: [TeroNews-Group] Too Late ... Bin Laden has been killed"
"Fwd: [Pc.CLup-Group] Learn how to deal with DOS"
"Fwd:[RapingTeen-eGroup] Oh My God !!!"
"Fwd: The rights of women !!! "
The body text of the email is likely to be blank and the filename of the attachment is most likely to be PROGRAM.EXE.
The worm can extract email addresses from web pages on the hard drive as well as from the Microsoft Outlook address book.
When first run W32/Maldal-I will set the registry key
When next run it will display a box with a black background and red text stating:
"Sorry you have not registered
Please contact us"
along with some phone numbers, email addresses and instructions on how to subscribe. It will then set the registry key
The worm will create several entries in the registry Run key, all pointing to copies of itself scattered over the hard disk, although it may not actually create the associated files.
Five minutes after being run, the worm may display a black background with the following text in red letters:
ZaCker Is N YoUr MaChiNe
Read the analysis at
well there's just some really sick bastards out there :-(
"The price of freedom is eternal vigilance."
- Thomas Jefferson
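A mail-filter check built from the three indicators the advisory above gives (listed subject line, blank body, attachment named PROGRAM.EXE), as an added example that is not code from Sophos or from the poster. The function names, the two-of-three threshold and the sample messages are assumptions made for illustration; only a few of the listed subjects are included.

```python
import email
from email import policy
from email.message import EmailMessage

# A few of the subject lines listed in the advisory, stored normalised.
KNOWN_SUBJECTS = {
    "fwd:wow , we are the same !",
    "fwd:is there any true love ?",
    "fwd: let's dance & forget pains",
    "fwd:remember our survivors",
}
ATTACHMENT_NAME = "program.exe"  # attachment name given in the advisory

def normalise(subject):
    """Collapse whitespace and lowercase so trivial variations still match."""
    return " ".join((subject or "").split()).lower()

def maldal_indicators(raw_bytes):
    """Return which of the advisory's three indicators a raw message shows."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if normalise(msg["Subject"]) in KNOWN_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("blank_body")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if ATTACHMENT_NAME in names:
        hits.append("attachment")
    return hits

def is_suspect(raw_bytes):
    """The advisory hedges each indicator ("likely"), so require two of three."""
    return len(maldal_indicators(raw_bytes)) >= 2

def build_sample(subject, body, attachment_name=None):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("Fwd:Wow , We are the same !", "\n", "PROGRAM.EXE")
    benign = build_sample("Quarterly report", "See attached.\n", "report.pdf")
    print(maldal_indicators(worm_like), is_suspect(worm_like))
    print(maldal_indicators(benign), is_suspect(benign))
```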