Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: HIGH
Payload: Deletes files
Detection files published: 20 Feb 2002 03:00:00
Description created: 20 Feb 2002 03:11:00
Description updated: 22 Feb 2002 01:24:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Maldal.I@mm

Spreading

Upon execution, the program shows a message box with red letters on a black background.



Then the worm copies itself to the Windows directory as HIDE.PIF and ZACKER.PIF, and to the Windows system directory as ZACKER.PIF.

In addition, it copies itself into all directories, naming each copy after the directory and giving it the extension *.PIF. As a side effect, the worm is visible in, and can be run from, the Start Menu. These copies are also referenced from the registry, so that the worm is started at bootup.

When the worm is started directly from any location, it may delete all unlocked files in the current directory.

Some time after it has finished copying, it replaces the desktop background with a large red-on-black message, "ZaCker Is N YoUr MaChiNe".



The worm searches the Outlook address book and HTML files for email addresses to send itself to.
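
The file naming described above (HIDE.PIF, ZACKER.PIF, and a .PIF copy named after each directory) lends itself to a simple triage sweep. The following is an added example, not part of the original description or any vendor tool: it walks a directory tree, collects .PIF files that match the naming, and groups them by content hash so that identical copies stand out. The function names, the two-copy threshold, and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

FIXED_NAMES = {"HIDE.PIF", "ZACKER.PIF"}  # file names given in the description


def find_pif_artifacts(root):
    """Return {sha256: [paths]} for .PIF files that match the described naming."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        dirname = os.path.basename(os.path.normpath(dirpath)).upper()
        for name in files:
            upper = name.upper()
            if not upper.endswith(".PIF"):
                continue
            if upper in FIXED_NAMES or upper[:-4] == dirname:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                groups[digest].append(path)
    return dict(groups)


def likely_worm_copies(root, min_copies=2):
    """Keep only content that appears under several matching names (assumed threshold)."""
    return {h: sorted(p) for h, p in find_pif_artifacts(root).items() if len(p) >= min_copies}


def build_sample_tree():
    """Constructed sample tree with harmless placeholder bytes, not a real sample."""
    root = tempfile.mkdtemp()
    for rel in ("Windows/HIDE.PIF", "Windows/System/System.pif", "Programs/Programs.pif"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder content")
    # Controls: an unrelated shortcut, and a directory-named .PIF with unique content.
    os.makedirs(os.path.join(root, "Games"))
    for rel, data in (("Programs/Editor.pif", b"unrelated"), ("Games/Games.pif", b"unique")):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for digest, paths in likely_worm_copies(build_sample_tree()).items():
        print(digest[:16], len(paths), "copies:", *paths, sep="\n  ")
```

A directory-named .PIF with unique content (Games.pif in the sample) is still returned by `find_pif_artifacts` for manual review; only `likely_worm_copies` filters it out.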



Payload Details

The file deletion seems to be triggered when the worm is started directly from any location. Since the worm is visible in the Start Menu, this often has the side effect that Start Menu entries will disappear.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14