Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: Shows message box. Sets registry keys.
Detection files published: 01 Feb 2002 03:00:00
Description created: 30 Jan 2002 05:46:00
Description updated: 19 Feb 2002 04:33:00
Malware type: WORM
Alias: PE_MARI.A, W32/Mari@mm
Spreading mechanism: EMAIL
Summary: None

W32/Mari.E@mm

Spreading

The worm copies itself to the Windows directory under the name SYSTEM32.EXE. It creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM32 = %WINDOWS%\SYSTEM32.exe in order to load the worm on startup. It then sends itself to all users in the Outlook address book.

Payload Details

The worm has a small graphical "payload". In the taskbar there will be a small picture of a hemp leaf. If this leaf is clicked on, a message box (full of spelling errors) will be shown:


IMPORTANT: PLEASE READ

I wante??Steve from skatedork.com to get some real people to come *?? his crappy site*...I mean he needs the help this site sux as?bad as wwwskatedork.org/fifteen sorry to have messed with y??r comp but?, I didnt install any mallice virii options like i could have now did i? so please stay: calm my beef is not with you! to have this virus removed email steve@skatedork.org and say LAIM owns you and then he'll tell ?ou. *THAT* sleasey (I will email him the ins?ructions). I really do think that steve still owes me an appology and if i dont get it soon i will see to it that some serious damage will occur! !unt?? next time have a ni?e day ???????. tell steve thatLAIM said high ok? bye b?e nows the skatedork.com virus!!!!* because it's more then that, it's a message, a message for freedom, the freedom to skate or die i wont go away!!!!!! heh*WWW.SKATEDORK.ORG*GOTO skatedork now or you wi??l never rid yourself of this !!!!!!.


The worm also adds the following registry entries:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEM32=C:\Windows\SYSTEM32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization=Skater's Pot Palace.

HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner=Im A Pot Head!

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page=http://skatedork.org

HKCU\Software\Microsoft\Internet Explorer\Main\Window Title=LaImRuLeZ Explorer (LEGALIZE IT!!!)
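
The registry entries above can be checked offline against an exported registry file. The following is an added example, not part of the original description or of any vendor tool: it parses .reg export text and reports the values that match the entries listed on this page. The function names and the sample export are constructed for illustration, and only string values are parsed.

```python
import re

HKLM_CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
HKCU_IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
# (key, value name, predicate on the data), all taken from the entries listed above.
INDICATORS = [
    (HKLM_CV + r"\Run", "SYSTEM32", lambda d: d.lower().endswith(r"\system32.exe")),
    # The page prints a trailing period after this value; accept it with or without.
    (HKLM_CV, "RegisteredOrganization", lambda d: d.rstrip(".") == "Skater's Pot Palace"),
    (HKLM_CV, "RegisteredOwner", lambda d: d == "Im A Pot Head!"),
    (HKCU_IE, "Start Page", lambda d: "skatedork.org" in d.lower()),
    (HKCU_IE, "Window Title", lambda d: d.startswith("LaImRuLeZ Explorer")),
]
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg export text into {(key, value name): data}, string values only."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry paths are case-insensitive
        elif key and (m := STRING_VALUE.match(line)):
            # Undo .reg escaping: \\ -> \ and \" -> "
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[(key, name.lower())] = data
    return values

def find_mari_e(reg_text):
    """Return the (key, name, data) triples that match this page's indicators."""
    values = parse_reg(reg_text)
    hits = []
    for key, name, matches in INDICATORS:
        data = values.get((key.lower(), name.lower()))
        if data is not None and matches(data):
            hits.append((key, name, data))
    return hits

# Constructed sample export: three worm values, one benign Run entry, a clean Start Page.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Im A Pot Head!"
"RegisteredOrganization"="Skater's Pot Palace"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SYSTEM32"="C:\\Windows\\SYSTEM32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''
```

Calling find_mari_e(SAMPLE) returns the Run, RegisteredOrganization and RegisteredOwner entries and skips the benign SystemTray and Start Page values.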

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15