|
A new variant of the Maldal worm entices users with a range of provocative subject lines. According to antivirus vendor Sophos, the subject lines will be one of the following:
"Fwd: WoOoOoOow"
"Fwd:Wow , We are the same !"
"Fwd: [Muzicana-Group] Download what you want"
"Zakia Zakaria & Najati :P"
"Fwd:The demand of sex ... where does it lead us to ?"
"Take a picture for your self (Don't be mad its only a joke)"
"Fwd:Is there any true love ?"
"Fwd:Have u ever seen your face?! (Funny)"
"Fwd:Against the power of women"
"Fwd:Fwd:If you care about your wife"
"Fwd:Say 'I Love You' in 300 languages"
"Fwd:Send it to every body you love ;)"
"Re:Fwd:Romantic Day"
"Fwd: Let's Dance & forget pains"
"Fwd:Loneliness ..."
"Fwd: [sex-is] HoT MoVies"
"Fwd: [SpanishGirlsGroup] Hola ..."
"Fwd: [LsbianLovers-group] Lick my asshole"
"Fwd:[Anal-sex-team] OOOH Faster"
"Fwd: [PussyLand-egroup] How sweet..."
"Fwd: [DrFun-egroup] Let's Laugh"
"Fwd: [FuNnY-egroup]Hehehehehe damn"
"Fwd: [SexyGurls-egroup] Raping a little girl"
"Fwd: [Scr-News-egroup] Have u ever seen BLOOD"
"Fwd: [Yabdoo-egroup]For HaCkers Lovers"
"Fwd: [Jews-egroup] Sharoon Owns The World"
"Fwd: [FunMaiL-group]Bush under bin laden's cock !!!"
"Fwd: [Teen-egroup] Three Ways For Love"
"Fwd: [RomanticLife-group] Learn How To Love ..."
"Fwd: [Gays-egroup]Oh Shittttt"
"Fwd:Remember our survivors"
"Fwd: [JewsFood-egroup] Dogs Meat !!!"
"Fwd: [PianoMoZart-egroup] Wow Romantic"
"Fwd:Tonight is... The Night Of Sex"
"Fwd: Are you looking for FUN !!!?"
"Fwd: [PussyPiss-egroup] Piss On my face :O"
"Fwd: [Finance-group] Do you wanna be a rich man?"
"Fwd:"
"Fwd: [lovedreams-egroup] love speaks from the heart ..."
"Fwd:Change your life with Dr.Jobreee"
"Fwd: [TeroNews-Group] Too Late ... Bin Laden has been killed"
"Fwd: [Pc.CLup-Group] Learn how to deal with DOS"
"Fwd:[RapingTeen-eGroup] Oh My God !!!"
"Fwd: The rights of women !!! "
The body of the email is generally blank and the attachment is generally named PROGRAM.EXE. Sophos notes when the attachment is opened, it first creates the registry entry HKey_Local_Machine\Shadup and, when next run, it displays a black dialog box containing red text which states in part:
"Sorry you have not registered
Please contact us"
The dialog also includes a few phone numbers, email addresses, and instructions for subscribing. It then sets another registry key, HKey_Local_Machine\e5zemha. Several entries are also made in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, which may or may not be associated with actual files created by the worm. A second dialog similar to the first may occur five minutes after being run, this time displaying the following text:
ZaCker Is N YoUr MaChiNe
Removing the worm
Considering the random nature of the registry keys and the randomness of the dropped worm files, it is recommended that antivirus software (updated on or after February 21, 2002) be used to effectively remove Maldal.I. As with all email worms, prevention is the key. Graham Cluley, Senior Technology Consultant for Sophos Anti-Virus notes, "If you're in the habit of sharing salacious material, joke programs
and risque content then maybe you shouldn't be too surprised if one day a
virus takes advantage of this. If you must indulge in lewd humour -
leave it in the locker room. There's no place for it in the workplace,
particular as it might hide a destructive virus".
|
