Maxima Screensaver Worm
Malicious screensaver drops Back Orifice Trojan

Thought to be named after Princess Maxima, the lovely Argentine bride of the Netherlands crown prince, Willem Alexander, the Maxima Screensaver worm (Zoek.d worm, a.k.a. Tcasut) arrives via email with the subject line "Maxima Screensaver!" and carries either an attachment named "screenmaxima.scr" or a URL pointing to a copy of that file. The website found to be hosting the file has been shut down, though the file can still be received as an email attachment. An earlier variant, first noted in May 2002, carried an attachment named "postresults.zip".

If the attachment is opened, the worm blacks out the screen (as if it were a screensaver) and displays the dialog "One moment please", after which a large button prompts "Windows Restart?" (clicking it reboots the system). In the interim, the worm emails itself to others via the Outlook/Outlook Express mail clients (the SMTP header of this email is "x-mailer: scriptkiddie"). Also prior to the reboot, the worm copies itself to C:\Windows\ as tcasuta.exe, drops several additional files on the system (some hidden) and adds the following registry value so that it is activated after the system is rebooted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run     "tcasuta.exe = c:\windows\tcasuta.exe dec"

After the system has rebooted, the above registry value activates the worm, which then decodes hoen.txt to extract hoen.exe, which in turn copies itself to the C:\Windows\System directory as tcasutb.exe. At this stage the original registry modification is deleted. The file tcasutb.exe is a variant of Back Orifice, a remote access Trojan that the Cult of the Dead Cow claims is a legitimate tool. The Trojan listens on port 33530 and allows attackers to perform virtually any action on the infected system with the same rights as the legitimate user who is signed on.

Also hidden inside "screenmaxima.scr" is a bound PE component named Rattler. This component emails information from the infected system to a remote email address. Additionally, there is an attempt to connect to a specific IP address which resolves to a host in the Netherlands.

Messages generated by the worm can be blocked generically at the mail gateway by filtering on the SMTP header "x-mailer: scriptkiddie".
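As an added example (not part of the original article), the gateway filter described above can be expressed with Python's standard `email` library: it flags a message on the "x-mailer: scriptkiddie" header and, as secondary indicators, on the subject line and attachment names the article lists. The sample messages are constructed here for illustration; `example.invalid` addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
WORM_XMAILER = "scriptkiddie"
WORM_SUBJECT = "maxima screensaver!"
WORM_ATTACHMENTS = {"screenmaxima.scr", "postresults.zip"}


def classify_message(raw: bytes) -> list[str]:
    """Return the Maxima indicators matched by a raw RFC 822 message.

    An empty list means nothing fired. Comparisons are case-insensitive
    because clients and gateways normalise header values differently.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    xmailer = (msg.get("X-Mailer") or "").strip().lower()
    if xmailer == WORM_XMAILER:
        hits.append("x-mailer")
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == WORM_SUBJECT:
        hits.append("subject")
    # iter_attachments() yields nothing for a non-multipart message.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in WORM_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    return hits


def build_sample(with_xmailer: bool) -> bytes:
    """Construct a message shaped like the worm's email (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"
    msg["To"] = "friend@example.invalid"
    msg["Subject"] = "Maxima Screensaver!"
    if with_xmailer:
        msg["X-Mailer"] = "scriptkiddie"
    msg.set_content("Check out this screensaver!")
    # Dummy bytes standing in for the .scr payload; only the name matters here.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="screenmaxima.scr")
    return msg.as_bytes()
```

A gateway rule would quarantine on the "x-mailer" hit alone; the subject and attachment checks only add confidence.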

Removing the worm
Delete the value "tcasutb.exe = c:\windows\system\tcasutb.exe" from the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

After deleting the aforementioned value, search for and delete the following files:

tcasutb.exe
tcasuta.exe
accountboy.ini
attachready.ini
hoen.txt
ipinfo.txt
mailboy.ini
mailready.ini
passboy.ini
ratmailready.ini
secretsmailready.ini
tcasuta.txt

It may be necessary to reboot into DOS mode to remove tcasutb.exe, which is the actual Trojan.

©2009 About.com, a part of The New York Times Company.

All rights reserved.