W32/Magold-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports
Protection available since: 23 Jun 2003 00:00:00 (GMT)
Last Updated: 23 Jun 2003 00:00:00 (GMT)


W32/Magold-D is a memory resident worm that uses email, IRC channels, network shared drives and P2P network shares to spread.

The worm arrives in an email message with subject line and message text of non-Roman characters.

If the viral attachment is run, W32/Magold-D displays the message box "DirectX Error! Address:19851022" and copies itself to C:\<Windows>\dreAd.exe, C:\<Windows>\dreAd\Maya Gold.scr, C:\<Windows>\Maya Gold.scr and C:\<System>\wdread.exe.

During the execution of the email routine, the worm sends a notification message to the virus writer containing the IP address, username, computer name and available shares of the infected machine.

W32/Magold-D uses the Windows Address Book and HTML files found on the local drive to retrieve email addresses that will be used to send the worm message. All addresses found are stored in the file ravec.txt that will be saved by the worm in the Windows folder.

The worm may create a folder dreAd in the Windows folder and attempt to register the folder in the registry as one used as a file repository for a number of P2P clients.

W32/Magold-D searches for and terminates processes that belong to several anti-virus products.

The worm changes the following registry entries so that the worm file dreAd.exe is run before any file with the extension EXE, PIF, COM, SCR and BAT:

HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command

W32/Magold-A also creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
so that the worm file dreAd.exe is run on Windows startup.

The registry entry HKLM\Software\dreAd is used by the worm to store data used internally by the worm.

The worm contains several randomly triggered payload routines such as opening the CD-ROM drive tray, changing the Windows colour scheme, restricting the movement of the mouse pointer to the lower part of the screen, opening the web page http://www.offspring.com, writing the text "=:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)" to the caption area of the topmost window and creating a large number of zero-byte text files on the Desktop.

W32/Magold-D may also send Hungarian text to the default printer and may attempt to delete all files with the extension BMP, GIF and JPG from the hard drive.

The worm may attempt to copy itself to all local drives, shared network drives and floppy disks (if one is in the floppy disk drive) as Maya Gold.scr and may create the file autorun.inf so that the worm file is run automatically when the drive is opened using Explorer if the autorun feature is enabled.

On an infected computer, the two copies of the worm dreAd.exe and wdread.exe run in the background as processes and monitor each other so that if one is terminated, the other restarts it immediately. Furthermore, the registry entries created above are also monitored such that a registry value is immediately restored if it was changed.
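The following read-only audit script is an added example, not Sophos' code, that checks a Windows host for the indicators listed above: the five shell\open\command hijacks, the raVe Run value, the HKLM\Software\dreAd key, the dropped files, the two mutually restarting processes and any autorun.inf pointing at the worm's screensaver. It assumes <Windows> is $env:windir and <System> is its System32 subfolder.

```powershell
# Added example (not from the original description): audit a host for
# W32/Magold-D indicators. It only reports; it does not remove anything.
$win = $env:windir
$sys = Join-Path $win 'System32'   # assumption: <System> is System32 here

# 1. Shell-open hijack: the (Default) value normally reads "%1" %*,
#    not a path to dreAd.exe.
$hijacked = foreach ($ext in 'exefile','comfile','piffile','batfile','scrfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$ext\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'dread') { "$key = $cmd" }
}

# 2. Startup persistence (Run\raVe) and the worm's private data key
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal  = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).raVe
$dataKey = Test-Path 'HKLM:\SOFTWARE\dreAd'

# 3. Dropped copies of the worm and its harvested-address file
$dropped = @("$win\dreAd.exe", "$win\dreAd\Maya Gold.scr",
             "$win\Maya Gold.scr", "$sys\wdread.exe", "$win\ravec.txt") |
           Where-Object { Test-Path $_ }

# 4. The two processes that restart each other when one is killed
$procs = Get-Process -Name dreAd, wdread -ErrorAction SilentlyContinue

# 5. autorun.inf on any drive that launches the worm's .scr copy
$autorun = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if ((Test-Path $inf) -and
        (Select-String -Path $inf -Pattern 'Maya Gold' -Quiet)) { $inf }
}

[pscustomobject]@{
    ShellOpenHijacks    = $hijacked
    RunValue_raVe       = $runVal
    HKLM_Software_dreAd = $dataKey
    DroppedFiles        = $dropped
    RunningProcesses    = $procs.Name
    AutorunInf          = $autorun
}
```

Because dreAd.exe and wdread.exe restore the registry values and restart each other, any cleanup must stop both processes (for example by booting into Safe Mode) before the shell\open\command values are repaired, otherwise the changes are reverted immediately.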
