Summary

| Protection available since | 28 September 2003 09:46:47 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Windows XP/2000/2003
Renaming the registry editor
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.cmd.
- Go to Start|Shut Down.
- Select Restart from the drop down list and click OK. Windows will restart.
- Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows XP/2000/2003, press F8".
- In the Windows XP/2000/2003 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
At the infected computer, place the CD in the CD drive (D: in this example).
At the command prompt type:
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
You will also need to edit the following registry entries. Please read the warning about editing the registry.
At the command prompt type 'Regedit.cmd' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the following HKEY_CLASSES_ROOT entries:
HKCR\exefile\Shell\Open\Command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
Typically an unaltered registry entry will be set to:
HKCR\???file\shell\open\command\(default) = "%1" %*
the altered registry entry will be:
HKCR\???file\shell\open\command\(default) = C:\WINDOWS\<filename>.exe /exec:"%1" %*
Delete only the text C:\WINDOWS\<filename>.exe /exec: where <filename> is the name of the worm file. Do not delete anything else.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
and delete it if it exists.
Close the registry editor.
Delete the file ravec.txt in the Windows folder.
Check the copy of Autorun.inf in the root folder and delete it if it contains a reference to the worm.
Windows 95/98/Me
Restart the computer in MS-DOS mode.
Note: starting a Command Prompt (a DOS window) is not enough.
- At the Taskbar, select 'Start' then 'Shut Down'.
- Choose the option 'Restart the computer in DOS mode'.
At the DOS prompt, type:
C:
CD \PROGRA~1\SOPHOS~1
SWEEP *: -REMOVEF
Say 'Yes' when prompted to delete a file (provided it is a W32/Magold-A file). Make a note of its name.
Reboot to Windows.
At a clean computer with the same operating system, copy the following keys:
HKCR\exefile\Shell\Open\Command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
as .REG files. Use different names for each file. Import them to the infected computer. See here for instructions on how to do this.
Delete the file ravec.txt in the Windows folder.
Check the copy of Autorun.inf in the root folder and delete it if it contains a reference to the virus.
Windows NT
Please contact technical support.
Other platforms
Please follow the instructions for removing worms.
More Information
W32/Magold-A is a memory resident worm that uses email, IRC, network shared drives and P2P network shares to spread.
The worm arrives in an email message with the following characteristics:
Sender: "EROTIKA.LAP.HU"<erotika@lap.hu>
Subject line: Maya Gold-os kepernyokimelo!
Message text: Tisztelt cim!
Az EROTIKA.LAP.HU nezettsegenek novelese erdekeben egy
kis izelitot kivan adni kinalatabol az Internet felhasznaloknak!
FIGYELEM: A 'Maya Gold.scr' nevu csatolt allomany egy
kepernyovedo.
Mint a neve is mutatja Maya Gold pornoszinesznorol tartalmaz
kulonbozo kepeket.Az allomanyt ajanlott elobb a lemezre menteni,
majd utana futtatni.
Amennyiben valami problamaja, kardase van, irjon a kovetkezo
cimre:
erotika@lap.hu
Attached file: Maya Gold.scr
If the viral attachment is run, W32/Magold-A displays the message box "DirectX Error! Address:0002R1A9V8E52000" and copies itself into the Windows folder with the filenames raVe.exe and Maya Gold.exe.
During the execution of the email routine the worm sends a notification message to the virus writer containing the IP address, username, computer name and available shares of the infected computer. W32/Magold-A uses the Windows Address Book and HTML files found on the local drive to retrieve email addresses that will be used to send the viral message.
All email addresses found are stored in the file ravec.txt, saved by the worm in the Windows folder.
The worm may create a folder Rave in the Windows folder and attempt to register the folder in the registry as the default folder used as a file repository by several P2P clients.
W32/Magold-A searches and terminates processes that belong to several Anti-Virus products.
The worm changes the following registry entries so that the worm file raVe.exe is run before any file with the extension EXE, PIF, COM, SCR and BAT:
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
W32/Magold-A also creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
so that the worm file is run on Windows startup.
The registry entry HKLM\Software\raVe contains the data used internally by the worm.
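As an added example (not part of the Sophos description): a Python check that parses a regedit export of the five file-class handlers and the Run key described above and in the removal instructions, flags a default value carrying the prepended <path>.exe /exec: launcher, and reports the repaired value (the original "%1" %*) so that only the prepended text is removed; any other unexpected value is flagged for manual review. The embedded .REG sample, the worm path in it and the function names are assumptions.

```python
import re
# Constructed regedit export (sample data, not from the page): one hijacked
# handler, one clean one, and a worm-style Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\raVe.exe /exec:\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\raVe.exe"
'''
FILE_CLASSES = ("exefile", "comfile", "piffile", "batfile", "scrfile")
CLEAN_COMMAND = '"%1" %*'  # unaltered (default) value, as given on the page
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HIJACK = re.compile(r'^(?P<prefix>.*?\.exe /exec:)(?P<rest>.*)$', re.I)  # <path>.exe /exec: + original

def parse_reg(text):  # string values only -> {key(lowercased): {name: value}}
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            entries.setdefault(key, {})
        elif key and "=" in line and line.endswith('"'):
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "@" is the (default) value
            entries[key][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # undo .REG escaping
    return entries

def check_handlers(entries):  # -> list of (key, status, detail, repaired_value)
    findings = []
    for cls in FILE_CLASSES:
        key = "hkey_classes_root\\" + cls + "\\shell\\open\\command"
        value = entries.get(key, {}).get("")
        if value is None or value == CLEAN_COMMAND:
            continue  # not exported, or already the clean value
        m = HIJACK.match(value)
        if m and m.group("rest") == CLEAN_COMMAND:
            # Deleting only the prepended text restores the original handler.
            findings.append((key, "hijacked", m.group("prefix"), m.group("rest")))
        else:
            findings.append((key, "unexpected", value, None))  # review by hand
    for name, value in entries.get(RUN_KEY, {}).items():
        if name.lower() == "rave":
            findings.append((RUN_KEY + "\\" + name, "startup-entry", value, None))
    return findings
```

Run it against a fresh regedit export of the keys listed above; a "hijacked" finding gives the exact prefix to delete and the value that should remain.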
W32/Magold-A contains several randomly triggered payload routines with various effects, such as opening the CD-ROM drive tray, changing the Windows colour scheme, restricting the movement of the mouse pointer to the lower part of the screen, opening the web page http://www.offspring.com, writing the text "=:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)" to the caption area of the active window and creating a large number of zero bytes long text files on the desktop.
W32/Magold-A may also attempt to send a Hungarian text to be printed on the default printer and attempt to delete all files with the extension BMP, GIF and JPG from the drive.
The worm may attempt to copy itself to all local drives, shared network drives and floppy disks (if one is in the floppy disk drive) as Maya Gold.scr and create the file autorun.inf so that the worm file is run automatically when the drive is opened using Explorer and the Autorun feature enabled.
