Sophos

W32/Malas-A

Aliases
  • P2P-Worm.Win32.Malas.b
  • W32/Bindo.worm
  • Win32/Malas.C
  • worm

Summary

How it spreads
  • Removable storage devices
  • Network shares
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 19 November 2007 18:43:00 (GMT)
Last updated 1 March 2008 14:40:17 (GMT)
Detected by All Sophos products

More Information

W32/Malas-A is a companion virus for the Windows platform that also attempts to spread via P2P, to network shares, and to removable drives.

When first run W32/Malas-A copies itself to:

<Temp>\svchost.exe
<Common Files>\Microsoft Shared\MSshare.exe
<Program Files>\Sound Utility\Soundmax.exe
<Windows>\Web\OfficeUpdate.exe
<Program Files>\XPCode\SexScreenSaver.scr
<Program Files>\XPCode\SexGameList.pif
<Program Files>\XPCode\SexGame.exe

W32/Malas-A also attempts to copy itself to the following folders with the filenames Sex_ScreenSaver.scr and Sex_Game.exe:

<Program Files>\Kazaa Lite\My Shared Folder
<Program Files>\Kazaa\My Shared Folder
<Program Files>\Edonkey2000\Incoming
<Program Files>\Icq\Shared Files
<Program Files>\emule\incoming
<Program Files>\Gnucleus\Downloads\Incoming
<Program Files>\KMD\My Shared Folder
<Program Files>\Limewire\Shared
C:\Inetpub\ftproot

W32/Malas-A creates or modifies the following shortcut files to point to <Common Files>\Microsoft Shared\MSshare.exe:

<Common Programs>\Accessories\Paint.lnk
<Common Programs>\Accessories\Calculator.lnk

W32/Malas-A creates the following shortcut file to point to <Windows>\Web\OfficeUpdate.exe:

<Common Startup>\Office Update.lnk

W32/Malas-A creates the following shortcut file to point to <Program Files>\XPCode\SexGame.exe:

<Program Files>\XPCode\Games.lnk

W32/Malas-A attempts to run OfficeUpdate.exe as a scheduled task daily at 11:30 and 20:30.

<Windows>\Web\OfficeUpdate.exe

W32/Malas-A attempts to share the folder <Program Files>\XPCode on the network with a shared name of "Software" and a description of "New Softwares".

W32/Malas-A attempts to copy itself to removable drives with the filename autoply.exe and drops the file Autorun.inf (also detected as W32/Malas-A) to run it automatically.

W32/Malas-A attempts to copy itself to the startup folder of all available network shares with the filename AdobeUpdate.exe.

W32/Malas-A searches network shares for files with an EXE extension, moving them to <original filename>lib.exe and copying itself in their place, while also dropping the shortcut file <original filename>.lnk to point to itself.

W32/Malas-A searches network shares for files with an MP3 or JPG extension, copying itself to zfile.exe in the same folder and dropping the shortcut file <original filename>.lnk to point to itself.

W32/Malas-A searches fixed drives for files called SETUP.EXE, moving them to setuplib.exe and copying itself in their place, while also dropping the shortcut file Setup.lnk to point to itself.
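As an added illustration (a hypothetical defensive helper, not Sophos' detection logic), the following Python function walks a folder tree looking for the companion pattern described above: a `<name>lib.exe` beside a replacement `<name>.exe` and `<name>.lnk`, or a `zfile.exe` beside an MP3/JPG with a `.lnk` named after it. The sample share layout it builds is constructed data.

```python
from pathlib import Path
import tempfile

MEDIA_EXTS = {"mp3", "jpg"}


def find_companion_indicators(root):
    """Return sorted (kind, path) pairs for W32/Malas-A-style companion files.

    Matching is case-insensitive, as on NTFS/SMB shares, so 'Setup.lnk'
    pairs with 'setup.exe'.
    """
    hits = set()
    root = Path(root)
    folders = {p.parent for p in root.rglob("*") if p.is_file()}
    for folder in folders:
        names = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}
        for name in names:
            stem, _, ext = name.rpartition(".")
            # Original moved to <name>lib.exe; <name>.exe and <name>.lnk now point at the worm
            if ext == "exe" and stem.endswith("lib") and len(stem) > 3:
                orig = stem[:-3]
                if f"{orig}.exe" in names and f"{orig}.lnk" in names:
                    hits.add(("replaced-exe", str(names[f"{orig}.exe"])))
            # Media lure: zfile.exe dropped beside the MP3/JPG with a .lnk named after it
            if ext in MEDIA_EXTS and "zfile.exe" in names and f"{stem}.lnk" in names:
                hits.add(("media-lure", str(names["zfile.exe"])))
    return sorted(hits)


def build_sample_share():
    """Create a temporary folder tree imitating an infected share (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="malas_demo_"))
    layout = {
        "tools": ["setup.exe", "setuplib.exe", "Setup.lnk"],  # replaced SETUP.EXE
        "music": ["song.mp3", "zfile.exe", "song.lnk"],       # media lure
        "clean": ["readme.exe", "notes.jpg"],                 # nothing to flag
    }
    for folder, files in layout.items():
        (root / folder).mkdir()
        for f in files:
            (root / folder / f).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for kind, path in find_companion_indicators(build_sample_share()):
        print(f"{kind}: {path}")
```

Point `find_companion_indicators` at a mounted share to triage it; a clean tree returns an empty list.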

W32/Malas-A may also drop the following clean HTML files, containing text in non-Roman characters:

<User Profile>\Desktop\Important.html
<User Profile>\My Documents\Important.html

W32/Malas-A attempts to create one of the following registry entries to run Soundmax.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SoundMax
<Program Files>\Sound Utility\Soundmax.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMax
<Program Files>\Sound Utility\Soundmax.exe

W32/Malas-A attempts to set the following registry entries, which disable System Restore and its configuration page:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT
DisableSR
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

W32/Malas-A attempts to set the following registry entries, which remove the Folder Options menu item and change Explorer's hidden-file and file-extension display settings:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Nofolderoptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Nofolderoptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
2

W32/Malas-A attempts to delete the following registry entries if they exist (the IsShortCut value controls the arrow overlay on shortcut icons, so removing it makes the dropped .lnk files look like ordinary files):

HKCU\lnkfile
IsShortCut

HKCU\piffile
IsShortCut

HKCU\InternetShortcut
IsShortCut

W32/Malas-A attempts to set a registry entry at the following location if the file <Windows>\system32\kbdfa.dll is found:

HKCU\Software\Wintek
Install
