Sophos

W32/Maldal-C

Aliases
  • W32/Reeezak.A@mm
  • I-Worm.Keyluc

Summary

 
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zacker = \Christmas.exe

and delete it if it exists.

Close the registry editor.

Reinstating your computer name and home page

Edit your Internet Explorer Start Page in Tools|Internet options|General.

Change your computer name back in My Computer|Properties|Network Identification. N.B. The name may appear to be correct, but you should still change it back so that it is updated in all places.

More Information

Please note: this worm was previously known as W32/Zacker-C.

W32/Maldal-C is a worm that attempts to spread using Microsoft Outlook or Microsoft Messenger.

The message has the following characteristics:

Subject: Happy New Year

Body text:
Hii
I can't describe my feelings
But all I can say is
Happy New Year:)
bye

Attachment: Christmas.exe

When first run, the worm copies itself into the Windows directory as Christmas.exe and creates the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zacker = \Christmas.exe,

so that it is run automatically each time Windows is restarted.

The program displays a picture of Santa with the message "From the heart, Happy new year!".

The worm changes the computer name and the default browser home page by setting the registry keys

HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName = Zacker

and

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start Page = http://geocities.com/jobreee/ZaCker.htm.

W32/Maldal-C also attempts to disable the keyboard.
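
One way to check a registry export (such as the Backup file made in the removal steps) for the three registry changes described above. This is an added example, not Sophos code; the function names and the sample export, including its C:\WINDOWS path, are constructed for illustration.

```python
import re

# Indicators from the description above: (key, value name, test on the data).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Zacker", lambda d: d.lower().endswith("christmas.exe")),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName",
     "ComputerName", lambda d: d.lower() == "zacker"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main",
     "Start Page", lambda d: "jobreee/zacker.htm" in d.lower()),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and "

def decode_export(raw):
    # Regedit on 2000/XP writes UTF-16 with a BOM; REGEDIT4 exports are ANSI.
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "latin-1")

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys

def find_maldal_c(raw):
    keys = parse_reg(decode_export(raw))
    hits = []
    for key, name, test in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and test(data):
            hits.append((key, name, data))
    return hits

# Constructed sample export, not from a real machine; the C:\WINDOWS path is assumed.
SAMPLE = ("Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"Zacker"="C:\\\\WINDOWS\\\\Christmas.exe"\r\n\r\n'
    "[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Internet Explorer\\Main]\r\n"
    '"Start Page"="http://www.example.com/"\r\n').encode("utf-16")

if __name__ == "__main__":
    for key, name, data in find_maldal_c(SAMPLE):
        print(f"{key}\\{name} = {data}")
```

To check a real export, pass the file's bytes read in binary mode to find_maldal_c; an empty list means none of the three entries is present in that export.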
