New Virus-Worm Targets Those in the Holiday Spirit

19 Dec 2001
Virus News

Kaspersky Lab responds to the "alert" sent out by other anti-virus companies

Kaspersky Lab reports the detection of the latest Internet worm, I-Worm.Maldal (a.k.a. Christmas). At the moment, no cases of infection by this malicious program have been reported. This warning is for the benefit of users who have been alarmed by reports issued by other anti-virus companies.

Maldal is written in Visual Basic. It is an EXE file about 37Kb in size, compressed with the UPX utility.

The worm spreads via e-mail. To do so, it gains access to the Outlook address book, unbeknownst to the user, and then sends a copy of itself to each address found there. The message appears as follows:

It's important to note that the attached worm file always has the name CHRISTMAS.EXE.

Once the messages have been sent, Maldal displays the following New Year card:

Maldal has a destructive payload: it blocks the keyboard and then tries to delete files in the Windows system directory. In addition, the worm changes the Internet Explorer start page to http://geocities.com/jobreee/ZaCker.htm*; following a visit to this site, the script virus VBS.Kerza is installed on the victim's computer.
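A mail-triage check built from the indicators stated above (the fixed attachment name CHRISTMAS.EXE and a UPX-packed EXE), as an added example that is not Kaspersky Lab's code. The function names and sample messages are constructed for illustration, and the UPX marker strings are those written by stock UPX, not values taken from this article.

```python
import email
from email import policy
from email.message import EmailMessage

WORM_ATTACHMENT = "christmas.exe"           # attachment name given in the article
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")   # section names and magic left by stock UPX

def triage_message(raw_bytes):
    """Return one finding per suspicious attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():                  # walk() also descends into nested multiparts
        name = part.get_filename()           # decodes RFC 2047 / RFC 2231 encoded names
        if not name:
            continue
        data = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        finding = {
            "filename": name,
            "name_match": name.strip().lower() == WORM_ATTACHMENT,
            "is_exe": data[:2] == b"MZ",     # DOS/PE executable header
            "upx_packed": any(m in data[:4096] for m in UPX_MARKERS),
            "size": len(data),               # article gives roughly 37Kb for the worm
        }
        # Flag on the fixed name, or on a UPX-packed executable under any other name.
        if finding["name_match"] or (finding["is_exe"] and finding["upx_packed"]):
            findings.append(finding)
    return findings

def build_sample(filename, data):
    """Constructed message for the demo; attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Inert stand-in: MZ header plus the UPX section names, no executable code.
FAKE_PACKED = b"MZ" + b"\x00" * 200 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in [("Christmas.EXE", FAKE_PACKED), ("card.exe", FAKE_PACKED),
                        ("notes.txt", b"plain text")]:
        print(fname, triage_message(build_sample(fname, blob)))
```

The name comparison is case-insensitive, and the second condition still catches a packed executable if a variant changes the attachment name.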

"The end of the year sees the appearance of malicious programs hiding under the guise of 'Merry Christmas' and 'Happy New Year' wishes, and Maldal is a perfect example of virus writers taking advantage of this theme. It is quite possible that during the next 2-3 weeks, we could witness the appearance of other similar worms," said Denis Zenkin, Head of Corporate Communication at Kaspersky Lab.

Defense procedures thwarting I-Worm.Maldal have already been added to the latest Kaspersky Anti-Virus database update.

More detailed information about this malicious program can be found in the Kaspersky Virus Encyclopedia.

*WARNING: DO NOT USE THIS LINK!