Effects
When Maldal.C carries out its infection, it has the following effects:
- It locks the keyboard.
- It changes the name of the computer.
- In computers with the Windows NT operating system, it use up the system’s memory by creating a large number on processes.
Infection strategy
In order to carry out its infection, Maldal.C follows the routine below:
It creates the following files:
This is a copy of the file that reached the computer via e-mail. It contains the Maldal.C worm.
Maldal.C modifies some entries in the Windows Registry, as follows:
- HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run\ ZaCker.
By assigning the CHRISTMAS.EXE value to this entry, Maldal.C ensures it is run every time the computer is started up.
- HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Control\ ComputerName\ ComputerName\ ComputerName = "ZaCker"
Through this entry, the worm changes the name of the computer to ZaCker.
- HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main\ Start page = http://geocities.com/jobreee/ZaCker.htm.
As a result, the worm changes the default Internet browser’s home page.
Maldal.C also carries out the following actions:
- It creates a process called Sm56hlpr.
In this way, it locks the keyboard, preventing users from using it.
- In computers with the Windows NT operating system, the worm creates processes until it uses up the system’s memory.
Means of transmission
Maldal.C spreads via e-mail, in the following way:
Subject:
Happy New Year
Message:
Hii , I can't describe my feelings But all I can say is Happy new year :-) bye
Attachments:
CHRISTMAS.EXE
-
It activates when the attached file CHRISTMAS.EXE is run.
-
Once activated, it locks the keyboard, so that its infection routine cannot be interrupted.
-
Maldal.C sends itself out to every address found in the MSN and Outlook Address Books.
Further Details
Some additional features of Maldal.C:
- It is written in the programming language Visual Basic.
- The CHRISTMAS.EXE file is 37,376 bytes in size.