Magold is an email worm on Microsoft Windows.

Behavior

When an infected file is run, it will attempt to email all recipients in the user's email account. It sends the "Maya Gold.scr" file to them with the message:

From: erotika@lap.hu
Subject: Maya Gold-os kepernyokimelo!
Attachment: Maya Gold.scr
Tisztelt c­m!
Az EROTIKA.LAP.HU nezettsegenek n¶velese erdekeben egy kis ­zel­tµt
k­v¡n adni k­n¡lat¡bol az Internet felhaszn¡loknak!
FIGYELEM: A 'Maya Gold.scr' nev» csatolt ¡llom¡ny egy kepernyµvedµ.
Mint a neve is mutatja Maya Gold pornosz­nesznµrµl tartalmaz k¼l¶nb¶zµ kepeket.
Az ¡llom¡nyt aj¡nlott elµbb a lemezre menteni, majd ut¡na futtatni.
Amennyiben valami problem¡ja, kerdese van, ­rjon a k¶vetkezµ c­mre:
erotika@lap.hu
œdv¶zlettel: EROTIKA.LAP.HU

English translation (showing that it relates to pornographic content):

Dear Recipient,  In order to increase the popularity of EROTIKA.LAP.HU we would like to
provide you with a sample of our offers.
WARNING: The attached file 'Maya Gold.scr' is a screen saver.
As the name suggests it contains pictures of the porn actress Maya Gold.  In case 
you have a problem or question you can write to the following
address: erotika@lap.hu
Regards,  EROTIKA.LAP.HU

The file with the virus only works if PSAPI.DLL exists on the system. Otherwise, it gives an error if run.

When the file is run, it installs itself in the Windows folder and the registry so that it runs on boot. It has many ways of reaching new victims, including drives that are inserted into the computer.

Email-Worm.Win32.Magold

Payloads

When the virus is run, it may perform the following after a while[1]:

  • Changing the color of windows to red. This affects everything, even applications that are opened later.
  • Using Maldal's payload to flood the desktop with text files named "raVe#.txt" (# can be any number up to 4 digits). These files contain no text content.
  • Preventing access to portions of the screen, mostly the top, by warping the user's mouse to the center.
  • Attempting to open the CD-ROM tray if the computer has a disc tray.
  • Attempting to print the following document if a printer is installed (the =:-) repeats throughout the printed page):
SEGTS NEKEM!!!
‰n a nyomtato vagyok, es arra szeretnelek megkerni, hogy beszelj m¡r a
Windows-zal, mert ez m¡r nem ¡llapot!!
llandoan a h¼lye kerdeseivel, kereseivel zaklat, 'Van meg
lapod?', 'Tudsz sz­nesen nyomtatni?', 'Ezt most fektetve
szeretnem!', 'Keszen ¡llsz m¡r?'.
Gondolom te is egyetertesz velem, hogy ez ­gy nem mehet tov¡bb! Valamit
tenni kell!
œDV–ZLETTEL MEG‰RT• ‰S SEGT•K‰SZ BARTOD: A NYOMTAT“
PUNK'S NOT DEAD
=:-)

English translation:

HELP ME!
I'm the printer and would like to ask you to talk to Windows because this
is getting out of hand. It is continuously bugging me with silly questions
like: 'Do you still have paper?', "Can you print in color?", "I'd like to
have this one in landscape mode.", "Are you ready?".
I think you agree with me that this can not go on like this any longer.
Regards, Your sympathetic, helpful friend: The Printer
PUNK'S NOT DEAD
=:-)
  • Adding the following after application names: =:-)OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)
  • Attempting to terminate most anti-virus applications, and even a few Windows functions. When this occurs, it also terminates explorer.exe.
  • Opening http://offspring.com in the default browser.

Effects

Some time after the virus was created, its creator, "Laszlo K.", was sentenced to 2 years in prison and ordered to pay 500,000 forints ($2400 USD in 2004, $1739 USD today) in court costs.[2] He created the virus to show off his skills despite failing some of his classes in high school, but failed to do so because the exposure of personal information led to his arrest.

Variants

Magold.E

Found on June 20th, 2003, this variant adds more files to the System32 directory. In addition to terminating anti-virus programs, it can terminate the processes of other viruses such as Sobig.C, Lovgate, Sircam, Fizzer, and Klez. It uses the following email instead (still in Hungarian):

From: "VALO VILAG" [valovilag@rtlklub.hu]
Subject: Sziszi, a voros demon!  or  Subject: Sziszi a zuhanyzoban!
Body:
Tisztelt C¡m!
Az RTL KLUB j¢voltb¢l „¢n most r€šszt vehet egy Internetes
nyerem€šnyjt€škban, ahol akr 10.000.000 Ft-ot is nyerhet.
Ehhez nem kell mst tenni, mint a lev€šlhez csatolt flash-vide¢t
lefuttatni (ami Sziszi-t a Val¢ Vilg 2 sztrjt mutatja be zuhanyzs
k€zben), majd a film v€šg€šn megjeleno azonos¡t¢t visszakldeni a
valovilag@rtlklub.hu c¡mre €šs „¢n mris jt€škba kerlt.
A sorsols nyerteseit E-Mail-ben €šrtes¡tjk 2003.06.30.-n.
Å¡dv€zlettel: RTL KLUB - NA NA -Attachment: sziszi_video.exe

English translation (revealing that it is a lottery email, but with related pornographic content):

Subject: Sziszi, the red haired vamp!  or Subject: Sziszi under the shower!
Body:
Dear Recipient!
Thanks to RTL Klub TV, you may participate in an Internet prize game, where you can 
win up to 10 million HUF. All you have to do is to run and watch the attached flash 
video (which shows Sziszi, the celebrity of "Valo Vilag 2" reality TV show, taking a 
shower). At the end, an ID code will be
displayed, just send it back in e-mail to
[valovilag@rtlklub.hu] and you become a participant right
away. Winners of the draw will be contacted in e-mail on
June 30, 2003
With kind regards: RTL KLUB - NANA TV

The payloads are still the same.
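
The two lure emails quoted above (the original worm and Magold.E) reduce to a handful of mail-gateway indicators. The following is an added example, not part of the original page, that checks a raw message against them; the executable-extension list, the tag names and the verdict strings are assumptions made for illustration.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Indicators quoted on this page (original worm and Magold.E lures).
SENDERS = {"erotika@lap.hu", "valovilag@rtlklub.hu"}
SUBJECTS = ("maya gold-os kepernyokimelo", "sziszi, a voros demon",
            "sziszi a zuhanyzoban")
ATTACHMENTS = {"maya gold.scr", "sziszi_video.exe"}
# Assumption (not from the page): extensions a gateway treats as executable.
EXEC_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")

def findings(raw: bytes) -> set:
    """Return the set of indicator tags that match one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = set()
    # From is trivially spoofed, so it is only ever supporting evidence.
    if email.utils.parseaddr(str(msg.get("From", "")))[1].lower() in SENDERS:
        tags.add("sender")
    subject = str(msg.get("Subject", "")).lower()
    if any(s in subject for s in SUBJECTS):
        tags.add("subject")
    for part in msg.walk():
        # get_filename() decodes RFC 2231/2047 encoded names; Windows ignores
        # trailing dots and spaces, so strip them before comparing.
        name = (part.get_filename() or "").rstrip(". ").lower()
        if name in ATTACHMENTS:
            tags.add("attachment")
        if name.endswith(EXEC_EXTS):
            tags.add("executable")
    return tags

def verdict(raw: bytes) -> str:
    """Map indicator tags to a gateway action."""
    tags = findings(raw)
    renamed_lure = "executable" in tags and tags & {"sender", "subject"}
    if "attachment" in tags or renamed_lure:
        return "block-magold"
    return "quarantine-executable" if "executable" in tags else "deliver"

def sample(sender, subject, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The sender address alone never triggers a block, since the worm's From line is forged and a legitimate message could carry the same address.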

References

  1. https://www.f-secure.com/v-descs/magold.shtml
  2. https://www.virusbulletin.com/blog/2004/07/magold-teen-probation
