W32.Madag.A


Aliases: W32/Madag
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Europe, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 06 May 2008
Damage: Low

Characteristics: The main payload delivered by this particular malware is that it scans the compromised machine to infect files that use the DOC file extension. These files are normally generated by the word processing application developed by Microsoft Corporation. The W32.Madag.A can spread to other vulnerable computer systems by using removable storage devices as its main transport mechanism. When accessed in vulnerable computer systems, the malware will automatically execute and deliver its payload.

More details about W32.Madag.A

The W32.Madag.A will extract a number of files using the DOT and EXE file extensions into the directory folder where the operating system files are located. It modifies relevant Windows Registry key entries in order to make sure that it will be loaded on every reboot or startup instance of the infected computer system. The W32.Madag.A will also use the Windows Registry service to set the default attributes of its file components and make their detection and removal from the compromised machine more difficult. This threat will infect removable storage devices by placing an executable copy of itself. The W32.Madag.A will include an information file in the infected removable storage device so that when an unsuspecting user accesses it the host machine will become infected.

The payload delivery routine identified with the W32.Madag.A by most antivirus vendors include the scanning of the contents of the storage devices attached to the infected computer system for the presence of DOC format files. Once the files are found the W32.Madag.A will add a copy of its codes at the beginning of the file. After successfully adding its codes the DOC file will be saved and the file extension replaced by the EXE format. The W32.Madag.A will attempt to illegally terminate specific programs based on a list of predetermined text strings hard coded into its body.