W32.Mari@mm


Aliases: I-Worm.Mari.a, I-Worm/Mari.A, Win32.Mari.A, W32/Mari@MM, Win32/Mari.E@mm
Variants: W32/Marijuana, W95.Smoker.Worm@mm, Email-Worm.Win32.Mari.a, Win32.HLLW.Mari.45056, WORM_MARI.D

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 08 Jun 2001
Damage: Low

Characteristics: As a malware written using the Visual Basic programming language, one of the requisites prior to its execution is that the Visual Basic runtime libraries must be running in the host computer system. If this is met, the W32.Mari@mm will proceed by dropping an executable copy of itself into the directory folder of the operating system and modify the initialization file of the operating system. It will place its own icon at the system tray.

More details about W32.Mari@mm

After successfully installing its executable file component, the W32.Mari@mm will modify the initialization file of the operating system by adding the Load and Open instructions. These commands will allow the executable file of the W32.Mari@mm to be launched as soon as the operating system is loaded. The Windows Registry will also be modified to add its automatic startup value along with the replacement of data associated with the Registered Owner and Registered Organization of the infected computer system. The W32.Mari@mm will replace the contents of these fields with data hard coded into its body. An email message with an executable file attachment will be sent out by the W32.Mari@mm to all contacts found in the address book of the default email client.

The W32.Mari@mm has been observed to modify the default homepage of the Web browser into a website that is predetermined by its malicious author. The W32.Mari@mm will place its marijuana leaf icon in the system tray of the compromised machine right beside the system clock. Once the mouse pointer hovers over the icon a message stating "Legalize It" will be displayed. If the system tray icon is clicked a message box will be displayed by the malware. If the W32.Mari@mm detects the system time as 4:20 in the afternoon it will display a message box titled "The Marijuana Virus!!".