Aliases: Win32.Madang.B, W32/Madangel.b, W32/Madang-Fam, Virus:Win32/Madang.A, Win32/MaDang.B
Variants: Virus.Win32.Small.l, PE_MADANGEL.D-O, Virus.Win32.Small, W32/Guarder, Win32.Madang

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 Jul 2006
Damage: Medium

Characteristics: This threat employs a propagation technique that takes advantage of poorly protected network shares as a transport mechanism to spread its infection to other network clients and their environment. The W32.Madangel malware infects all executable files found on the compromised machine, including those located on shared network drives. It is likewise capable of downloading and launching remote malicious files after lowering the default security settings of the infected computer system.

More details about W32.Madangel

This threat initially executes by creating two executable files with two different filenames. These two executable files are copies of the W32.Madangel malware itself. They are accompanied by a Dynamic Link Library file whose filename is the same as its extension. This accompanying file is a copy of the downloader component of W32.Madangel, which allows it to retrieve remote files. The malware inspects the Windows Registry to check for the presence of its infection marker: if the marker is found, the threat terminates; if it is absent, W32.Madangel proceeds to create one. After successfully modifying the Windows Registry, it attempts to terminate specific antivirus application services running on the infected computer system.

W32.Madangel injects its Dynamic Link Library file into either the Internet Explorer or the Windows Explorer process in order to hook specific functionality. Hooking the Web browser allows W32.Madangel to discreetly download malicious files from a predefined Internet server without the user's knowledge. Hooking the Windows Explorer process allows W32.Madangel to secretly search the contents of the computer system for executable files, starting from drive C up to drive Y. An initialization file with the system and hidden attributes set is created by the threat on each storage device where the malware has successfully infected executable files.
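As an added triage example (not part of the original description), the following Python function checks a file listing for two artifacts the text above attributes to this threat: a DLL whose filename equals its extension, and a hidden+system initialization file on a drive in the C..Y range. It assumes the .ini marker sits at the drive root and that the listing carries Win32 attribute bits; the sample records are constructed.

```python
import ntpath
from dataclasses import dataclass

# Win32 file attribute bits (assumed to come from the directory listing)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDDEN_AND_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


@dataclass
class FileRecord:
    path: str   # Windows-style path, e.g. r"D:\setup.ini"
    attrs: int  # Win32 attribute bits


def name_equals_extension(path: str) -> bool:
    """True for names like 'dll.dll' where the stem equals the extension."""
    stem, dot, ext = ntpath.basename(path).rpartition(".")
    return bool(dot) and stem.lower() == ext.lower()


def triage(records):
    """Return (indicator, path) pairs for files matching the described artifacts."""
    findings = []
    for rec in records:
        drive, tail = ntpath.splitdrive(rec.path)
        letter = drive[:1].upper()
        if not ("C" <= letter <= "Y"):  # the text names drives C through Y
            continue
        if name_equals_extension(rec.path):
            findings.append(("dll-named-like-extension", rec.path))
        # assumption: the marker .ini is written at the drive root
        at_root = ntpath.dirname(tail) == "\\"
        is_ini = tail.lower().endswith(".ini")
        if at_root and is_ini and (rec.attrs & HIDDEN_AND_SYSTEM) == HIDDEN_AND_SYSTEM:
            findings.append(("hidden-system-root-ini", rec.path))
    return findings


# Constructed sample listing: one match per indicator, plus benign and out-of-range entries
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\dll.dll", 0x20),
    FileRecord(r"D:\setup.ini", HIDDEN_AND_SYSTEM),
    FileRecord(r"C:\Windows\win.ini", 0x20),
    FileRecord(r"Z:\setup.ini", HIDDEN_AND_SYSTEM),
    FileRecord(r"C:\Program Files\app\app.exe", 0x20),
]


def run_sample():
    return triage(SAMPLE_RECORDS)
```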