Aliases: W32/Maddis.worm, WORM_MADDIS.A, Worm/Maddis.B, Proxy.3.BS, W32/Maddis.A.worm
Variants: Trojan-Proxy.Win32.TexLock.b, TrojanProxy.Win32.TexLock.b, Trojan.Texlok, Trojan.Proxy.Texlock.B, Win32/TrojanProxy.TexLock.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America, Europe, Australia
Removal: Easy
Platform: W32
Discovered: 12 Apr 2004
Damage: Low

Characteristics: W32.Maddis.B is considered potentially dangerous malware and belongs to a family of threats that prey on vulnerable network shares found in the compromised computer system. It is capable of injecting its code into different system-critical processes to negatively influence their behavior. Written in x86 assembly language, this malware was designed to open multiple unprotected communication ports on the computer system. The machine can be used as a spam relay or proxy.

More details about W32.Maddis.B

This malware creates an executable and a Dynamic Link Library (DLL) file in the subfolders of the directory where the operating system files are located. W32.Maddis.B generates a corresponding key value in the Windows Registry that points to the exact location of its executable file. The Windows Registry is also used to load the malware automatically with the operating system at every startup or reboot of the infected computer system. W32.Maddis.B creates a service that attempts to mimic the update process of the operating system and hide its true actions. This routine allows the malware to restart its process every time it is stopped, whether by antivirus applications or by the computer user.

The DLL component of W32.Maddis.B is used to hook different operating system processes and Application Programming Interfaces (APIs). The threat does this in order to connect to Internet servers without being detected by the firewall protection of the host computer system. W32.Maddis.B uses predetermined text strings to choose specific values that it will mask. The websites that the malware attempts to connect to are hard-coded into the body of the malware. W32.Maddis.B can use the NetBIOS process of the operating system to scan Local Area Network connections.