SECURITY ALERT

Name:      W32.HLLW.Magold@mm
Aliases:   W32/Auric@MM,MaGold,Win32.Auric.A
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by Computer Associates, F-Secure, Network Associates and Symantec.

Virus Characteristics

This worm is written in Borland C and contains its own SMTP engine, so it does not depend on the victim's mail client to send itself. The file is 240KB UPX-compressed (622KB uncompressed). It arrives as an email with the following characteristics:

From: EROTIKA.LAP.HU

Subject: Maya Gold-os kepernyokimelo!
(Hungarian: "Maya Gold screensaver!")

Message Body (Hungarian, reproduced verbatim for filter matching):
Tisztelt cím!
Az EROTIKA.LAP.HU nézettségének növelése érdekében egy kis ízelítőt kíván adni kínálatából az Internet felhasználóknak!
FIGYELEM: A 'Maya Gold.scr' nevű csatolt állomány egy képernyővédő.
Mint a neve is mutatja Maya Gold pornószínésznőről tartalmaz különböző képeket.
Az állományt ajánlott előbb a lemezre menteni, majd utána futtatni.

Amennyiben valami problémája, kérdése van, írjon a következő címre:
erotika@lap.hu

Üdvözlettel: EROTIKA.LAP.HU

English translation of the body:
Dear Sir or Madam,
In order to increase the audience of EROTIKA.LAP.HU, we would like to give Internet users a small taste of what we offer!
ATTENTION: The attached file named 'Maya Gold.scr' is a screensaver.
As the name suggests, it contains various pictures of the porn actress Maya Gold.
It is recommended to save the file to disk first and then run it.

If you have any problems or questions, write to the following address:
erotika@lap.hu

Regards, EROTIKA.LAP.HU

Attachment: Maya Gold.scr

The worm sends itself to every contact in the Windows Address Book and to every email address it harvests from files of the following types found on the system: HTM, HTML, and HTA.


Payload

When the attachment is run, the worm displays a message box made to look like a DirectX failure. Title bar:

DirectX

Text:

DirectX error!
Address:0002R1A9V8E52000

The "address" is a decoy: the letters scattered through the digits spell RAVE, the name the worm uses for its dropped file and registry value.

It drops copies of itself into the Windows folder under the following names (the third is inside a raVe subfolder):

raVe.exe
Maya Gold.scr
\raVe\Maya Gold.scr

It attempts to terminate running processes whose names contain any of the following strings, which targets antivirus and related security products (these are loose substring matches: AV and VIR also hit unrelated process names):

NORT
AFEE
ANTI
VIR
PROT
AV

It sets the (Default) value of the following keys to "C:\WINDOWS\raVe.exe" "%1" %*, so that the worm runs first every time a BAT, COM, EXE, PIF or SCR file is launched. The "%1" %* part hands the original program and its arguments to raVe.exe, which launches them after itself, so programs still appear to work. HKEY_CLASSES_ROOT\<class> and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<class> are two views of the same data:

HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command

Cleanup note: restore these values to the stock handlers ("%1" %* for batfile, comfile, exefile and piffile; "%1" /S for scrfile) before deleting raVe.exe. If the file is removed first, every EXE, COM, BAT, PIF and SCR launch fails because Windows can no longer find the handler, and that includes regedit.exe.


It adds the value "raVe"="%Windir%\raVe.exe" to the following keys, so that the worm also runs at every Windows startup (RunServices is honoured by Windows 95/98/ME only):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
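The following is an added example written for this page (Python; it is not a tool from the vendors cited above) covering both registry changes just described: it reads a Regedit export, reports every shell\open\command handler that is not the stock Windows value and every Run/RunServices value pointing at raVe.exe, and writes the .reg file that undoes them. The sample export is constructed; the stock handler values are the standard Windows defaults, which the advisory does not list.

```python
# Added example (not from the advisory or any vendor tool): find the raVe.exe
# registry changes in a Regedit export and build a .reg file that undoes them.
import re

# Stock Windows shell\open\command handlers for the five hijacked classes;
# scrfile is the only one that is not "%1" %*.
DEFAULT_COMMANDS = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export: one hijacked handler, one clean handler, and the
# worm's Run entry next to a legitimate one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\raVe.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\raVe.exe"
"Synchronization Manager"="mobsync.exe /logon"
'''

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg(text):
    """Return {key: {value_name: data}} for the REG_SZ values of a .reg export.
    The default value is stored under the name ""; hex/dword values are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                entries[current][name] = _unescape(data[1:-1])
    return entries

def find_hijacks(entries):
    """Return (key, value_name, data) for each handler that is not the stock
    command and each Run/RunServices value pointing at raVe.exe. HKCR and
    HKLM/SOFTWARE/Classes hold the same data, so keys are matched on their
    trailing path."""
    findings = []
    for key, values in entries.items():
        parts = key.split("\\")
        if len(parts) >= 4 and parts[-3:] == ["shell", "open", "command"]:
            klass = parts[-4].lower()
            data = values.get("", "")
            if klass in DEFAULT_COMMANDS and data != DEFAULT_COMMANDS[klass]:
                findings.append((key, "", data))
        if key in RUN_KEYS:
            for name, data in values.items():
                if "rave.exe" in data.lower():
                    findings.append((key, name, data))
    return findings

def build_repair_reg(findings):
    """Produce a .reg that restores stock handlers and deletes the Run values.
    Import it BEFORE deleting raVe.exe: while the file exists it still passes
    "%1" %* through, so regedit and every other program keep launching."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in findings:
        lines.append(f"[{key}]")
        if name == "":
            klass = key.split("\\")[-4].lower()
            lines.append(f'@="{_escape(DEFAULT_COMMANDS[klass])}"')
        else:
            lines.append(f'"{_escape(name)}"=-')  # "=-" deletes the value
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_repair_reg(find_hijacks(parse_reg(SAMPLE_EXPORT))))
```

Export the keys in question with regedit (File > Export, or regedit /e), run them through parse_reg and find_hijacks, and import the generated file with regedit while raVe.exe is still on disk; only then delete the dropped files. On Windows 9x/ME the export header is REGEDIT4 instead of the 5.00 line, which the parser ignores either way.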

The worm also drops itself as Maya Gold.scr into the following file-sharing application folders, so that users of those networks download and run it:
\Limewire\Share\
\Gnucleus\Downloads\
\Gnucleus\Downloads\Incoming\
\Shareaza\Downloads\
\Bearshare\Shared\
\Edonkey2000\Incoming\
\Morpheus\My Shared Folder\
\Grokster\My Grokster\
\ICQ\Shared Files\
\Edonkey2000\

It also has the ability to spread via IRC and ICQ.

Other payloads may include the following:

The creation of several shortcuts on the desktop.
Preventing the mouse from being moved to the Windows menu bar.
Adding the string " =:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)" to selected windows.
Terminating any process whose memory contains the string "Maya Gold.scr".
Ejecting the CD tray.
Changing the screen display colors.
Creating 2,000 empty (0-byte) files named raVe*.txt.


Preventative Measures

Block attachments named "Maya Gold.scr" at the messaging gateway whenever possible, and consider blocking .scr attachments outright: a screensaver file is an ordinary executable, and the lure text explicitly tells the recipient to save the file and run it. Because the worm also seeds peer-to-peer shared folders and spreads over IRC and ICQ, gateway filtering alone does not contain it; desktop antivirus with the definitions listed below is still required.
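As an added example (Python, written for this page, not a filter from any of the vendors cited), the checks above run over constructed sample messages. It flags the advisory's attachment name and sender, and goes beyond the specific case with two assumed site-policy rules the advisory does not prescribe: rejecting directly executable attachment types by extension, and rejecting any non-text part whose content starts with the DOS "MZ" header, which catches an executable renamed to look like a picture.

```python
# Added example (not from the advisory): gateway checks for the worm's mail,
# run over constructed sample messages.
import os
from email import message_from_string, policy

BLOCKED_NAMES = {"maya gold.scr"}                               # from the advisory
SENDER_MARKERS = ("erotika.lap.hu",)                            # from the advisory
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat"}  # assumed site policy

# Constructed: the worm's mail as the advisory describes it, with a 36-byte
# stub beginning with the DOS "MZ" header standing in for the worm body.
WORM_MESSAGE = """\
From: EROTIKA.LAP.HU <erotika@lap.hu>
To: user@example.invalid
Subject: Maya Gold-os kepernyokimelo!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-2"

Tisztelt cim!
--b1
Content-Type: application/octet-stream; name="Maya Gold.scr"
Content-Disposition: attachment; filename="Maya Gold.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
"""

# Constructed: the same executable stub renamed to look like a picture.
RENAMED_MESSAGE = """\
From: someone@example.invalid
Subject: holiday pics
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: image/jpeg; name="beach.jpg"
Content-Disposition: attachment; filename="beach.jpg"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b2--
"""

# Constructed: a plain message that must pass.
CLEAN_MESSAGE = """\
From: someone@example.invalid
Subject: meeting notes
Content-Type: text/plain

Notes are in the body, nothing attached.
"""

def scan_message(raw):
    """Return the reasons to reject an RFC 822 message; an empty list passes."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    sender = str(msg.get("From", "")).lower()
    if any(marker in sender for marker in SENDER_MARKERS):
        reasons.append(f"sender matches the worm's lure: {sender}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        lower = name.lower()
        if lower in BLOCKED_NAMES:
            reasons.append(f"attachment name on blocklist: {name}")
        elif name and os.path.splitext(lower)[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"directly executable attachment type: {name}")
        # Filename and Content-Type are sender-controlled; a PE file starts
        # with the DOS "MZ" header whatever it is called.
        body = part.get_payload(decode=True) or b""
        if part.get_content_maintype() != "text" and body[:2] == b"MZ":
            reasons.append(f"executable (MZ) payload in part: {name or '(unnamed)'}")
    return reasons

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("renamed", RENAMED_MESSAGE),
                       ("clean", CLEAN_MESSAGE)):
        print(label, scan_message(raw) or ["pass"])
```

The name check alone is brittle (a trivially renamed copy of the worm passes it), which is why the extension and header checks sit beside it; the sender check is the weakest of the three, since the From header is forged by the worm's own SMTP engine.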


Fixes Available

Network Associates:
Minimum DAT: 4268
Release Date: 06/05/2003
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): May 30, 2003
Virus Definitions (LiveUpdate): June 4, 2003
