** Virus Alert: W95/Toal@MM **

This worm has only been seen in the wild in the Far East and in low numbers. It has received some attention only because of its subject matter. It infects only Win9x/ME systems; it does not run on WinNT/2000. It arrives attached to emails with various subjects (most relating to Osama Bin Laden). The attachment is named BINLADEN_BRASIL.EXE; its length can vary.

The worm tries to use a known malformed MIME header exploit (MS01-020, see <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp>) to execute the attachment. When the attachment is run, it drops an .EXE file with a random three-letter name into the root of drive C: and into the Windows folder. This file is the main worm executable. The worm also drops a .DLL file, INVICTUS.DLL, into the Windows system folder. This DLL is a known virus toolkit used by various viruses and is detected as W32/Invictus.dll. It contains the viral functions the worm uses; the worm cannot function without it.

Using the viral routines in INVICTUS.DLL, the worm infects the HH.EXE and EXPLORER.EXE files in the Windows folder. It also alters SYSTEM.INI so that the worm executable is run at every system startup:

[boot]
shell=Explorer.exe [3 random characters].EXE
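As an added example (not part of the original alert), the Python script below parses a SYSTEM.INI text for the [boot] shell= line and reports any program listed after Explorer.exe, which is the persistence mechanism described above. The sample INI text and the name xyz.exe are constructed, and the three-letter .EXE pattern is an assumption based on the alert's description.

```python
import re
from typing import List

# Constructed sample SYSTEM.INI: "xyz.exe" stands in for the worm's random
# three-character file name appended to the shell= line.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe xyz.exe
drivers=mmsystem.dll
"""
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

# Assumed shape of the dropped file name: three letters plus .EXE.
DROPPED_NAME = re.compile(r"^[A-Za-z]{3}\.exe$", re.IGNORECASE)


def boot_shell_value(ini_text: str) -> str:
    """Return the shell= value from the [boot] section, or '' if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def suspicious_shell_entries(ini_text: str) -> List[str]:
    """Programs listed after Explorer.exe in shell=, i.e. extra startup entries."""
    parts = boot_shell_value(ini_text).split()
    if not parts or parts[0].lower() != "explorer.exe":
        return parts  # a replaced shell is itself worth reporting whole
    return parts[1:]


def matches_toal_pattern(ini_text: str) -> bool:
    """True if any extra entry looks like the worm's three-letter .EXE."""
    return any(DROPPED_NAME.match(e) for e in suspicious_shell_entries(ini_text))
```

A clean system returns an empty list; the same check is easy to extend to the other artifacts named in this alert, such as the presence of INVICTUS.DLL or the "BinLaden" share.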

The worm obtains a list of email addresses from ICQ White Pages and sends out copies of itself with the infected HH.EXE attached as BINLADEN_BRASIL.EXE. The worm also creates an open share called "BinLaden" that provides full access to the C drive. After the worm has been running for a certain period of time, it pops up various messages referring to the USA and Osama Bin Laden.