Win32/Auric.A

Created: 2007-06-25, 19:27:06
Last updated on: 2010-11-26, 09:29:20

Platform: Win32
Type: worm
Size: 240640
Date: 2003-05-29

Compressor: UPX
Language: Delphi
Affected operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Not affected operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...

Naming

Different antivirus products use different names for the same virus or worm. Sometimes one product identifies the same malware under several names for different copies, and sometimes different viruses and worms are identified under the same name. The list below gives the names used by the most popular antivirus products; the names can also vary between versions of the same product.

Antivirus            Name
Avast Win32:Magold
AVG I-Worm/Auric.A
BitDefender Win32.Auric.A@mm
e-Trust Win32/Auric.A
F-PROT W32/Auric.A@mm
F-Secure Email-Worm.Win32.Magold.a
Ikarus Email-Worm.Win32.Magold.A
Kaspersky Email-Worm.Win32.Magold.a
McAfee W32/Auric@MM(Virus)
Microsoft Win32/Auric.A@mm
NOD32 (ESET) Win32/Auric.A:UPX
Panda W32/Auric
Rising Antivirus Worm.Magold.a
Sophos W32/Magold-A
Trend Micro WORM_AURIC.A
VirusBuster I-Worm.Magold.A

Organization         Name
Wildlist W32/Magold.A-mm

Installation

Viruses and worms often perform some spectacular visible action. The usual purpose is to attract attention, and because the action requires user interaction (pressing a button or clicking the mouse), it also hinders automated analysis of the malware in a virtual environment. The worm displays a window during the installation of its code.


The main purpose of a virus or worm spreading over the Internet or a local network is to infect further computers. Once on a machine, the malware modifies the system so that its code is launched again after a reboot. For this it usually creates files in the operating system's own directories and modifies the registry so that Windows executes the malware code at startup. It may also create files in other directories of the file system, and it may create AUTORUN.INF files in the root directory of each drive; with the default Windows settings of the time, the malware is then executed automatically as soon as the user opens the root directory of that drive.

The Win32/Auric.A worm creates the following files in the Windows folder (default: C:\Windows):

  • raVe.exe
  • Maya Gold.scr
  • \raVe

The Win32/Auric.A worm creates the file raVec.txt in the Windows System32 folder (default: C:\Windows\System32).

The Win32/Auric.A worm creates the following files in the shared folders of peer-to-peer clients:

  • C:\Program Files\Limewire\Share\Maya Gold.scr
  • C:\Program Files\Gnucleus\Downloads\Maya Gold.scr
  • C:\Program Files\Gnucleus\Downloads\Incoming\Maya Gold.scr
  • C:\Program Files\Shareaza\Downloads\Maya Gold.scr
  • C:\Program Files\Bearshare\Shared\Maya Gold.scr
  • more...


The Win32/Auric.A worm creates the following registry entries, or modifies them if they already exist. The Run value starts raVe.exe at every logon, and the shell\open\command values make raVe.exe run first whenever the user launches any .exe, .com, .bat or .pif file, with the original program passed to it as an argument:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "raVe"="C:\WINDOWS\raVe.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] "@"="raVe.exe \"%1\" %*"
  • [HKEY_CLASSES_ROOT\Classes\comfile\shell\open\command] "@"="raVe.exe \"%1\" %*"
  • [HKEY_CLASSES_ROOT\Classes\batfile\shell\open\command] "@"="raVe.exe \"%1\" %*"
  • [HKEY_CLASSES_ROOT\Classes\piffile\shell\open\command] "@"="raVe.exe \"%1\" %*"
  • more...
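The check below is an added example, not code from the original page or from any antivirus vendor. It parses a `reg export` text dump (a constructed one is embedded) and reports the Run value and any hijacked shell\open\command keys among the four file classes listed above, then emits a .reg fragment that restores the stock value. The HKEY_CLASSES_ROOT and HKLM\SOFTWARE\Classes spellings are treated as the same key, since HKCR is a merged view of the latter. The order of cleanup matters: restore the open commands before deleting raVe.exe, otherwise Windows will try to run the missing raVe.exe for every .exe the user opens and nothing, regedit included, will start.

```python
# Added example (not from the original page): parse a 'reg export' text dump and look for
# the two persistence mechanisms listed above, the Run value and the hijacked
# shell\open\command keys. The export text below is constructed for the example.
import re

CLEAN_SHELL_COMMAND = '"%1" %*'           # stock value for exefile/comfile/batfile/piffile
HIJACKED_CLASSES = ("exefile", "comfile", "batfile", "piffile")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_IMAGE = "rave.exe"                    # compared case-insensitively

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the subset of .reg syntax that 'reg export' emits for string values.

    Returns {key_path: {value_name: data}}; the default value is stored under "@".
    Non-string types (dword:, hex:) are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_shell_hijacks(keys):
    """Return {file_class: command} for exefile/comfile/batfile/piffile whose
    shell\\open\\command default value is not the stock '"%1" %*'.
    HKEY_CLASSES_ROOT is a merged view of HKLM\\SOFTWARE\\Classes, so both spellings match."""
    found = {}
    for path, values in keys.items():
        parts = [p.lower() for p in path.split("\\")]
        if len(parts) >= 4 and parts[-3:] == ["shell", "open", "command"] and parts[-4] in HIJACKED_CLASSES:
            cmd = values.get("@", "")
            if cmd != CLEAN_SHELL_COMMAND:
                found[parts[-4]] = cmd
    return found


def find_run_entries(keys, image=WORM_IMAGE):
    """Return Run values whose data references the worm's executable."""
    return {name: data
            for path, values in keys.items() if path.lower() == RUN_KEY.lower()
            for name, data in values.items() if image in data.lower()}


def remediation_reg(hijacks):
    """Emit a .reg fragment restoring the stock open command for each hijacked class.
    Apply it before deleting raVe.exe, otherwise no .exe (regedit included) will start."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cls in sorted(hijacks):
        lines.append(f"[HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command]")
        lines.append('@="\\"%1\\" %*"')
        lines.append("")
    return "\n".join(lines)


# Constructed export: the worm's Run value and two hijacked classes next to a clean class.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\raVe.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="raVe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="raVe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    print("Run entries:", find_run_entries(keys))
    hijacks = find_shell_hijacks(keys)
    print("Hijacked classes:", hijacks)
    print(remediation_reg(hijacks))
```

On a live system the same functions can be fed the output of `reg export HKCR\exefile exefile.reg` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; the parser only understands the string-value subset of the format, so binary and DWORD values pass through as raw text.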


There are several other ways of activating malware after a reboot. Windows also reads several plain-text configuration files that can start a program automatically after booting or when a drive is opened.

The Win32/Auric.A worm writes the following into the "open=" line of AUTORUN.INF files:

[autorun]
open=Maya Gold.scr
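The checker below is an added example, not code from the original page: it parses an AUTORUN.INF the way a scanner would and reports which program the [autorun] section would launch, handling the unquoted path with a space that the worm's own file uses (Windows accepts "Maya Gold.scr" unquoted). The three sample files are constructed. One caveat for anyone testing this on current machines: Windows 7 and later (and older versions with Microsoft's 2011 AutoRun update) no longer honour open= on USB and fixed drives, only on optical media, so the propagation path described above depends on the default settings of the Windows versions listed as affected.

```python
# Added example (not from the original page): a small AUTORUN.INF checker that reports
# which program the [autorun] section would launch. The sample file contents are constructed.
import re

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")   # .scr is a PE executable like .exe
LAUNCH_KEYS = ("open", "shellexecute")                      # keys Windows acts on when the drive is opened
# The program is a quoted path, or everything up to the first executable extension
# (Windows tolerates unquoted paths with spaces such as "Maya Gold.scr"), or the first token.
_PROG_RE = re.compile(r'^"?(.+?\.(?:exe|scr|com|bat|pif))(?=["\s]|$)', re.I)


def parse_inf(text):
    """Minimal INF/INI parser: {section: {key: value}} with section and key names lower-cased.
    Text after ';' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_program(value):
    """Extract the program from an open=/shellexecute= value."""
    value = value.strip()
    m = _PROG_RE.match(value)
    if m:
        return m.group(1)
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def check_autorun(text):
    """Return [(key, program)] for every launch key whose target is an executable."""
    autorun = parse_inf(text).get("autorun", {})
    findings = []
    for key in LAUNCH_KEYS:
        if key in autorun:
            prog = launched_program(autorun[key])
            if prog.lower().endswith(EXECUTABLE_EXTS):
                findings.append((key, prog))
    return findings


# Constructed samples: the worm's file from the text above, a harmless driver CD, a vendor installer.
WORM_INF = "[autorun]\nopen=Maya Gold.scr\n"
BENIGN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Driver CD\n"
INSTALLER_INF = "[autorun]\nOPEN=setup.exe /autorun ; vendor installer\nshellexecute=readme.txt\n"

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("benign", BENIGN_INF), ("installer", INSTALLER_INF)):
        print(name, check_autorun(inf))
```

The installer sample is reported too, because the checker cannot tell a legitimate setup.exe from a worm; what makes the worm's file suspicious is the combination of an executable in the drive root and a screensaver extension, which is why the hit list carries the file name for a human to judge.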

Viruses and worms may also stop processes belonging to antivirus products and firewalls. The first aim is to let the malware survive in the system for a long time; the second is that, if the malware contains a backdoor, it can then operate unhindered. Malware may also redirect Internet traffic so that certain web sites (e.g. antivirus update pages) become unreachable.

The Win32/Auric.A worm terminates processes whose names contain any of the following strings (matching, among others, Norton and McAfee products):

  • VIR
  • NORT
  • AFEE
  • ANTI

Malware can also infect other computers through shared folders; a curious user sitting at the other machine can easily launch the malware's code from there.

The Win32/Auric.A worm uses the shared folders of the following applications:

  • Limewire
  • Gnucleus
  • Shareaza
  • Kazaa
  • Bearshare
  • more...

The Win32/Auric.A worm uses the following folders (under C:\Program Files) as shared folders:

  • \Limewire\Share\
  • \Gnucleus\Downloads\
  • \Gnucleus\Downloads\Incoming\
  • \Shareaza\Downloads\
  • \Bearshare\Shared\
  • more...

E-mail messages

The main aim of a worm spreading by e-mail is to infect other computers. For this purpose it creates and sends e-mail messages to various addresses. These messages usually carry the worm's code as an attachment, but it is also possible that the body contains only a link and the user downloads the worm's code from there. E-mail worms can construct messages with various parameters.

The Win32/Auric.A worm propagates by sending e-mail messages that it constructs itself.

The characteristics of the e-mail messages are the following:

Sender

The sender address of the infected e-mail is EROTIKA.LAP.HU <erotika@lap.hu>.


Subject

The subject of the infected e-mail messages is: Maya Gold-os kepernyokimelo! (Hungarian for "Maya Gold screensaver!")


Attachment

The attachment of the infected e-mail message sent by the worm is Maya Gold.scr. A .scr file is a PE executable like an .exe, so opening the "screensaver" runs the worm.
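The mail check below is an added example, not code from the original page or from any mail filter product. It classifies raw messages against the three fixed indicators above (sender, subject, attachment name) and, more generally, flags any attachment with an executable extension; the three sample messages are constructed, including the body text, which the page does not describe.

```python
# Added example (not from the original page): classify raw e-mail messages against the
# sender/subject/attachment indicators listed above, and more generally flag executable
# attachments. The sample messages are constructed for the example.
from email import message_from_string
from email.utils import parseaddr

AURIC_SENDER = "erotika@lap.hu"
AURIC_SUBJECT = "Maya Gold-os kepernyokimelo!"
AURIC_ATTACHMENT = "maya gold.scr"           # compared case-insensitively
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")


def attachment_names(msg):
    """File names of all non-multipart parts that carry one."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_maintype() != "multipart" and part.get_filename()]


def analyze(raw):
    """Return {'verdict': ..., 'indicators': [...], 'attachments': [...]}.

    'auric' needs the worm's attachment name, or both its fixed sender and subject;
    any other executable attachment is reported as 'executable-attachment'.
    """
    msg = message_from_string(raw)
    names = attachment_names(msg)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == AURIC_SENDER:
        hits.append("sender")
    if (msg.get("Subject") or "").strip() == AURIC_SUBJECT:
        hits.append("subject")
    if any(n.lower() == AURIC_ATTACHMENT for n in names):
        hits.append("attachment")

    if "attachment" in hits or {"sender", "subject"} <= set(hits):
        verdict = "auric"
    elif any(n.lower().endswith(EXECUTABLE_EXTS) for n in names):
        verdict = "executable-attachment"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "attachments": names}


# Constructed sample: the worm's lure as described above (body text is made up).
WORM_MAIL = """\
From: EROTIKA.LAP.HU <erotika@lap.hu>
To: victim@example.com
Subject: Maya Gold-os kepernyokimelo!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(constructed sample body)
--b1
Content-Type: application/octet-stream; name="Maya Gold.scr"
Content-Disposition: attachment; filename="Maya Gold.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Same structure, different lure: caught only by the generic executable-attachment rule.
INVOICE_MAIL = (WORM_MAIL
                .replace("EROTIKA.LAP.HU <erotika@lap.hu>", "Accounts <ap@example.net>")
                .replace("Maya Gold-os kepernyokimelo!", "Invoice 4711")
                .replace("Maya Gold.scr", "invoice.exe"))

CLEAN_MAIL = INVOICE_MAIL.replace("invoice.exe", "invoice.pdf")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("invoice", INVOICE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, analyze(raw))
```

The worm's indicators are all fixed strings, which is why matching on them was enough in 2003; the generic extension rule is the part that survives a change of sender or subject.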


Attacks on the Internet

Viruses and worms can attack other computers on the Internet and render them unusable.

The worm tries to connect to http://www.offspring.com.

One way of opening a backdoor on the attacked machine is to install an IRC client. Via this IRC connection the attacker can control the computer remotely, and the malware's code can also be sent over the IRC connection.

The Win32/Auric.A worm uses the following chat clients:

  • mIRC
  • Pirch

Payload functions

A virus or worm can do whatever it (or its author) wants. Some malware executes its payload only when a particular event occurs; sometimes these functions run on specific dates and times.

The Win32/Auric.A worm executes the following payload functions:

Condition: during its operation
Activity: prevents the user from moving the mouse pointer to certain positions (e.g. the Address Bar)

Condition: at random times
Activity:
  • inserts the string =:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-) at the beginning of the title of the infected document
  • creates files on the desktop
  • repaints the window red
  • opens the tray of the CD drive