F-Secure Virus Descriptions : Maslan.A
[Summary] | [Detailed Description] | [Detection]
Maslan is a multi-component stealth (uses rootkit functionality)
worm that drops an IRC backdoor to a computer. It can steal
personal data (spying component), organize a DoS (Denial of
Service) attack, spread in e-mails and to remote computers by
using the LSASS and DCOM exploits. Most likely the worm was
manufactured in Russia.
Installation to system
When the worm's file is run, it drops a few files to Windows
System folder:
___j.dll - performs DDoS, opens ftp server, scans computers
___n.exe - IRC backdoor file
___r.exe - main component of the worm
___u - copy of a worm's dropper
___m - storage for collected e-mail addresses
___e - mime-encoded copy of the worm's dropper
___t - ASCII file with a number (net address)
The worm can also create the following files (they indicate
actions that the worm is currently doing):
___Prior - not doing any action
___AlaMail - spreading in e-mails
___AlaScan - scanning for vulnerable computers
___AlaDdos - performing a DDoS attack
___AlaFtp - ftp server is active
The worm uses rootkit techniques to hide its presence in a
system. When the worm is active in memory, all the above listed
files are hidden. Moreover, all folders and files that have '___'
(3 underscore characters) string in the their names are hidden as
well. When viewed from the Command shell (CMD.EXE) the hidden
files and folders names are represented by a single dot
character: '.' .
The worm creates several startup keys for its files in the
Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
"Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"
where %WinSysDir% represents the Windows System folder (for
example 'C:\Windows\System32\' on a default installation of
Windows).
The worm creates a mutex named 'ALAxALA' when run.
Spreading in E-mails
Before spreading in e-mails the worm scans all hard drives and
RAM disks for victims' e-mail addresses. The worm scans files
with these extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
The worm ignores e-mail addresses with any of the following
substrings:
abuse
secur
www
spam
spm
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
test
admin
ntivi
listserv
certific
accoun
subscribe
avp
syma
panda
sopho
borlan
inpris
example
mydomai
nodomai
mysqlruslis
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
The infected e-mail has the following characteristic:
Subject:
123
Body:
Hello <name>
--
Best regards,
<name> <e-mail>
Attachment:
PlayGirls2.exe
The worm fakes the sender's address. The user's first name for
the fake address is selected from the following variants:
Maria
Anna
Andrew
Liza
Alan
Robert
Ivan
Helen
Chris
Arnold
Peter
Steven
Angel
John
Mackye
Sarah
Christian
The user's last name for the fake address is selected from the
following variants:
Smith
Ghisler
Carter
Lopez
Conor
Green
Goldberg
Kutcher
Kramer
Bernard
Ruben
Nelson
Jackson
Scott
Miller
The domain name for the fake address is selected from the
following variants:
msn.com
yahoo.com
hotmail.com
freemail.com
mail.com
Stealing Personal Information
The trojan tries to steal personal information from online banks
and on-line payment systems users. The trojan monitors open
application windows and if it finds any of the following text
strings there:
evocash
e-bullion
e-gold
mail
bank
trade
paypal
it steals information that is entered on these pages and uploads
it to the www.avestfund.info website. The trojan can also steal
e-mail addresses that are found on an infected computer.
Spreading by Using Exploits
The worm can spread to remote computers using LSASS and DCOM
exploits. The worm scans remote computers on TCP ports 445 and
135. When a vulnerable computer is found, the worm copies itself
there.
Opening an Ftp Server
The worm opens an ftp server with limited functionality on an
infected computer. When active, the worm listens on TCP port 50
and if connection is established, starts the ftp server.
Payload
The worm scans a hard drive and replaces executable files with
its dropper inside the folders that have the following substrings
in their names:
download
distr
setup
share
The original files are stored inside the '___b' folder that is
created by the worm in the root of C: drive. The worm uses its
rootkit techniques to hide this folder. As a result of this
payload, disinfection of the worm gets difficult because all
original files have to be moved back.
Additionally the worm can perform a DoS (Denial of Service)
attack against the following websites:
kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info
These sites belong to Chechen separatists who are fighting with
Russian army in Chechnya.
A message to Other Virus Writers.
The worm has the following message to other virus writers
including Mydoom and Bagle authors:
-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-
Detection for this malware was published on December 5th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-12-05_01
Technical Details:
F-Secure Anti-Virus Research Team, December 8th, 2004;
Description Updated:
F-Secure Anti-Virus Research Team, March 3rd, 2005;
F-Secure Corporation
|
![](/images/pixel.gif"){kind=tracking}
