

Maslan.A

Aliases: Net-Worm.Win32.Maslan.a, Maslan
Category: Malware
Platform: W32

Summary

Maslan is a multi-component worm that uses rootkit functionality to hide its files and that drops an IRC backdoor onto the infected computer. It can steal personal data (spying component), take part in DoS (Denial of Service) attacks, spread in e-mails, and spread to remote computers by using the LSASS and DCOM exploits. The worm was most likely written in Russia.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Installation to system

When the worm's file is run, it drops the following files into the Windows System folder:

___j.dll   - performs DDoS attacks, opens the FTP server, scans for computers to infect
___n.exe   - IRC backdoor
___r.exe   - main component of the worm
___u       - copy of the worm's dropper
___m       - storage for collected e-mail addresses
___e       - MIME-encoded copy of the worm's dropper
___t       - ASCII file containing a number (network address)

The worm can also create the following files; each one marks the action the worm is currently performing:

___Prior    - not performing any action
___AlaMail  - spreading in e-mails
___AlaScan  - scanning for vulnerable computers
___AlaDdos  - performing a DDoS attack
___AlaFtp   - FTP server is active

The worm uses rootkit techniques to hide its presence on the system. While the worm is active in memory, all of the files listed above are hidden. Moreover, every file and folder whose name contains the string '___' (three underscore characters) is hidden as well. When viewed from the command shell (CMD.EXE), the names of the hidden files and folders are shown as a single dot character: '.' . A directory listing that shows entries named '.' where files should be is therefore a direct sign of the rootkit component.

The worm creates several startup keys for its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Microsoft Synchronization Manager" = "___synmgr.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Microsoft Synchronization Manager" = "___synmgr.exe"
 "Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"

where %WinSysDir% represents the Windows System folder (for example 'C:\Windows\System32\' on a default installation of Windows).

The worm creates a mutex named 'ALAxALA' when run.
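The persistence entries above can be checked offline, for example against a .reg export taken from a machine booted from clean media so that the rootkit is not active. The following script is an added example written for this description; it is not F-Secure's tooling. It parses the Run keys from a .reg export and flags value names and file names that match the worm's entries, plus any Run value whose executable name contains '___'. The export text is constructed for the example, and the file-name and value-name lists are taken from the description above.

```python
"""Scan an exported Registry Run key for the Maslan.A persistence entries.

Added example (not F-Secure's tooling). It parses the text of a .reg export
of the HKCU/HKLM ...\\Run keys and flags entries that match the worm's value
names and file names. The sample export below is constructed.
"""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Value names and file names from the description.
MASLAN_VALUE_NAMES = {"Microsoft Synchronization Manager", "Microsoft Windows DHCP"}
MASLAN_FILE_NAMES = {"___synmgr.exe", "___r.exe"}

# Constructed .reg export: one legitimate entry and three Maslan entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="___synmgr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Microsoft Synchronization Manager"="___synmgr.exe"
"Microsoft Windows DHCP"="C:\\WINDOWS\\system32\\___r.exe"
'''

_KEY = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_run_values(reg_text):
    """Return (key, name, data) for every string value under a Run key."""
    out, key = [], None
    run_keys = {k.lower() for k in RUN_KEYS}
    for line in reg_text.splitlines():
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or key.lower() not in run_keys:
            continue
        m = _VALUE.match(line)
        if m:
            name = m.group(1)
            data = m.group(2).replace("\\\\", "\\")   # .reg doubles backslashes
            out.append((key, name, data))
    return out


def find_maslan_entries(reg_text):
    """Flag Run values whose name or file name matches the worm's entries.

    A value whose executable name contains '___' is flagged as well: the
    rootkit hides everything carrying that string, so no legitimate
    program has a reason to use it.
    """
    hits = []
    for key, name, data in parse_run_values(reg_text):
        exe = data.rsplit("\\", 1)[-1].strip('"').lower()
        if name in MASLAN_VALUE_NAMES or exe in MASLAN_FILE_NAMES or "___" in exe:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_maslan_entries(SAMPLE_REG):
        print(f"{key}\n  {name!r} = {data!r}")
```

Run the export through find_maslan_entries(); on a live infected system the same keys should also be read from a clean boot, because the rootkit can hide or alter what the running system reports. The mutex name 'ALAxALA' is a second indicator that can be checked from memory before cleaning.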


Spreading in E-mails

Before spreading in e-mails, the worm scans all hard drives and RAM disks for victims' e-mail addresses. It scans files with the following extensions:

adb, asp, cfg, cgi, dbx, dhtm, eml, htm, jsp, mbx, mdx, mht, mmf, msg, nch,
ods, oft, php, pl, sht, shtm, stm, tbb, txt, uin, wab, wsh, xls, xml

The worm ignores e-mail addresses with any of the following substrings:

abuse, secur, www, spam, spm, root, info, samples, postmaster, webmaster,
noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating,
site, contact, soft, no, somebody, privacy, service, help, not, submit,
feste, ca, gold-certs, the.bat, page, test, admin, ntivi, listserv, certific,
accoun, subscribe, avp, syma, panda, sopho, borlan, inpris, example, mydomai,
nodomai, mysqlruslis, foo., berkeley, unix, math, bsd, mit.e, gnu, fsf.,
ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail,
arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla

The infected e-mail has the following characteristics:

Subject:
 123

Body:
 Hello <name>
 --
 Best regards,
 <name> <e-mail>

Attachment:
 PlayGirls2.exe

The worm fakes the sender's address. The first name for the fake address is selected from the following variants:

Maria, Anna, Andrew, Liza, Alan, Robert, Ivan, Helen, Chris, Arnold, Peter,
Steven, Angel, John, Mackye, Sarah, Christian

The last name for the fake address is selected from the following variants:

Smith, Ghisler, Carter, Lopez, Conor, Green, Goldberg, Kutcher, Kramer,
Bernard, Ruben, Nelson, Jackson, Scott, Miller

The domain name for the fake address is selected from the following variants:

msn.com, yahoo.com, hotmail.com, freemail.com, mail.com

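The message format is fixed enough to be matched at a mail gateway. The following script is an added example for this description, not F-Secure's detection. It parses a raw RFC 822 message with the Python standard library and scores it against the Subject, the attachment name and the first-name/last-name/domain lists above; two independent matches are required so that a legitimate message whose subject happens to be "123" is not blocked on its own. Both sample messages are constructed. The description does not say how the name parts are joined in the spoofed address, so accepting "first.last", "first_last" and "firstlast" is an assumption.

```python
"""Mail-gateway check for the Maslan.A message described above.

Added example; not F-Secure's detection logic. Parses a raw RFC 822 message
and scores it against the worm's fixed Subject, attachment name and the
spoofed-sender name/domain lists. Sample messages are constructed; the
local-part layout of the spoofed sender is an assumption.
"""
from email import message_from_string, policy
from email.utils import parseaddr

FIRST_NAMES = {"maria", "anna", "andrew", "liza", "alan", "robert", "ivan",
               "helen", "chris", "arnold", "peter", "steven", "angel", "john",
               "mackye", "sarah", "christian"}
LAST_NAMES = {"smith", "ghisler", "carter", "lopez", "conor", "green",
              "goldberg", "kutcher", "kramer", "bernard", "ruben", "nelson",
              "jackson", "scott", "miller"}
DOMAINS = {"msn.com", "yahoo.com", "hotmail.com", "freemail.com", "mail.com"}
SUBJECT = "123"
ATTACHMENT = "playgirls2.exe"


def spoofed_sender(from_header):
    """True if From: is <first><sep><last>@<domain> built from the worm's lists."""
    addr = parseaddr(from_header)[1].lower()
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    if domain not in DOMAINS:
        return False
    local = local.replace(".", "").replace("_", "")   # assumed separators
    return any(local == first + last for first in FIRST_NAMES for last in LAST_NAMES)


def maslan_indicators(raw_message):
    """Return the list of worm characteristics present in the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    if spoofed_sender(msg["From"] or ""):
        hits.append("sender")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def is_maslan_mail(raw_message):
    """Require two independent characteristics before treating mail as Maslan."""
    return len(maslan_indicators(raw_message)) >= 2


# Constructed sample: the worm's message as described.
SAMPLE_MAIL = """\
From: Maria Smith <maria.smith@yahoo.com>
To: bob@msn.com
Subject: 123
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello bob
--
Best regards,
Maria Smith  maria.smith@yahoo.com

--b1
Content-Type: application/octet-stream; name="PlayGirls2.exe"
Content-Disposition: attachment; filename="PlayGirls2.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: a benign message that shares only the Subject.
BENIGN_MAIL = """\
From: Maria Smith <maria.smith@corp.example>
To: bob@msn.com
Subject: 123
Content-Type: text/plain

Hello Bob, ticket 123 is closed.
"""

if __name__ == "__main__":
    print("sample:", maslan_indicators(SAMPLE_MAIL), is_maslan_mail(SAMPLE_MAIL))
    print("benign:", maslan_indicators(BENIGN_MAIL), is_maslan_mail(BENIGN_MAIL))
```

The attachment-name check alone is the strongest single signal; the sender check is weaker because the same free-mail domains carry legitimate traffic, which is why the function requires two matches.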

Stealing Personal Information

The spying component tries to steal personal information from users of online banks and online payment systems. It monitors open application windows and, if it finds any of the following text strings in a window:

evocash, e-bullion, e-gold, mail, bank, trade, paypal

it captures the information entered on that page and uploads it to the www.avestfund.info website. Outbound connections to that host from an internal machine are therefore an indicator worth alerting on. The spying component can also steal e-mail addresses found on the infected computer.


Spreading by Using Exploits

The worm can spread to remote computers using the LSASS (MS04-011) and DCOM RPC (MS03-026) exploits. It scans remote computers on TCP ports 445 and 135 and, when a vulnerable computer is found, copies itself there.


Opening an FTP Server

The worm opens an FTP server with limited functionality on the infected computer. When active, the worm listens on TCP port 50 and, once a connection is established, starts serving FTP on it.
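Both the exploit scanning and the FTP listener are visible in connection logs: one internal host reaching many neighbours on TCP 135/445 within seconds, and inbound connections to TCP 50, a port not normally in use. The following script is an added example for this description, not a vendor detection. It works on connection records of the form (epoch seconds, source IP, destination IP, destination port); the records, the time window and the target threshold are constructed assumptions to be tuned for a real network.

```python
"""Flow-log check for Maslan.A's scanning and its FTP listener.

Added example, not the vendor's detection. Flags sources that reach many
distinct hosts on TCP 135/445 inside a short window (the worm's LSASS/DCOM
scan) and lists hosts that accept connections on TCP 50 (the worm's FTP
server). Records, window and threshold are constructed assumptions.
"""
from collections import defaultdict

EXPLOIT_PORTS = {135, 445}
FTP_PORT = 50


def find_scanners(flows, min_targets=10, window=60):
    """Return {src: most distinct 135/445 targets seen in any `window` seconds}
    for every source that reaches at least `min_targets` hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in EXPLOIT_PORTS:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts <= t0 + window}
            best = max(best, len(targets))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def find_ftp_listeners(flows):
    """Hosts that received a connection on TCP 50."""
    return sorted({dst for _, _, dst, dport in flows if dport == FTP_PORT})


# Constructed flows: one infected host sweeping 12 neighbours on 135/445 in
# 12 seconds, one normal client touching two file servers ten minutes apart,
# and one external host connecting to the infected machine's FTP port.
SAMPLE_FLOWS = (
    [(1102200000 + i, "10.0.0.5", f"10.0.0.{20 + i}", 445 if i % 2 else 135)
     for i in range(12)]
    + [(1102200100, "10.0.0.9", "10.0.0.2", 445),
       (1102200700, "10.0.0.9", "10.0.0.3", 445)]
    + [(1102200200, "192.0.2.7", "10.0.0.5", 50)]
)

if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_FLOWS))
    print("ftp listeners:", find_ftp_listeners(SAMPLE_FLOWS))
```

The sliding window is what separates the worm's sweep from a normal client that reaches several file servers over a working day; the threshold of ten distinct targets in a minute is a starting point, not a measured value.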


Payload

The worm scans the hard drive and replaces executable files with its dropper inside folders whose names contain any of the following substrings:

download, distr, setup, share

The original files are stored inside the '___b' folder that the worm creates in the root of the C: drive; the worm's rootkit techniques hide this folder. This payload makes disinfection harder, because every original file has to be moved back from '___b' after the dropper copies are removed.
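Because every replaced program is overwritten with the same dropper, the affected files are byte-identical to each other, and that can be used to find them even without a hash of the dropper. The following script is an added example for this description, not F-Secure's disinfection tool. It hashes the .exe files under folders whose path contains one of the worm's target substrings and reports hashes that occur in more than one folder. The directory tree is constructed for the example; the page does not describe the layout of '___b', so restoring the originals is left to the operator.

```python
"""Find executables replaced by the Maslan.A dropper.

Added example, not F-Secure's disinfection tool. Heuristic: the worm
overwrites every target with the same dropper, so byte-identical .exe files
across the targeted folders are the suspects. The tree is constructed and
the folder threshold is an assumption.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

TARGET_SUBSTRINGS = ("download", "distr", "setup", "share")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cloned_executables(root, min_folders=2):
    """Return {sha256: [paths]} for .exe files under folders whose path
    contains one of the worm's target substrings, keeping only hashes
    that occur in at least `min_folders` different folders."""
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower()
        if not any(s in rel for s in TARGET_SUBSTRINGS):
            continue
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                groups[sha256_file(path)].append(path)
    return {h: sorted(paths) for h, paths in groups.items()
            if len({os.path.dirname(p) for p in paths}) >= min_folders}


def build_sample_tree(root):
    """Constructed tree: three replaced executables sharing one body, one
    untouched executable, and one dropper copy outside the target folders."""
    dropper = b"MZ" + b"\x90" * 64 + b"constructed-dropper-body"
    files = {
        "Downloads/tool.exe": dropper,
        "distr/app/setup.exe": dropper,
        "share/utils/zip.exe": dropper,
        "share/utils/notes.exe": b"MZ" + b"legitimate-program-body",
        "Program Files/Editor/editor.exe": dropper,
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


def scan_sample_tree():
    """Build the constructed tree in a temp dir and return the suspect groups
    with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {h: [os.path.relpath(p, root) for p in paths]
                for h, paths in find_cloned_executables(root).items()}


if __name__ == "__main__":
    for digest, paths in scan_sample_tree().items():
        print(digest)
        for p in paths:
            print("  ", p)
```

On a real system run this from a clean boot, since the rootkit hides the '___b' folder and may interfere with file enumeration while the worm is active; the editor.exe copy in the sample is deliberately outside the target folders to show that the folder filter, not the hash alone, decides what is reported.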

Additionally, the worm can perform a DoS (Denial of Service) attack against the following websites:

kavkazcenter.com, kavkazcenter.net, kavkazcenter.info, kavkaz.uk.com,
kavkaz.org.uk, kavkaz.tv, chechenpress.com, chechenpress.info

These sites belong to Chechen separatists who are fighting against the Russian army in Chechnya. Sustained outbound traffic from an internal host to any of these domains is another indicator of an active infection.


A Message to Other Virus Writers

The worm contains the following message to other virus writers, including the Mydoom and Bagle authors:

-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-



Detection

Detection for this malware was published on December 5th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-12-05_01



Description Created: F-Secure Anti-Virus Research Team, December 8th, 2004
Description Last Modified: F-Secure Anti-Virus Research Team, March 3rd, 2005


