Maslan.A

ALIAS:Net-Worm.Win32.Maslan.a, Maslan

Summary

Maslan is a multi-component stealth worm (it uses rootkit functionality) that drops an IRC backdoor onto a computer. It can steal personal data (spying component), organize a DoS (Denial of Service) attack, and spread in e-mails and to remote computers by using the LSASS and DCOM exploits. Most likely the worm was manufactured in Russia.

Additional Details

Installation to system

When the worm's file is run, it drops a few files to the Windows System folder:

___j.dll - performs DDoS, opens the ftp server, scans computers
___n.exe - IRC backdoor file
___r.exe - main component of the worm
___u - copy of the worm's dropper
___m - storage for collected e-mail addresses
___e - MIME-encoded copy of the worm's dropper
___t - ASCII file with a number (net address)

The worm can also create the following files (they indicate actions that the worm is currently doing):

___Prior - not doing any action
___AlaMail - spreading in e-mails
___AlaScan - scanning for vulnerable computers
___AlaDdos - performing a DDoS attack
___AlaFtp - ftp server is active

The worm uses rootkit techniques to hide its presence in the system. When the worm is active in memory, all the files listed above are hidden. Moreover, all folders and files that have the string '___' (three underscore characters) in their names are hidden as well. When viewed from the command shell (CMD.EXE), the names of the hidden files and folders are shown as a single dot character ('.').

The worm creates several startup keys for its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
"Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"

where %WinSysDir% represents the Windows System folder (for example 'C:\Windows\System32\' on a default installation of Windows).

The worm creates a mutex named 'ALAxALA' when run.
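As an added defender-side example (not code from this description or from F-Secure), the following Python checks a System folder listing and the Run key values for the indicators listed above; the cross-view comparison of an offline listing against a live one, and the sample data, are assumptions.

```python
# Added example, not code from the F-Secure description: checks for the
# installation indicators listed above, run over constructed sample data.

# Indicators taken from the description.
RUN_VALUES = {
    "Microsoft Synchronization Manager": "___synmgr.exe",
    "Microsoft Windows DHCP": "___r.exe",
}
COMPONENTS = {"___j.dll", "___n.exe", "___r.exe", "___u", "___m", "___e", "___t"}
STATE_MARKERS = {"___Prior", "___AlaMail", "___AlaScan", "___AlaDdos", "___AlaFtp"}


def classify(name):
    """Label a System-folder entry, or None if it matches no indicator."""
    base = name.rsplit("\\", 1)[-1]
    if base in COMPONENTS:
        return "dropped component"
    if base in STATE_MARKERS:
        return "activity marker"
    if "___" in base:
        return "triple-underscore name (hidden by the rootkit)"
    return None

def cross_view(offline_listing, live_listing):
    """Cross-view check: entries present in an offline listing (mounted image or
    clean boot) but absent from the live listing are rootkit-hiding candidates.
    CMD shows hidden names as a single '.', so those entries are counted too."""
    live = set(live_listing)
    hidden = {e: classify(e) or "unknown hidden entry"
              for e in offline_listing if e not in live}
    return hidden, live_listing.count(".")

def check_run_values(run_values):
    """Run-key value names whose data ends in one of the worm's file names."""
    return sorted(n for n, data in run_values.items()
                  if n in RUN_VALUES and data.lower().endswith(RUN_VALUES[n].lower()))


# Constructed sample data (not from a real infection).
OFFLINE = ["kernel32.dll", "___r.exe", "___j.dll", "___AlaScan", "___keep", "notepad.exe"]
LIVE = ["kernel32.dll", ".", ".", ".", ".", "notepad.exe"]
RUN = {"Microsoft Windows DHCP": r"C:\Windows\System32\___r.exe",
       "Microsoft Synchronization Manager": "___synmgr.exe",
       "ctfmon.exe": "ctfmon.exe"}

if __name__ == "__main__":
    hidden, masked = cross_view(OFFLINE, LIVE)
    for entry, label in hidden.items():
        print("hidden:", entry, "-", label)
    print("entries shown as '.':", masked, "| suspicious Run values:", check_run_values(RUN))
```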



Spreading in E-mails

Before spreading in e-mails, the worm scans all hard drives and RAM disks for victims' e-mail addresses. It scans files with these extensions:

adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
The worm ignores e-mail addresses with any of the following substrings:

abuse secur www spam spm root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page test admin ntivi listserv certific accoun subscribe avp syma panda sopho borlan inpris example mydomai nodomai mysqlruslis foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla
The infected e-mail has the following characteristics:

Subject: 123
Body: Hello <name>
-- Best regards, <name> <e-mail>
Attachment: PlayGirls2.exe
The worm fakes the sender's address. The user's first name for the fake address is selected from the following variants:

Maria Anna Andrew Liza Alan Robert Ivan Helen Chris Arnold Peter Steven Angel John Mackye Sarah Christian
The user's last name for the fake address is selected from the following variants:

Smith Ghisler Carter Lopez Conor Green Goldberg Kutcher Kramer Bernard Ruben Nelson Jackson Scott Miller
The domain name for the fake address is selected from the following variants:

msn.com yahoo.com hotmail.com freemail.com mail.com
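An added mail-gateway check (not code from this description or from F-Secure) that scores a raw message against the subject, body template, attachment name and faked-sender lists given above; the sample message is constructed, and since the description does not give the exact layout of the faked local part, the sender check is an assumption that only requires a listed first and last name to appear in it.

```python
# Added example, not from the F-Secure description: a mail-gateway check for the
# message characteristics and faked-sender pattern described above.
import email
from email import policy
from email.utils import parseaddr

# Indicator lists copied from the description.
FIRST_NAMES = {n.lower() for n in ("Maria Anna Andrew Liza Alan Robert Ivan Helen Chris "
                                   "Arnold Peter Steven Angel John Mackye Sarah Christian").split()}
LAST_NAMES = {n.lower() for n in ("Smith Ghisler Carter Lopez Conor Green Goldberg "
                                  "Kutcher Kramer Bernard Ruben Nelson Jackson Scott Miller").split()}
FAKE_DOMAINS = {"msn.com", "yahoo.com", "hotmail.com", "freemail.com", "mail.com"}

def maslan_score(raw_message):
    """Return (score, reasons); each matched characteristic adds one point."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() == "123":
        reasons.append("subject is '123'")
    if any((p.get_filename() or "").lower() == "playgirls2.exe"
           for p in msg.iter_attachments()):
        reasons.append("attachment PlayGirls2.exe")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if text.lstrip().startswith("Hello ") and "Best regards," in text:
        reasons.append("'Hello <name>' / 'Best regards' body template")
    # Assumption: local-part layout unknown, so only require both names to occur.
    local, _, domain = parseaddr(str(msg["From"] or ""))[1].lower().partition("@")
    if domain in FAKE_DOMAINS and any(f in local for f in FIRST_NAMES) \
            and any(l in local for l in LAST_NAMES):
        reasons.append("sender built from the worm's name and domain lists")
    return len(reasons), reasons

# Constructed sample message (not a real capture).
SAMPLE = """\
From: Maria Smith <maria_smith@yahoo.com>
Subject: 123
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello user
-- Best regards, Maria Smith maria_smith@yahoo.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="PlayGirls2.exe"

placeholder, not a real attachment
--b1--
"""
```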


Stealing Personal Information

The trojan tries to steal personal information from users of online banks and online payment systems. The trojan monitors open application windows and, if it finds any of the following text strings there:

evocash e-bullion e-gold mail bank trade paypal
it steals information that is entered on these pages and uploads it to the www.avestfund.info website. The trojan can also steal e-mail addresses that are found on an infected computer.



Spreading by Using Exploits

The worm can spread to remote computers using LSASS and DCOM exploits. The worm scans remote computers on TCP ports 445 and 135. When a vulnerable computer is found, the worm copies itself there.



Opening an Ftp Server

The worm opens an ftp server with limited functionality on an infected computer. When active, the worm listens on TCP port 50 and, if a connection is established, starts the ftp server.
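An added flow-log sweep (not code from this description or from F-Secure) for the two network behaviours described in the last two sections: scanning of TCP ports 445 and 135, and sessions accepted on TCP port 50. The flow record shape, the threshold and window values, and the sample flows are assumptions.

```python
# Added example, not from the F-Secure description: a flow-log sweep for the two
# network behaviours described above (445/135 scanning and the ftp service on
# TCP port 50), run over constructed connection records.
from collections import defaultdict

EXPLOIT_PORTS = {445, 135}  # LSASS and DCOM targets named in the description
FTP_PORT = 50               # the worm's limited ftp server
SCAN_THRESHOLD = 8          # distinct targets per source per window (assumed tuning)
WINDOW = 60.0               # seconds (assumed tuning)


def find_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Sources that tried at least `threshold` distinct hosts on 445 or 135 within
    `window` seconds. Each flow is (ts, src, dst, dport, established)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in EXPLOIT_PORTS:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners[src] = len(targets)
                break
    return scanners


def find_port50_listeners(flows):
    """Hosts that accepted a connection on TCP 50, a port a workstation does not
    normally serve; an established session there points at the destination."""
    return sorted({dst for _, _, dst, dport, est in flows if dport == FTP_PORT and est})


# Constructed sample flows (not real traffic): 10.0.0.5 sweeps a /24 on 445 and
# answers on port 50; 10.0.0.9 makes a few ordinary SMB connections.
FLOWS = [(1000.0 + i, "10.0.0.5", f"10.0.1.{i}", 445, False) for i in range(1, 13)]
FLOWS += [(1000.0 + 30 * i, "10.0.0.9", f"10.0.2.{i}", 445, True) for i in range(1, 5)]
FLOWS += [(1100.0, "10.0.3.7", "10.0.0.5", 50, True),
          (1101.0, "10.0.3.8", "10.0.0.5", 80, True)]

if __name__ == "__main__":
    print("scanners (src -> distinct targets):", find_scanners(FLOWS))
    print("port-50 listeners:", find_port50_listeners(FLOWS))
```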



Payload

The worm scans the hard drive and replaces executable files with its dropper inside folders that have the following substrings in their names:

download distr setup share
The original files are stored inside the '___b' folder that the worm creates in the root of the C: drive. The worm uses its rootkit techniques to hide this folder. As a result of this payload, disinfecting the worm becomes difficult because all original files have to be moved back.

Additionally, the worm can perform a DoS (Denial of Service) attack against the following websites:

kavkazcenter.com kavkazcenter.net kavkazcenter.info kavkaz.uk.com kavkaz.org.uk kavkaz.tv chechenpress.com chechenpress.info
These sites belong to Chechen separatists who are fighting the Russian army in Chechnya.



A Message to Other Virus Writers

The worm contains the following message to other virus writers, including the Mydoom and Bagle authors:

-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-



Detection

Detection for this malware was published on December 5th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]
Version=2004-12-05_01



Technical Details: F-Secure Anti-Virus Research Team, December 8th, 2004;

Description Updated: F-Secure Anti-Virus Research Team, March 3rd, 2005;