Threat Description

Maslan.A

Details

Category: Malware
Platform: W32
Aliases: Maslan.A, Net-Worm.Win32.Maslan.a, Maslan

Summary

Maslan is a multi-component stealth worm (it uses rootkit functionality) that drops an IRC backdoor onto a computer. It can steal personal data (spying component), organize a DoS (Denial of Service) attack, spread in e-mails, and spread to remote computers by using the LSASS and DCOM exploits. Most likely the worm was manufactured in Russia.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Installation to system

When the worm's file is run, it drops a few files into the Windows System folder:

___j.dll	- performs DDoS, opens an ftp server, scans computers
___n.exe	- IRC backdoor file
___r.exe	- main component of the worm
___u		- copy of the worm's dropper
___m		- storage for collected e-mail addresses
___e		- mime-encoded copy of the worm's dropper
___t		- ASCII file with a number (net address)

The worm can also create the following files (they indicate the action that the worm is currently performing):

___Prior	- not performing any action
___AlaMail	- spreading in e-mails
___AlaScan	- scanning for vulnerable computers
___AlaDdos	- performing a DDoS attack
___AlaFtp	- ftp server is active

The worm uses rootkit techniques to hide its presence in the system. When the worm is active in memory, all the files listed above are hidden. Moreover, all folders and files that have the string '___' (3 underscore characters) in their names are hidden as well. When viewed from the command shell (CMD.EXE), the names of the hidden files and folders are shown as a single dot character ('.').

The worm creates several startup keys for its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
"Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"
where %WinSysDir% represents the Windows System folder (for example 'C:\Windows\System32\' on a default installation of Windows).

The worm creates a mutex named 'ALAxALA' when run.
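The indicators above can be checked offline with a short script. The following is an added example written for this page (it is not F-Secure's tooling or the worm's code): it takes a directory listing of the System folder and the value name -> data pairs read from the two Run keys, both as plain Python data so it runs anywhere, and reports entries that match the dropped file names, the activity markers, the Run-key entries, or the triple-underscore naming that the rootkit hides. The function names, the sample listing and the sample Run values are constructed for the example; the mutex name appears only as a constant, because checking it requires a live Windows host.

```python
"""Offline triage for the host-level indicators in the description (added
example, not F-Secure's tooling). Inputs are plain Python data so the check
runs on any platform: feed it a listing of the Windows System folder taken
from a clean boot or a mounted image, and the value name -> data pairs read
from the HKCU and HKLM Run keys."""
from typing import Dict, Iterable, List, Tuple

# File names the description says the worm drops to the Windows System folder.
DROPPED_FILES = {
    "___j.dll": "DDoS / ftp server / scanner component",
    "___n.exe": "IRC backdoor",
    "___r.exe": "main worm component",
    "___u": "copy of the dropper",
    "___m": "collected e-mail addresses",
    "___e": "mime-encoded copy of the dropper",
    "___t": "ASCII file with a net address",
}
# Marker files whose presence shows what the worm is currently doing.
STATE_FILES = {
    "___prior": "idle",
    "___alamail": "spreading in e-mails",
    "___alascan": "scanning for vulnerable hosts",
    "___aladdos": "running a DDoS attack",
    "___alaftp": "ftp server active",
}
# Run-key value names the worm creates and the file names their data points at.
RUN_VALUE_NAMES = {"Microsoft Synchronization Manager", "Microsoft Windows DHCP"}
RUN_TARGETS = {"___synmgr.exe", "___r.exe"}
MUTEX_NAME = "ALAxALA"  # from the description; inspect with a handle viewer on a live host


def check_file_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every listing entry that matches a worm indicator."""
    findings = []
    for name in names:
        low = name.lower()
        if low in DROPPED_FILES:
            findings.append((name, "dropped file: " + DROPPED_FILES[low]))
        elif low in STATE_FILES:
            findings.append((name, "activity marker: " + STATE_FILES[low]))
        elif "___" in name:
            findings.append((name, "triple-underscore name (hidden by the rootkit while the worm runs)"))
        elif name == ".":
            # A bare '.' entry is how CMD.EXE shows the hidden names on an infected host.
            findings.append((name, "name shown as a single dot (rootkit-hidden entry)"))
    return findings


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> data for one Run key (HKCU or HKLM)."""
    hits = []
    for value_name, data in run_values.items():
        # Compare only the file name, since the data may or may not carry a full path.
        target = data.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if value_name in RUN_VALUE_NAMES and target in RUN_TARGETS:
            hits.append(f"{value_name} -> {data} (worm startup entry)")
        elif "___" in target:
            hits.append(f"{value_name} -> {data} (startup entry for a triple-underscore file)")
    return hits


def triage(listing: Iterable[str], run_values: Dict[str, str]) -> Dict[str, list]:
    """Combine both checks; empty lists mean no indicator was seen."""
    return {"files": check_file_names(listing), "run_keys": check_run_values(run_values)}


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    sample_listing = ["kernel32.dll", "___r.exe", "___AlaScan", "___tmp.log", "."]
    sample_run = {
        "Microsoft Windows DHCP": r"C:\Windows\System32\___r.exe",
        "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    }
    for section, items in triage(sample_listing, sample_run).items():
        print(section, items)
```

Because the rootkit hides these names while the worm is running, take the listing from a clean boot or from a mounted disk image; a listing captured with CMD.EXE on the infected host will show the hidden entries as '.', which the check also flags.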

Spreading in E-mails

Before spreading in e-mails the worm scans all hard drives and RAM disks for victims' e-mail addresses. The worm scans files with these extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

The worm ignores e-mail addresses with any of the following substrings:

abuse
secur
www
spam
spm
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
test
admin
ntivi
listserv
certific
accoun
subscribe
avp
syma
panda
sopho
borlan
inpris
example
mydomai
nodomai
mysqlruslis
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

The infected e-mail has the following characteristics:

Subject:
123

Body:
Hello [name]

--
Best regards,
[name]
[e-mail]

Attachment:
PlayGirls2.exe

The worm fakes the sender's address. The user's first name for the fake address is selected from the following variants:

Maria
Anna
Andrew
Liza
Alan
Robert
Ivan
Helen
Chris
Arnold
Peter
Steven
Angel
John
Mackye
Sarah
Christian

The user's last name for the fake address is selected from the following variants:

Smith
Ghisler
Carter
Lopez
Conor
Green
Goldberg
Kutcher
Kramer
Bernard
Ruben
Nelson
Jackson
Scott
Miller

The domain name for the fake address is selected from the following variants:

msn.com
yahoo.com
hotmail.com
freemail.com
mail.com
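A mail-gateway rule for the message format described above, as an added example written for this page (it is not F-Secure's code): it parses a raw message with the standard library's email package and reports the fixed subject, a sender drawn from the name and domain pools, the attachment name and the body template. The description does not give the exact format in which the worm joins the first name, last name and domain into an address, so treating any local part that contains one listed first name and one listed last name at a listed domain as a match is an assumption; the sample message, the two-indicator quarantine threshold and the function names are constructed for the example.

```python
"""Gateway check for the Maslan e-mail format (added example, not F-Secure's
code). Standard library only."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Name and domain pools the description says the worm draws the fake sender from.
FIRST_NAMES = {n.lower() for n in (
    "Maria", "Anna", "Andrew", "Liza", "Alan", "Robert", "Ivan", "Helen", "Chris",
    "Arnold", "Peter", "Steven", "Angel", "John", "Mackye", "Sarah", "Christian")}
LAST_NAMES = {n.lower() for n in (
    "Smith", "Ghisler", "Carter", "Lopez", "Conor", "Green", "Goldberg", "Kutcher",
    "Kramer", "Bernard", "Ruben", "Nelson", "Jackson", "Scott", "Miller")}
FAKE_DOMAINS = {"msn.com", "yahoo.com", "hotmail.com", "freemail.com", "mail.com"}
ATTACHMENT_NAME = "playgirls2.exe"


def sender_from_worm_lists(from_header: str) -> bool:
    """Assumption: the description does not state how the worm joins first name,
    last name and domain, so any local part containing one listed first name
    and one listed last name at a listed domain counts as a match."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    local = local.lower()
    return (domain.lower() in FAKE_DOMAINS
            and any(f in local for f in FIRST_NAMES)
            and any(s in local for s in LAST_NAMES))


def score_message(raw: bytes) -> dict:
    """Return the matched indicators and a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    if str(msg.get("Subject", "")).strip() == "123":
        indicators.append("subject is '123'")
    if sender_from_worm_lists(str(msg.get("From", ""))):
        indicators.append("sender built from the worm's name/domain lists")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            indicators.append("attachment PlayGirls2.exe")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if text.lstrip().startswith("hello") and "best regards" in text:
        indicators.append("body matches the 'Hello [name]' / 'Best regards' template")
    # Two independent indicators quarantine the message; a single one is only logged.
    verdict = "quarantine" if len(indicators) >= 2 else "log" if indicators else "pass"
    return {"indicators": indicators, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message in the format the description gives (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Maria Smith <maria.smith@msn.com>"
    m["To"] = "someone@example.org"
    m["Subject"] = "123"
    m.set_content("Hello someone\n\n--\nBest regards,\nMaria Smith\nmaria.smith@msn.com\n")
    m.add_attachment(b"MZ-placeholder-bytes-not-malware", maintype="application",
                     subtype="octet-stream", filename="PlayGirls2.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

The attachment name alone is a strong enough indicator for most gateways; the other three matter when the attachment has been renamed or stripped by an intermediate hop, which is why they are scored separately rather than folded into one rule.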

Stealing Personal Information

The trojan tries to steal personal information from users of online banks and on-line payment systems. The trojan monitors open application windows and, if it finds any of the following text strings there:

evocash
e-bullion
e-gold
mail
bank
trade
paypal

it steals the information that is entered on these pages and uploads it to the www.avestfund.info website. The trojan can also steal e-mail addresses that are found on an infected computer.

Spreading by Using Exploits

The worm can spread to remote computers using LSASS and DCOM exploits. The worm scans remote computers on TCP ports 445 and 135. When a vulnerable computer is found, the worm copies itself there.

Opening an FTP Server

The worm opens an ftp server with limited functionality on an infected computer. When active, the worm listens on TCP port 50 and, if a connection is established, starts the ftp server.
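The two network behaviours above (scanning TCP ports 445 and 135, and an ftp listener on TCP port 50) can be spotted in connection logs. The following is an added example, not F-Secure's tooling: the log line format, the 60-second window, the 10-host threshold and the sample lines are all constructed for the example. Connections to 445 and 135 are normal on a Windows domain, which is why the rule counts distinct destination hosts per source instead of alerting on single connections.

```python
"""Scan and ftp-port detector over connection-log lines (added example, not
F-Secure's tooling). Constructed line format:
  <ISO timestamp> <src ip>:<src port> -> <dst ip>:<dst port> <proto>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")
EXPLOIT_PORTS = {445: "LSASS", 135: "DCOM"}   # ports the worm scans, per the description
FTP_PORT = 50                                 # the worm's ftp listener, per the description


def parse(lines: Iterable[str]):
    """Yield (timestamp, src, dst, dport) for well-formed TCP lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(6).lower() != "tcp":
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4), int(m.group(5))


def detect(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
           min_hosts: int = 10) -> List[Tuple[str, str, str]]:
    """Return (kind, src, detail) alerts.

    port-scan  : one source reaches >= min_hosts distinct hosts on 445/135 within `window`
    ftp-port-50: any TCP connection to port 50, which is otherwise unused on most networks
    """
    per_src = defaultdict(list)
    alerts = []
    for ts, src, dst, dport in parse(lines):
        if dport in EXPLOIT_PORTS:
            per_src[src].append((ts, dst))
        elif dport == FTP_PORT:
            alerts.append(("ftp-port-50", src, f"connection to {dst}:{FTP_PORT}"))
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct destinations inside the window that opens at this event.
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("port-scan", src,
                               f"{len(hosts)} hosts on 445/135 within {int(window.total_seconds())}s"))
                break
    return alerts


def sample_log() -> List[str]:
    """Constructed log: one host sweeping port 445, two normal SMB/RPC sessions,
    one connection to port 50 and one unrelated UDP line."""
    lines = [f"2004-12-05T10:00:{i:02d} 10.0.0.5:{1040 + i} -> 10.0.1.{i + 1}:445 tcp"
             for i in range(12)]
    lines += ["2004-12-05T10:00:03 10.0.0.9:3021 -> 10.0.0.2:445 tcp",
              "2004-12-05T10:00:04 10.0.0.9:3022 -> 10.0.0.2:135 tcp",
              "2004-12-05T10:00:20 10.0.0.7:2200 -> 10.0.0.5:50 tcp",
              "2004-12-05T10:00:21 10.0.0.7:2201 -> 10.0.0.2:53 udp"]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On a real network, tune `min_hosts` and `window` against a baseline of legitimate SMB and RPC traffic before alerting; the port 50 rule needs no tuning unless something on the network already uses that port.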

Payload

The worm scans a hard drive and replaces executable files with its dropper inside the folders that have the following substrings in their names:

download
distr
setup
share

The original files are stored inside the '___b' folder that the worm creates in the root of the C: drive. The worm uses its rootkit techniques to hide this folder. As a result of this payload, disinfection of the worm becomes difficult because all the original files have to be moved back.
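Because every replaced executable is a copy of the same dropper, identical content across differently named executables inside the folder types listed above is a usable indicator even without a dropper hash. The following is an added example (not F-Secure's code) that hashes the executables in such folders, reports clusters of identical files, and checks for the '___b' folder. The sample directory tree and its placeholder file contents are constructed; treating sub-folders of a matching folder as targeted is an assumption, since the description does not say whether the worm descends into them.

```python
"""Locate executables replaced with identical copies in the folder types the
description names, and check for the '___b' backup folder (added example,
not F-Secure's code)."""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List

FOLDER_MARKERS = ("download", "distr", "setup", "share")  # from the description
BACKUP_FOLDER = "___b"                                    # created in the root of C:


def is_targeted(dirpath: str, root: str) -> bool:
    """True when any folder in the path below `root` contains a marker substring.
    Assumption: sub-folders of a matching folder are treated as matching too."""
    rel = os.path.relpath(dirpath, root)
    if rel == ".":
        return False
    return any(m in part.lower() for part in rel.split(os.sep) for m in FOLDER_MARKERS)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_executables(root: str, min_cluster: int = 2) -> Dict[str, List[str]]:
    """Map sha256 -> paths for executables in targeted folders that share content.
    Clusters smaller than `min_cluster` are dropped: a lone executable proves nothing."""
    clusters = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        if not is_targeted(dirpath, root):
            continue
        for name in filenames:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                clusters[sha256_of(path)].append(path)
    return {h: sorted(p) for h, p in clusters.items() if len(p) >= min_cluster}


def has_backup_folder(drive_root: str) -> bool:
    """The '___b' folder is rootkit-hidden on a running infected system, so run
    this from a clean boot or against a mounted image."""
    return os.path.isdir(os.path.join(drive_root, BACKUP_FOLDER))


def build_sample_tree() -> str:
    """Constructed directory tree standing in for a scanned drive."""
    root = tempfile.mkdtemp(prefix="maslan_sample_")
    dropper = b"MZ-placeholder-identical-bytes"
    layout = {
        os.path.join("Downloads", "tool.exe"): dropper,
        os.path.join("Downloads", "installer.exe"): dropper,
        os.path.join("Setup", "unique.exe"): b"MZ-different-program",
        os.path.join("Share", "readme.txt"): b"not an executable",
        os.path.join("Documents", "other.exe"): dropper,  # outside the targeted folders
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    os.makedirs(os.path.join(root, BACKUP_FOLDER))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(find_identical_executables(sample_root))
    print("backup folder present:", has_backup_folder(sample_root))
```

The layout of '___b' is not described on this page, so the script does not try to move originals back; it only lists the candidates so that the originals can be restored by hand from the backup folder once the worm is no longer active in memory.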

Additionally the worm can perform a DoS (Denial of Service) attack against the following websites:

kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info

These sites belong to Chechen separatists who are fighting with the Russian army in Chechnya.

A Message to Other Virus Writers

The worm carries the following message to other virus writers, including the Mydoom and Bagle authors:

-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-

Detection

Detection for this malware was published on December 5th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-12-05_01
Description Details: F-Secure Anti-Virus Research Team, December 8th, 2004
Description Last Modified: F-Secure Anti-Virus Research Team, March 3rd, 2005