Home > Threat descriptions >

Maslan.A

Classification

Category: Malware

Type: -

Aliases: Maslan.A, Net-Worm.Win32.Maslan.a, Maslan

Summary


Maslan is a multi-component stealth (uses rootkit functionality) worm that drops an IRC backdoor to a computer. It can steal personal data (spying component), organize a DoS (Denial of Service) attack, spread in emails and to remote computers by using the LSASS and DCOM exploits. Most likely the worm was manufactured in Russia.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Installation to system

When the worm's file is run, it drops a few files to Windows System folder:

___j.dll	- performs DDoS, opens ftp server, scans computers
___n.exe	- IRC backdoor file
___r.exe	- main component of the worm
___u		- copy of a worm's dropper
___m		- storage for collected email addresses
___e		- mime-encoded copy of the worm's dropper
___t		- ASCII file with a number (net address)
 

The worm can also create the following files (they indicate actions that the worm is currently doing):

___Prior	- not doing any action
___AlaMail	- spreading in emails
___AlaScan	- scanning for vulnerable computers
___AlaDdos	- performing a DDoS attack
___AlaFtp
- ftp server is active
 

The worm uses rootkit techniques to hide its presence in a system. When the worm is active in memory, all the above listed files are hidden. Moreover, all folders and files that have '___' (3 underscore characters) string in the their names are hidden as well. When viewed from the Command shell (CMD.EXE) the hidden files and folders names are represented by a single dot character: '.' .

The worm creates several startup keys for its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager" = "___synmgr.exe"
"Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"
 

where %WinSysDir% represents the Windows System folder (for example 'C:\Windows\System32\' on a default installation of Windows).

The worm creates a mutex named 'ALAxALA' when run.

Spreading in emails

Before spreading in emails the worm scans all hard drives and RAM disks for victims' email addresses. The worm scans files with these extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

The worm ignores email addresses with any of the following substrings:

abuse
secur
www
spam
spm
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
test
admin
ntivi
listserv
certific
accoun
subscribe
avp
syma
panda
sopho
borlan
inpris
example
mydomai
nodomai
mysqlruslis
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

The infected email has the following characteristic:

Subject:
123 Body:
 Hello [name]--
Best regards,
[name] 
[email]
 Attachment:
 PlayGirls2.exe

The worm fakes the sender's address. The user's first name for the fake address is selected from the following variants:

Maria
Anna
Andrew
Liza
Alan
Robert
Ivan
Helen
Chris
Arnold
Peter
Steven
Angel
John
Mackye
Sarah
Christian

The user's last name for the fake address is selected from the following variants:

Smith
Ghisler
Carter
Lopez
Conor
Green
Goldberg
Kutcher
Kramer
Bernard
Ruben
Nelson
Jackson
Scott
Miller

The domain name for the fake address is selected from the following variants:

msn.com
yahoo.com
hotmail.com
freemail.com
mail.com
Stealing Personal Information

The trojan tries to steal personal information from online banks and on-line payment systems users. The trojan monitors open application windows and if it finds any of the following text strings there:

evocash
e-bullion
e-gold
mail
bank
trade
paypal

it steals information that is entered on these pages and uploads it to the www.avestfund.info website. The trojan can also steal email addresses that are found on an infected computer.

Spreading by Using Exploits

The worm can spread to remote computers using LSASS and DCOM exploits. The worm scans remote computers on TCP ports 445 and 135. When a vulnerable computer is found, the worm copies itself there.

Opening an FTP Server

The worm opens an ftp server with limited functionality on an infected computer. When active, the worm listens on TCP port 50 and if connection is established, starts the ftp server.

Payload

The worm scans a hard drive and replaces executable files with its dropper inside the folders that have the following substrings in their names:

download
distr
setup
share

The original files are stored inside the '___b' folder that is created by the worm in the root of C: drive. The worm uses its rootkit techniques to hide this folder. As a result of this payload, disinfection of the worm gets difficult because all original files have to be moved back.

Additionally the worm can perform a DoS (Denial of Service) attack against the following websites:

kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info

These sites belong to Chechen separatists who are fighting with Russian army in Chechnya.

A message to Other Virus Writers.

The worm has the following message to other virus writers including Mydoom and Bagle authors:

-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-