Maslan is a multi-component stealth (uses rootkit functionality) worm that drops an IRC backdoor to a computer. It can steal personal data (spying component), organize a DoS (Denial of Service) attack, spread in emails and to remote computers by using the LSASS and DCOM exploits. Most likely the worm was manufactured in Russia.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When the worm's file is run, it drops a few files to Windows System folder:
___j.dll - performs DDoS, opens ftp server, scans computers ___n.exe - IRC backdoor file ___r.exe - main component of the worm ___u - copy of a worm's dropper ___m - storage for collected email addresses ___e - mime-encoded copy of the worm's dropper ___t - ASCII file with a number (net address)
The worm can also create the following files (they indicate actions that the worm is currently doing):
___Prior - not doing any action ___AlaMail - spreading in emails ___AlaScan - scanning for vulnerable computers ___AlaDdos - performing a DDoS attack ___AlaFtp - ftp server is active
The worm uses rootkit techniques to hide its presence in a system. When the worm is active in memory, all the above listed files are hidden. Moreover, all folders and files that have '___' (3 underscore characters) string in the their names are hidden as well. When viewed from the Command shell (CMD.EXE) the hidden files and folders names are represented by a single dot character: '.' .
The worm creates several startup keys for its files in the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Microsoft Synchronization Manager" = "___synmgr.exe" [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Microsoft Synchronization Manager" = "___synmgr.exe" "Microsoft Windows DHCP" = "%WinSysDir%\___r.exe"
where %WinSysDir% represents the Windows System folder (for example 'C:\Windows\System32\' on a default installation of Windows).
The worm creates a mutex named 'ALAxALA' when run.
Before spreading in emails the worm scans all hard drives and RAM disks for victims' email addresses. The worm scans files with these extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
The worm ignores email addresses with any of the following substrings:
abuse secur www spam spm root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page test admin ntivi listserv certific accoun subscribe avp syma panda sopho borlan inpris example mydomai nodomai mysqlruslis foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla
The infected email has the following characteristic:
Subject: 123 Body: Hello [name]-- Best regards, [name] [email] Attachment: PlayGirls2.exe
The worm fakes the sender's address. The user's first name for the fake address is selected from the following variants:
Maria Anna Andrew Liza Alan Robert Ivan Helen Chris Arnold Peter Steven Angel John Mackye Sarah Christian
The user's last name for the fake address is selected from the following variants:
Smith Ghisler Carter Lopez Conor Green Goldberg Kutcher Kramer Bernard Ruben Nelson Jackson Scott Miller
The domain name for the fake address is selected from the following variants:
msn.com yahoo.com hotmail.com freemail.com mail.com
The trojan tries to steal personal information from online banks and on-line payment systems users. The trojan monitors open application windows and if it finds any of the following text strings there:
evocash e-bullion e-gold mail bank trade paypal
it steals information that is entered on these pages and uploads it to the www.avestfund.info website. The trojan can also steal email addresses that are found on an infected computer.
The worm can spread to remote computers using LSASS and DCOM exploits. The worm scans remote computers on TCP ports 445 and 135. When a vulnerable computer is found, the worm copies itself there.
The worm opens an ftp server with limited functionality on an infected computer. When active, the worm listens on TCP port 50 and if connection is established, starts the ftp server.
The worm scans a hard drive and replaces executable files with its dropper inside the folders that have the following substrings in their names:
download distr setup share
The original files are stored inside the '___b' folder that is created by the worm in the root of C: drive. The worm uses its rootkit techniques to hide this folder. As a result of this payload, disinfection of the worm gets difficult because all original files have to be moved back.
Additionally the worm can perform a DoS (Denial of Service) attack against the following websites:
kavkazcenter.com kavkazcenter.net kavkazcenter.info kavkaz.uk.com kavkaz.org.uk kavkaz.tv chechenpress.com chechenpress.info
These sites belong to Chechen separatists who are fighting with Russian army in Chechnya.
The worm has the following message to other virus writers including Mydoom and Bagle authors:
-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-