This worm spreads via the Internet as an attachment to infected messages,
and also via file-sharing networks.
It sends itself to all email addresses harvested from the infected
computer. It also exploits the LSASS and RPC DCOM vulnerabilities to spread; these are
described in Microsoft Security Bulletins MS04-011 (LSASS) and MS03-039 (RPC DCOM)
respectively.
The worm itself is a PE EXE file approximately 49KB in size, packed using
FSG. The unpacked file is approximately 81KB in size.
The worm contains a backdoor function which receives commands via IRC
channels.
Installation
Once launched, the worm creates the following files in the Windows system
directory:
%System%\___r.exe
%System%\___j.dll
%System%\___n.EXE
%System%\___t
%System%\___AlaMail
%System%\___AlaScan
%System%\___AlaDdos
%System%\___AlaFtp
%System%\___Prior
%System%\___e
%System%\___m
%System%\___m
It then registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows DHCP" = "%System%\___r.exe"
"Microsoft Synchronization Manager" = "___synmgr.exe"
Maslan.a also creates the unique identifier "ALAxALA" to flag its presence
on the system, so that only one copy of the worm is active on a given machine.
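The two Run values above are the cheapest host-side indicator to check. The following is an added example (not part of the original description or of any vendor tool) that parses the text printed by `reg query` for the Run key and flags entries whose value name or image file name matches the worm's. On Windows it runs `reg query` itself; elsewhere it falls back to a constructed sample of that output, in which %System% is shown already expanded to C:\WINDOWS\system32.

```python
import re
import subprocess
import sys
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the description above.
MASLAN_RUN_VALUES = {"Microsoft Windows DHCP", "Microsoft Synchronization Manager"}
MASLAN_FILES = {"___r.exe", "___j.dll", "___n.exe", "___synmgr.exe"}

# Constructed sample of `reg query` output (not a capture from an infected host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Microsoft Windows DHCP    REG_SZ    C:\WINDOWS\system32\___r.exe
    Microsoft Synchronization Manager    REG_SZ    ___synmgr.exe
"""


def parse_reg_query(output):
    """Parse the text printed by `reg query <key>` into {value_name: (type, data)}.

    reg.exe prints each value indented by four spaces, with name, type and data
    separated by runs of four spaces. Value names may contain single spaces
    ("Microsoft Windows DHCP"), so split only on runs of four or more.
    """
    values = {}
    for line in output.splitlines():
        if not line.startswith("    "):
            continue  # blank line or the key path itself
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) > 2 else ""
        values[name] = (vtype, data)
    return values


def find_maslan_persistence(values):
    """Return [(value_name, data, reason), ...] for Run entries that match the worm."""
    hits = []
    for name, (_vtype, data) in values.items():
        image = PureWindowsPath(data.strip('"')).name.lower()
        if name in MASLAN_RUN_VALUES:
            hits.append((name, data, "value name used by Maslan.a"))
        elif image in MASLAN_FILES:
            hits.append((name, data, "image file dropped by Maslan.a"))
        elif "\\" not in data:
            # Heuristic (assumption, not from the description): a bare file name
            # is resolved through the search path at logon; legitimate installers
            # almost always write a full path.
            hits.append((name, data, "bare image name, no directory"))
    return hits


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["reg", "query", RUN_KEY],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_REG_OUTPUT  # offline: use the constructed sample
    for name, data, reason in find_maslan_persistence(parse_reg_query(text)):
        print(f"{name!r} -> {data!r}: {reason}")
```

A hit on the value name alone is already strong: the real DHCP client is a Windows service and is never registered under the Run key. Confirm by checking for the ___r.exe and ___j.dll files in the system directory before acting.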
Propagation via email
The worm harvests email addresses from the Microsoft Outlook address book
and also from files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
The worm does not send itself to addresses which contain the following
text strings:
abuse
acketst
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
iana
ibm.com
ietf
info
inpris
isc.o
isi.e
kernel
linux
math
me
mit.e
mozilla
mydomai
mysql
no
nobody
nodomai
noone
not
nothing
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spam
spm
submit
syma
tanford.e
test
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your
When sending infected emails, the worm attempts to establish a direct
connection to the recipients' SMTP servers rather than using the local mail server.
Infected messages
Sender (created from the following components):
Name:
accoun
admin
Alan
Andrew
Angel
Anna
Arnold
Bernard
Carter
certific
Chris
Christian
Conor
Ghisler
Goldberg
Green
Helen
Ivan
Jackson
John
Kramer
Kutcher
listserv
Liza
Lopez
Mackye
Maria
Miller
Nelson
ntivi
Peter
Robert
Ruben
Sarah
Scott
Smith
Steven
subscribe
Sender's domain:
aol.com
freemail.com
hotmail.com
mail.com
msn.com
yahoo.com
Message subject:
123
Message body:
Hello <random name>,
--Best regards,
Attachment name:
Playgirls2.exe
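The message template above is fixed enough to match at a mail gateway. The following is an added example (not part of the original description) that parses a raw RFC 822 message with Python's email module and reports which of the template's indicators it carries: a From domain from the list, the subject "123", the "Hello <name>, / --Best regards," body and the Playgirls2.exe attachment. The two sample messages are constructed with the same module for offline use and are not captured worm traffic; the From address form "Helen <helen@yahoo.com>" is an assumption, since the description only lists the name and domain components.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Indicator values taken from the message template described above.
SENDER_DOMAINS = {"aol.com", "freemail.com", "hotmail.com",
                  "mail.com", "msn.com", "yahoo.com"}
SUBJECT = "123"
ATTACHMENT = "playgirls2.exe"
# "Hello <random name>," directly followed by the "--Best regards," sign-off
BODY_RE = re.compile(r"\AHello [A-Za-z]+,\s*--Best regards,")


def maslan_indicators(raw):
    """Return the set of Maslan.a indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()

    _display, addr = email.utils.parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in SENDER_DOMAINS:
        hits.add("sender_domain")

    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.add("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and BODY_RE.search(body_part.get_content()):
        hits.add("body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif name.endswith(".exe"):
            hits.add("exe_attachment")  # not the worm's name, but worth blocking anyway
    return hits


def is_maslan(raw):
    """The attachment name alone is decisive; otherwise require the whole template."""
    hits = maslan_indicators(raw)
    return "attachment" in hits or {"sender_domain", "subject", "body"} <= hits


def build_message(sender, subject, body, attachment_name=None, payload=b""):
    """Build a constructed sample message (not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "someone@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one following the template above, one ordinary message.
INFECTED = build_message("Helen <helen@yahoo.com>", "123",
                         "Hello Andrew,\n--Best regards,\n",
                         "Playgirls2.exe", b"MZ" + b"\x00" * 64)
BENIGN = build_message("Alice <alice@example.com>", "Re: invoice",
                       "Hi Bob,\nsee attached.\n--Best regards,\nAlice\n",
                       "invoice.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED), ("benign", BENIGN)):
        print(label, sorted(maslan_indicators(raw)), is_maslan(raw))
```

The sender domain on its own proves nothing (the worm picks it from a list of common webmail providers), which is why `is_maslan` only counts it together with the subject and body.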
Payload
When using a file-sharing network to propagate, Maslan.a searches the hard disk for .exe files
in directories with the following text in their names:
share
upload
downlo
setup
distr
It then replaces each original file with a copy of itself, and copies the
originals to a directory named ___b which it creates in the root of the C: drive.
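Because every replaced file ends up with the worm's own bytes, a disk that has been hit this way shows one identical body under many different .exe names, and only under share-like directories. The following added example (not code from the original description or from any vendor) walks a tree, restricts itself to directories whose name contains one of the five fragments above (so a user's "Downloads" folder matches through "downlo"; the assumption that the worm matches on directory names is mine), hashes every .exe it finds and reports hashes shared by more than one file. It also checks for the ___b directory. The directory tree it scans is constructed in a temporary folder and stands in for a victim disk.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Directory-name fragments the worm looks for, from the description above.
SHARE_MARKERS = ("share", "upload", "downlo", "setup", "distr")


def is_share_dir(path, root):
    """True if any directory name between root and path contains a marker."""
    rel_parts = Path(path).relative_to(root).parts
    return any(m in part.lower() for part in rel_parts for m in SHARE_MARKERS)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cloned_exes(root):
    """Group .exe files under share-like directories by content hash and return
    {sha256: [paths]} for hashes shared by more than one file.

    Installers kept in a download folder are normally all different; the same
    body under several different .exe names is what the worm leaves behind after
    overwriting them with itself.
    """
    root = Path(root)
    by_hash = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_share_dir(dirpath, root):
            continue
        for fn in filenames:
            if fn.lower().endswith(".exe"):
                p = Path(dirpath) / fn
                by_hash[sha256_of(p)].append(p)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def backup_dir_present(drive_root):
    """The worm stashes the originals in <root>\\___b; its presence is a second indicator."""
    return (Path(drive_root) / "___b").is_dir()


def build_fixture():
    """Constructed directory tree standing in for a victim disk (no real samples)."""
    root = Path(tempfile.mkdtemp(prefix="maslan_demo_"))
    worm_body = b"MZ" + b"W" * 200   # stands in for the ~49KB worm image
    real_tool = b"MZ" + b"T" * 200
    files = {
        "Downloads/installer_a.exe": worm_body,    # overwritten by the worm
        "Downloads/installer_b.exe": worm_body,    # overwritten by the worm
        "Downloads/tool.exe": real_tool,           # untouched
        "Shared Folder/setup_x.exe": worm_body,    # overwritten by the worm
        "Documents/report.exe": worm_body,         # same bytes, but not a share dir
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    (root / "___b").mkdir()
    return root


if __name__ == "__main__":
    root = build_fixture()
    for digest, paths in find_cloned_exes(root).items():
        print(digest[:16], [str(p.relative_to(root)) for p in paths])
    print("___b present:", backup_dir_present(root))
```

Hash clustering is used instead of a fixed signature because the worm's hash is not known in advance to the scanner; once a cluster is found, the ___b directory is where the original files can be recovered from.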
The worm also attempts to delete a range of firewall and antivirus
applications from the victim machine.
The worm also conducts DoS attacks on the following sites:
kavkazcenter.com
kavkazcenter.net
kavkazcenter.info
kavkaz.uk.com
kavkaz.org.uk
kavkaz.tv
chechenpress.com
chechenpress.info
Remote administration
The worm opens a random TCP port on the victim machine in order to receive
commands via IRC.
Other
Maslan.a contains the following text string:
'Hah: Mydoom, Bagle, etc: since then you do not have future more!'