Wilders Security Forums  

December 10th, 2004, 04:23 PM
Randy_Bell
Updates Team
Join Date: May 2002
Location: Santa Clara, CA
Posts: 3,053

WORM_MASLAN.A

WORM_MASLAN.A is a memory-resident worm that spreads via email, and typically arrives in an attachment called "PlayGirls2.exe". The worm harvests target recipients from certain files found in the system. It also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, possibly to aid in its propagation. In addition, this worm has backdoor functionalities that allow remote users to gain virtual control over the infected system. It terminates certain processes associated with antivirus applications, lowering security on the affected system. It also performs denial of service (DoS) attacks on certain Web sites. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops the following component files in the Windows system folder: ___r.exe, ___n.exe, ___synmgr.exe. It creates two autostart registry entries that allow it to automatically execute at every Windows startup. But, an error in the program then prompts the operating system to report an error message. Clicking OK in the error message terminates the worm component. This worm's code allows it to propagate via email. It gathers email addresses from files with the following extensions, and sends itself: adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php sht shtm stm tbb txt uin wab wsh xls xml

The email it sends contains the following details:

Subject: <Name>

Message Body: Hello <Name>,
Best regards,
<Name>

Attachment: PlayGirls2.exe

<Name> is one of the following: Alan Andrew Angel Anna Arnold Bernard Carter Chris Christian Conor Ghisler Goldberg Green Helen Ivan Jackson John Kramer Kutcher Liza Lopez Mackye Maria Miller Nelson Peter Robert Ruben Sarah Scott Smith Steven

This worm also has backdoor functionalities that allow it to connect to an IRC server, where it listens for commands from a remote user, allowing the remote user to perform the following functions: Download and execute files; Log keystrokes; Perform denial of service attack through SYN flooding; Terminate processes; Update itself; Exploit

WORM_MASLAN.A also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability to remotely execute programs in vulnerable systems. The RPC DCOM Buffer Overflow (MS03-026) allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. Read more on this vulnerability from Microsoft Security Bulletin MS03-026 at http://www.microsoft.com/technet/sec.../ms03-026.mspx.

The worm also terminates several processes associated with antivirus applications, and performs a Denial of Service attack on the following Web sites: chechenpress.com, chechenpress.info, kavkaz.org.uk, kavkaz.tv, kavkaz.uk.com, kavkazcenter.com, kavkazcenter.info, kavkazcenter.net

This worm also searches the Program Files folder and its subdirectories for .EXE files with a path that contains any of the following substrings: distr; download; setup; share

When such an .EXE file is found, it recreates the path of the file in the ___b directory and copies the file afterward. The file’s contents are then replaced with zeroes.

The following text strings are found in the worm body:
-{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-

If you would like to scan your computer for WORM_MASLAN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_MASLAN.A is detected and cleaned by Trend Micro pattern file #2.286.10 and above.
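A mail-gateway check built from the template details given in the post (subject equal to one of the listed names, the two-line "Hello <Name>, / Best regards, / <Name>" body, and a PlayGirls2.exe attachment), added here as an example and not code from the post or from Trend Micro. The two sample messages are constructed, and the two-indicator threshold is this example's own choice.

```python
import email
import re

# Indicator values below come from the post; the sample mails are constructed for this example.
MASLAN_NAMES = {"Alan", "Andrew", "Angel", "Anna", "Arnold", "Bernard", "Carter", "Chris", "Christian",
                "Conor", "Ghisler", "Goldberg", "Green", "Helen", "Ivan", "Jackson", "John", "Kramer",
                "Kutcher", "Liza", "Lopez", "Mackye", "Maria", "Miller", "Nelson", "Peter", "Robert",
                "Ruben", "Sarah", "Scott", "Smith", "Steven"}
MASLAN_ATTACHMENT = "playgirls2.exe"
# The whole text body is "Hello <Name>," / "Best regards," / "<Name>" and nothing else.
BODY_RE = re.compile(r"^\s*Hello (\w+),\s*Best regards,\s*(\w+)\s*$")


def _text_body(msg):
    """First text/plain part; walk() yields the message itself when it is single-part."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(errors="replace")
    return ""


def maslan_indicators(raw):
    """Return the MASLAN.A template indicators matched by a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in MASLAN_NAMES:
        hits.append("subject-is-template-name")
    m = BODY_RE.match(_text_body(msg))
    if m and m.group(1) in MASLAN_NAMES and m.group(2) in MASLAN_NAMES:
        hits.append("body-matches-template")
    if any((p.get_filename() or "").lower() == MASLAN_ATTACHMENT for p in msg.walk()):
        hits.append("attachment-playgirls2.exe")
    return hits


def is_maslan_mail(raw):
    """Flag only when two or more independent indicators match, to limit false positives."""
    return len(maslan_indicators(raw)) >= 2


# Constructed samples: one message built on the worm's template, one ordinary message.
SAMPLE_WORM_MAIL = (
    'Subject: Peter\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nHello Peter,\nBest regards,\nPeter\n"
    '--b1\nContent-Type: application/octet-stream; name="PlayGirls2.exe"\n\nMZ\n--b1--\n'
)
SAMPLE_BENIGN_MAIL = "Subject: Meeting notes\nContent-Type: text/plain\n\nHello Peter,\nBest regards,\nAnna\n"
```

The benign sample deliberately shares the body layout so that a single indicator on its own does not trip the filter.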