Description:
This worm spreads by sending copies of itself as an email attachment. The email message it sends out has the following details:
Subject: %Name%
Message Body: Hello %Name%,
Best regards,
%Name%
Attachment: PlayGirls2.exe
(Note: %Name% is a variable, which this worm picks out from a list of names listed in its body.)
The worm harvests target recipients from certain files in infected computers, virtually turning affected systems into propagation launch pads.
It also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, possibly to aid its propagation.
The RPC DCOM vulnerability allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. The attack uses the RPC TCP port 135. Read more on this vulnerability in Microsoft Security Bulletin MS03-026.
This worm performs a denial of service (DoS) attack against certain Chechen and Islam Web sites by constantly sending requests to the sites.
It has backdoor functionalities. It connects to an Internet Relay Chat (IRC) server, where it waits for commands from a malicious user. It processes the commands on the local machine, giving remote users virtual control over the infected system.
It terminates certain processes associated with antivirus applications, lowering security on the affected system.
Some telltale signs of infection from this worm are as follows:
- The following error message box, which this worm displays due to an error:
- Presence of these files in the Windows system folder:
- ___r.exe
- ___n.exe
- ___synmgr.exe
- Folders that start with the string ___b, which contain copies of certain .EXE files
Administrators can check their networks for outgoing requests for the targeted sites. This worm may also cause unusual SMTP and mail server congestion. Port 135 traffic may also increase.
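The file and folder signs listed above can be checked with a short script. The following is an added example, not part of the original description; it assumes the ___b folders sit directly inside the folder being scanned, and the sample tree it builds (including the folder name ___b01) is constructed for the demonstration.

```python
import os
import tempfile

# File names the description lists for the Windows system folder.
INDICATOR_FILES = {"___r.exe", "___n.exe", "___synmgr.exe"}
# Prefix of the folders that contain copies of .EXE files.
INDICATOR_DIR_PREFIX = "___b"


def scan_system_folder(system_dir):
    """Return (files, folders) in system_dir that match the listed signs.

    Windows file names are case-insensitive, so names are compared in
    lower case. Each matching folder is reported with the .exe files in it.
    Assumption: the ___b folders are direct children of system_dir.
    """
    found_files, found_dirs = [], {}
    with os.scandir(system_dir) as entries:
        for entry in entries:
            name = entry.name.lower()
            if entry.is_file(follow_symlinks=False):
                if name in INDICATOR_FILES:
                    found_files.append(entry.name)
            elif entry.is_dir(follow_symlinks=False):
                if name.startswith(INDICATOR_DIR_PREFIX):
                    exes = sorted(f for f in os.listdir(entry.path)
                                  if f.lower().endswith(".exe"))
                    found_dirs[entry.name] = exes
    return sorted(found_files), found_dirs


def build_sample_tree(root):
    """Constructed sample layout for the demonstration, not from a real host."""
    for name in ("___r.exe", "___SYNMGR.EXE", "notepad.exe"):
        open(os.path.join(root, name), "wb").close()
    os.mkdir(os.path.join(root, "___b01"))  # constructed folder name
    open(os.path.join(root, "___b01", "setup.exe"), "wb").close()
    os.mkdir(os.path.join(root, "drivers"))  # unrelated folder, must not match


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        files, dirs = scan_system_folder(tmp)
        print("indicator files:", files)
        print("indicator folders:", dirs)
```

On a live system, pass the actual Windows system folder path to scan_system_folder instead of the temporary directory.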
This worm's body contains text challenging authors of the prevalent MYDOOM and BAGLE worms:
-{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Description created: Dec. 7, 2004 8:53:29 PM GMT -0800