Alias:
Type: Worm
Size: 54.784 Bytes
Origin:
Date: 12-06-2004
Damage:
VDF Version: 6.28.00.107
Danger: Medium
Distribution: Medium

General Description
Affected platforms: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Symptoms
Damage routine:
- email sending;
- takes advantage of the LSASS security vulnerability.

Distribution
Worm/Maslan.B carries its own SMTP engine, which allows it to send itself without relying on an installed mail client. It collects all email addresses found on the system and stores them in the file "___m" so that it can mail itself to them later.

The email has the following structure:

FROM: %spoofed%

SUBJECT:
123

BODY:
Hello %random_name%,--Best regards,

ATTACHMENT:
PlayGirls_2.exe

Technical Details
When Worm/Maslan.B is executed, it creates the following files; they remain a hazard to the user for as long as the worm is active in the working directory (a size given as "~ bytes" is variable):

- \%SystemDIR%\___u (filesize: 54.784 bytes)
- \%SystemDIR%\___r.exe (filesize: 49.445 bytes)
- \%SystemDIR%\___j.dll (filesize: 21.504 bytes)
- \%SystemDIR%\___n.EXE (filesize: 15.872 bytes)
- \%SystemDIR%\___synmgr.exe (filesize: 15.872 bytes)
- \%SystemDIR%\___t (filesize: ~ bytes)
- \%SystemDIR%\___Prior (filesize: ~ bytes)
- \%SystemDIR%\___e (filesize: 74.972 bytes)
- \%SystemDIR%\___m (filesize: ~ bytes)
- \%WindowDIR%\a (filesize: approx. 57 bytes, batch file)
- \%SystemDIR%\AlaFtp (filesize: ~ bytes)
- \%SystemDIR%\AlaDdos (filesize: ~ bytes)
- \%SystemDIR%\AlaScan (filesize: ~ bytes)
- \%SystemDIR%\AlaMail (filesize: ~ bytes)
- c:\___b\*.*

The worm creates the following entries in the Windows registry so that it is started again at every boot or logon:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="___synmgr.exe"
"Microsoft Windows DHCP"="\%WindowDIR%\___r.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Synchronization Manager"="___synmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="___synmgr.exe"
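Added here as a defender-side triage check, not code from the Avira description: the Python below parses a .reg-style export of the autostart keys listed above and flags the worm's Run/RunServices values, and matches a file listing against the dropped file names from the file list earlier on the page. The registry export text and the file paths are constructed samples; the key paths, value names and file names are the ones the description gives.

```python
import re

# Autostart keys and values from the Avira description of Worm/Maslan.B (keys lower-cased for matching)
MASLAN_RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
                   r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
                   r"hkey_current_user\software\microsoft\windows\currentversion\run"}
MASLAN_RUN_VALUES = {"Microsoft Synchronization Manager": "___synmgr.exe",
                     "Microsoft Windows DHCP": "___r.exe"}
# Dropped file names; the generic "a" batch file and c:\___b are left out to avoid false positives
MASLAN_DROPPED_FILES = {"___u", "___r.exe", "___j.dll", "___n.exe", "___synmgr.exe", "___t",
                        "___prior", "___e", "___m", "alaftp", "aladdos", "alascan", "alamail"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_reg_export(text):
    """Parse .reg-style text into {key: {name: value}}; only REG_SZ values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).replace(" ", "")  # tolerate stray spaces in key paths
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_maslan_persistence(reg_text):
    """Return (key, name, value) triples matching the worm's autostart entries."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in MASLAN_RUN_KEYS:
            for name, value in values.items():
                expected = MASLAN_RUN_VALUES.get(name)
                if expected and basename(value) == expected:
                    hits.append((key, name, value))
    return hits

def find_maslan_files(paths):
    """Return the paths whose file name is one the worm drops."""
    return [p for p in paths if basename(p) in MASLAN_DROPPED_FILES]
# Constructed sample export: two genuine hits, one look-alike value name that must not match
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="___synmgr.exe"
"Microsoft Windows DHCP"="C:\\WINDOWS\\___r.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="C:\\Tools\\synmgr.exe"
"""
```

A real export comes from `reg export` of the three keys; the look-alike entry shows why the file name, not only the value name, is compared.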

Worm/Maslan.B takes advantage of the Local Security Authority Subsystem Service (LSASS) security vulnerability. To do so, the worm scans the IP addresses visible in the domain view. If it finds an unpatched computer, it uses the LSASS exploit from the already infected computer to make the target download and execute the file "___u.exe" via an FTP command.


Worm/Maslan.B also contains an IRC server component and can accept the following IRC commands from an IRC bot:

screencap, shell, syn, dld, upd, execute, download, update, syn = ddos


Worm/Maslan.B kills the following active processes:

_AVPM.EXE, _AVPCC.EXE, _AVP32.EXE, ZONEALARM.EXE, ZAPSETUP3001.EXE, ZONALM2601.EXE, ZAPRO.EXE, VIRUSMD, PERSONALFIREWALL.EXE, VIR-HELP.EXE, VFSETUP.EXE, TAUMON.EXE, TASKMON.EXE, RESCUE32.EXE, PROCESSMONITOR.EXE, PADMIN.EXE, OUTPOSTINSTALL.EXE, OUTPOST.EXE, NPROTECT.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NETUTILS.EXE, NETMON.EXE, NC2000.EXE, NAVWNT.EXE, NAVW32.EXE, NAVDX.EXE, AUTO-PROTECT.NAV80TRY.EXE, NAV.EXE, KILLPROCESSSETUP161.EXE, KERIO-WRP-421-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-PF-213-EN-WIN.EXE, KAVPF.EXE, KAVPERS40ENG.EXE, KAVLITE40ENG.EXE, JAMMER.EXE, GUARDDOG.EXE, GUARD.EXE, DRWEBUPW.EXE, DRWEB32.EXE, DRWATSON.EXE, CLICK.EXE, CLEANPC.EXE, CLEANER3.EXE, CLEANER.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVKWCTl9.EXE, AVKSERVICE.EXE, AVKSERV.EXE, AVKPOP.EXE, AVGUARD.EXE, AUTOUPDATE.EXE, AUPDATE.EXE, ATGUARD.EXE, ANTIVIRUS.EXE and ANTI-TROJAN.EXE

The worm contains the following text in its executable files:

-{ Hah... MyDoom, Bagle, etc... since then you do not have future more! }-
Description added by Crony Walker on Tuesday, 15 June 2004
