WORM_MASLAN.D

Malware type: Worm

Aliases: W32/Maslan.d@MM (McAfee), W32.Maslan.A@mm (Symantec), TR/Spy.Agent.JT.3 (Avira), W32/Maslan-D (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm propagates via email. The email addresses it uses as recipients are taken from an infected system.

The following is a summary of the email details it sends out:

SUBJECT: %Name%

MESSAGE BODY:
Hello %Name%,
Best regards,
%Name%

ATTACHMENT:
HotBaby(demo).exe
potato.pif

(Note: %Name% is a variable, which it selects from a list of names hardcoded in its body.)

The worm drops copies of itself into folders with names containing any of the following strings:

  • download
  • distr
  • setup
  • share

It can also penetrate network shares with weak passwords.

This worm also takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability. This vulnerability allows a malicious user to gain full access and execute any code on a target machine, leaving it compromised.

For more information on this vulnerability, refer to the following link:

It can also perform a denial of service attack on certain Web sites.

For additional information about this threat, see:

Description created: Feb. 3, 2005 10:06:26 AM GMT -0800
Description updated: Feb. 11, 2005 3:50:20 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 45,056 Bytes

Initial samples received on: Feb 3, 2005

Vulnerability used:  (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution

Details:

Installation and Autostart

Upon execution, this memory-resident worm drops the following files in the Windows system folder:

  • ODBC32<random letter>.exe � copy of itself
  • ODBC32e
  • ODBC32t
  • ODBC32m � contains email addresses taken from an infected system

It also drops the following files in the Windows system folder:

  • _prefect.exe
  • cfg__
  • prefoct.dat
  • winlogon32.dll
  • winlogon32.exe

It copies the contents of the folder C:\Program Files\Common Files\Microsoft Shared into the folder C:\ODBC32b\Program Files\Common Files\Microsoft Shared, making these files appear to have been installed by the worm.

It also creates a mutex named Munjestis.

To enable its automatic execution at every system startup, it creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Public Microsoft ODBC = "C:\WINDOWS\System32\ODBC32<random letter>.exe"

Network Propagation

The worm drops copies of itself into folders with names containing any of the following strings:

  • download
  • distr
  • setup
  • share

The worm can also penetrate network shares with weak passwords.

Email Propagation

This worm propagates via email. The email addresses it uses as recipients are taken from an infected system.

The following is a summary of the email details it sends out:

FROM: %First Name%%Last Name%@%Domain%

SUBJECT: %Name%

MESSAGE BODY:
Hello %Name%,
Best regards,
%Name%

ATTACHMENT:
� HotBaby(demo).exe
� potato.pif

%First Name% may be any of the following:

  • Andrew
  • Angel
  • Arnold
  • Chris
  • Christian
  • Helen
  • Mackye
  • Maria
  • Peter
  • Robert
  • Sarah
  • Steven

%Last Name% may be any of the following:

  • Bernard
  • Carter
  • Conor
  • Ghisler
  • Goldberg
  • Green
  • Jackson
  • Kramer
  • Kutcher
  • Lopez
  • Miller
  • Nelson
  • Ruben
  • Scott
  • Smith

%Domain% may be any of the following:

  • aol.com
  • freemail.com
  • hotmail.com
  • mail.com
  • msn.com
  • yahoo.com

%Name% is a variable, which it selects from a list of names hardcoded in its body. It is one of the following:

  • admin
  • Andrew
  • Angel
  • Arnold
  • Bernard
  • Carter
  • Chris
  • Christian
  • Conor
  • Ghisler
  • Goldberg
  • Green
  • Helen
  • Jackson
  • Kramer
  • Kutcher
  • Lopez
  • Mackye
  • Maria
  • Miller
  • Nelson
  • Peter
  • Robert
  • Ruben
  • Sarah
  • Scott
  • Smith
  • Steven

The spoofed addresses are saved in the ODBC32m file created by the worm in the Windows system folder.

User names containg any of the following strings are avoided by the worm:

  • accoun
  • admin
  • certific
  • listserv
  • ntivi
  • subscribe

Domain names containg any of the following strings are also avoided:

  • abuse
  • acketst
  • anyone
  • arin.
  • berkeley
  • borlan
  • contact
  • example
  • feste
  • gold-certs
  • google
  • ibm.com
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • mit.e
  • mozilla
  • mydomai
  • mysqlruslis
  • nobody
  • nodomai
  • noone
  • nothing
  • panda
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • samples
  • secur
  • sendmail
  • service
  • somebody
  • someone
  • sopho
  • submit
  • tanford.e
  • the.bat
  • usenet
  • utgers.ed
  • webmaster

Download Routine

The worm downloads files from several URLs. These are saved in the Windows system folder as the following:

  • cfg__ : from http://max-stats.com/cfg1.cfg
  • _prefect.exe : from http://max-stats.com/l/data.bmp
  • prefoct.dat : from http://max-stats.com/l/c2.php?i=11

Exploit

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability. This vulnerability allows a malicious user to gain full access and execute any code on a target machine, leaving it compromised.

For more information on this vulnerability, refer to the following link:

Denial of Service

This worm performs a denial of service (DoS) attack on certain Web sites.

Other Details

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Marianne Margaret Layador

Updated By: Roaxelle Anne S. Mislang


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.389.01

Pattern release date: Feb 2, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_MASLAN.D.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro�s online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL%20ALT%20DELETE
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the processes:
    � Lexplore.exe
    � WSVC32.EXE
  3. Select each malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware processes have been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Public Microsoft ODBC = "C:\WINDOWS\System32\ODBC32<random letter>.exe".
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    cftmon = "<variable value>"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MASLAN.D . To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patches from the following Web pages:

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.