Maslam.A and Maslam.B affect computers running Windows 95/98/ME/NT/2000/XP, by exploiting the LSASS vulnerability. They send themselves out via email using their own SMTP engine. Both worms have the following characteristics.
– They monitor Internet Explorer Windows, searching for those containing the following strings: evocash, e-bullion, e-gold, mail, bank, trade or paypal. When they find one, they log all the information entered by the user and sent it to a website.
– They search for files with the extension rar, zip, pif or exe, and which have the following text strings in the path name: distr, download, setup or share, and then replace these files with copies of themselves.
– When they are run they display an error message on screen.
The main difference between the A and B variants of Maslam is the name of the file attached to the message in which they are sent and the text that appears in the subject field of the email.
The other two worms that we are looking at in today’s report are the D and E variants of Atak, which spread via email in messages with variable characteristics. The emails include an attachment with the extension bat, com, exe, pif or scr. This file is sometimes compressed in a zip file. Both of these worms also spoof the email address o the sender in order to trick the recipient.
Atak.D and Atak.E also have the following characteristics:
– They use their own SMTP engine to send themselves to address obtained from the computers they infect.
– In the Windows system directory, they create a copy of the worms -in the case of Atak.D this file is called A1G.EXE, and with Atak.E it is called DAPDLL.EXE.
– They edit a registry entry to ensure it is run every time the system is started up.
The main differences between Atak D and E are:
– Atak.D is 12037 bytes when compressed with FSG, while the E variant is 11189 bytes.
– The mutex they create to make sure there is no more than copy of the worm running at a time is different for each worm.