SECURITY ALERT

Name:      W32.Masy.Worm
Aliases:   WORM_MASANA.A,I-Worm.Masana
Variants:  
Type:      Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by Symantec, Trend, and Kaspersky Labs.

Virus Characteristics

W32.Masy.Worm is a mass-mailing worm that sends itself to addresses it finds in files whose extension contains the letters htm. It also uses the Deploit exploit to execute with administrator rights on Windows NT and Windows 2000, and it attempts to add a user named masyanechkaa with administrative rights.

It arrives in an email with the following characteristics:

Subject: Masyanya!
Body:
Hi, here is a new film about Masyanya and V.V.Putin!!!
Homepage: http: //mult.ru

Attachment: Masyanya.exe

Depending upon the infected computer's default language, the above email message may be translated to Russian text. The worm also sends the following email message to masyana@nm.ru:

Subject: Masyanya!
Body: gygygy!


Payload

Upon execution, it copies itself to the Windows System directory as MSYS32.EXE. It then drops the following files in the current directory:

ERunAsX.dll
ERunAsX.exe
Eexplorer.exe (a copy of the worm)

ERunAsX.exe is a command-line program that uses the Deploit exploit to run the copy of Eexplorer.exe with system administrator rights. The worm also uses this exploit together with the "net" command to add a user, "masyanechkaa", to the local Administrators group. Due to a bug in its code, however, it fails to add the user.

It creates a startup entry so that it runs each time Windows starts:

On Windows 9x/ME systems, it modifies the shell entry in the SYSTEM.INI as follows:

[boot]
shell=Explorer.exe msys32.exe -dontrunold

On Windows 2K/NT systems, it modifies this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"shell" = "Explorer.exe msys32.exe -dontrunold"

To propagate via email, it searches the infected system for HTM* files, opens them, and harvests email addresses from their contents. It uses Messaging Application Programming Interface (MAPI) functions to send itself to the gathered addresses. It also uses MAPI functions to read the infected user's unread email messages and to reply to them.

This worm modifies the following registry value so that Outlook Express 5.0 no longer warns the user when a program sends mail through MAPI:

HKEY_CURRENT_USER\Identities\{Unique Current User Key}\Software\Microsoft\Outlook Express\5.0\Mail
Warn on Mapi Send = dword:00000000
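The startup entries and the Outlook Express value above are the host-side indicators an administrator can check for. The following is an added example, not code from the original alert or from any of the vendors cited: it parses a SYSTEM.INI file (Windows 9x/ME) and a .reg export (Windows NT/2000) and reports any shell program other than Explorer.exe, plus a "Warn on Mapi Send" value set to zero. The sample SYSTEM.INI text and registry export are constructed for the example; the key paths, value names and the "msys32.exe -dontrunold" string come from the alert.

```python
"""Added example (not from the original alert): check configuration artifacts
for the persistence and Outlook Express changes the alert describes."""
import re

# A clean installation's shell value carries only this program.
EXPECTED_SHELL = "explorer.exe"

# Constructed sample of a SYSTEM.INI [boot] section as the worm leaves it.
SAMPLE_SYSTEM_INI = """[386Enh]
device=vmm32.vxd
[boot]
shell=Explorer.exe msys32.exe -dontrunold
"""

# Constructed sample of a .reg export; key paths come from the alert, the
# identity GUID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe msys32.exe -dontrunold"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Warn on Mapi Send"=dword:00000000
"""


def extra_shell_programs(shell_value):
    """Return executables in a shell= / Winlogon Shell value other than Explorer.exe.

    The worm appends 'msys32.exe -dontrunold' after Explorer.exe, so every
    .exe token besides the expected shell is reported.
    """
    tokens = shell_value.strip().split()
    return [t for t in tokens
            if t.lower().endswith(".exe") and t.lower() != EXPECTED_SHELL]


def check_system_ini(text):
    """Parse the [boot] section of a SYSTEM.INI file and return the list of
    unexpected shell programs (empty list means the entry is clean)."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # new INI section
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return extra_shell_programs(value)
    return []


def check_reg_export(text):
    """Scan a .reg export for the two values the alert names and return a list
    of (finding, key_path, detail) tuples."""
    findings = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]      # key header such as [HKEY_...]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m or current_key is None:
            continue
        name, raw = m.group(1), m.group(2)
        key_lc = current_key.lower()
        # Winlogon Shell carrying anything beyond Explorer.exe
        if key_lc.endswith(r"windows nt\currentversion\winlogon") and name.lower() == "shell":
            extras = extra_shell_programs(raw.strip('"'))
            if extras:
                findings.append(("winlogon_shell", current_key, extras))
        # Outlook Express MAPI send warning switched off
        if key_lc.endswith(r"outlook express\5.0\mail") and name.lower() == "warn on mapi send":
            if raw.lower().startswith("dword:") and int(raw[6:], 16) == 0:
                findings.append(("mapi_warning_disabled", current_key, name))
    return findings


if __name__ == "__main__":
    print("SYSTEM.INI extras:", check_system_ini(SAMPLE_SYSTEM_INI))
    for finding in check_reg_export(SAMPLE_REG):
        print("registry:", finding)
```

The shell check reports any extra executable rather than matching the literal "msys32.exe", so it also catches renamed copies; on a live system the same functions can be fed the real SYSTEM.INI contents or the output of a registry export.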

When the system day is Monday, it launches a Denial of Service (DoS) attack against the kavkaz.org Web site.


Preventative Measures

Block all incoming attachments named Masyanya.exe at the email gateway.
Block all incoming messages with the subject Masyanya!.
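One way to apply both measures at a mail gateway, as an added example that is not part of the original alert: the function below parses a raw RFC 822 message with Python's standard email library and returns the reasons it should be blocked, matching the subject and the attachment file name case-insensitively so that trivial casing changes do not slip past the rule. The two sample messages are constructed; the subject and attachment name come from the alert.

```python
"""Added example (not from the original alert): gateway filter for the
subject and attachment named in the alert's preventative measures."""
from email import policy
from email.parser import BytesParser

BLOCKED_SUBJECT = "masyanya!"        # compared after lower-casing
BLOCKED_ATTACHMENT = "masyanya.exe"  # compared after lower-casing

# Constructed sample resembling the worm's message (addresses are placeholders).
SAMPLE_WORM_MAIL = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: Masyanya!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XXBOUNDARYXX"

--XXBOUNDARYXX
Content-Type: text/plain

Hi, here is a new film about Masyanya and V.V.Putin!!!

--XXBOUNDARYXX
Content-Type: application/octet-stream; name="MASYANYA.EXE"
Content-Disposition: attachment; filename="MASYANYA.EXE"
Content-Transfer-Encoding: base64

AAAA
--XXBOUNDARYXX--
"""

# Constructed sample of an ordinary message that must be delivered.
SAMPLE_CLEAN_MAIL = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: Meeting notes
Content-Type: text/plain

See you Monday.
"""


def blocking_reasons(raw_message):
    """Return a list of reasons to block the message; an empty list means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []

    # Rule 1: subject line "Masyanya!"
    subject = str(msg["Subject"] or "").strip().lower()
    if subject == BLOCKED_SUBJECT:
        reasons.append("subject matches blocked subject 'Masyanya!'")

    # Rule 2: any MIME part carrying an attachment named Masyanya.exe
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.strip().lower() == BLOCKED_ATTACHMENT:
            reasons.append("attachment named Masyanya.exe")
            break
    return reasons


def should_block(raw_message):
    """Convenience wrapper: True when at least one rule matched."""
    return bool(blocking_reasons(raw_message))


if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, "->", blocking_reasons(sample) or "deliver")
```

The attachment rule walks every MIME part rather than inspecting only the top level, so the name is still found when the executable is nested inside another multipart container.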


Fixes Available

Network Associates:
No Information available at time of alert.

Symantec:
Virus Definitions (Intelligent Updater)
May 7, 2002
Virus Definitions (LiveUpdate)
May 8, 2002

Trend:
Pattern File: 272
