Threat behavior
Win32/Maslan drops several files in the Windows system folder, including a .dll component, a Trojan-downloader component, a stealth component, a MIME-encoded copy of the worm file, and a variant of Win32/Sdbot. The names of many of the dropped files begin with the string "___" (three successive underscore characters). The worm also modifies several registry keys in order to run automatically each time Windows starts.
The worm injects the .dll component into various processes. Because its network connections originate from those system processes, the injected .dll code may bypass a local firewall and obtain full network access. The .dll code performs several functions, including the following:
Win32/Maslan may install a stealth component that hides file and directory names that contain the string "___". This component intercepts results returned by certain Windows API calls and replaces any entry in the results that contains "___" with ".". Most file-viewing applications, such as Windows Explorer, do not display entries named ".". This is because "." merely indicates the current directory. Therefore, in most file viewers the renamed files and directories are hidden from the user.
At least one variant of Win32/Maslan does not have stealth capabilities. This variant prefixes the names of files it drops with the string "ODBC" (instead of "___"), which may lead the user to believe that the files are legitimate.
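As an added example (not part of the original description), the following Python shows two defender-side checks for the stealth behavior described above: a clean FindFirstFile/FindNextFile listing contains exactly one "." entry, so every additional "." is a name the hook has blanked out, and a cross-view comparison against a trusted listing of the same directory (for example from an offline boot) reveals the hidden names. The listings, the "___" and "ODBC" sample names and the function names are constructed for illustration.

```python
from typing import Iterable, List, Dict

# Prefixes used by the dropped files described above. "___" is a strong
# indicator; "ODBC" also prefixes legitimate Windows files, so treat matches
# on it as candidates for manual review rather than proof of infection.
STRONG_PREFIX = "___"
WEAK_PREFIX = "ODBC"

# Constructed sample: a trusted (raw) view of a system folder versus the view
# returned by the hooked enumeration API, which rewrites "___" names as ".".
RAW_VIEW = [".", "..", "kernel32.dll", "___sample1.dll", "___sample2.exe", "notepad.exe"]
HOOKED_VIEW = [".", "..", "kernel32.dll", ".", ".", "notepad.exe"]


def hidden_entry_indicators(listing: Iterable[str]) -> Dict[str, object]:
    """Inspect one raw API-style directory listing (including "." and "..").

    Returns the number of surplus "." entries (each one is a renamed, hidden
    entry when the stealth hook is active) and any names carrying the
    prefixes the worm uses, split by confidence.
    """
    entries = list(listing)
    dot_count = entries.count(".")
    return {
        "extra_dot_entries": max(dot_count - 1, 0),
        "strong_matches": [e for e in entries if e.startswith(STRONG_PREFIX)],
        "review_matches": [e for e in entries if e.upper().startswith(WEAK_PREFIX)],
    }


def cross_view_diff(api_view: Iterable[str], trusted_view: Iterable[str]) -> List[str]:
    """Names present in the trusted view but absent from the API view.

    Any entry returned here is being hidden from the live system; the hook
    cannot alter a listing produced without going through the patched APIs.
    """
    return sorted(set(trusted_view) - set(api_view))


if __name__ == "__main__":
    print(hidden_entry_indicators(HOOKED_VIEW))   # extra_dot_entries == 2
    print(cross_view_diff(HOOKED_VIEW, RAW_VIEW))  # the two "___" names
```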
Win32/Maslan terminates various processes, primarily processes related to computer security. The worm logs user keystrokes in windows with titles containing strings such as "bank". It also conducts denial of service attacks against certain Web sites.
The worm spreads in the following ways:
Prevention