W32/Maslan-B is a Windows worm which spreads by mailing itself to addresses found on the infected computer.
The worm also spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
When run W32/Maslan-B copies itself to the Windows System folder as ___u and creates the files ___e, ___j.dll, ___n.exe and ___r.exe in the Windows System folder.
___n.exe is being detected as Troj/Sdbot-RV.
___j.dll is being detected as W32/Maslan-A.
The worm also creates the following registry entry so that it runs automatically on user logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DHCP
%SYSTEM%\___r.exe
W32/Maslan-B attempts to create the folder %ROOOT%\___b and also tries to copy itself as random filenames to folders with names that contains the words "share", "setup", "distr" or "download".
The worm also tries to create the following files:
%SYSTEM%\___AlaFtp
%SYSTEM%\___AlaDdos
%SYSTEM%\___AlaMail
%SYSTEM%\___AlaScan
%SYSTEM%\___Prior
%SYSTEM%\___m
%SYSTEM%\___t
These files are non-viral and may be safely deleted.
W32/Maslan-B also attempts to perform distributed denial-of-service (DDoS) attacks.
Emails sent by W32/Maslan-B have the following characteristics:
Subject Title: 123
File attachment: Playgirls2.exe
Message Body:
Hello <random name>,
--Best regards,
<random name>