[ISN] 'Playboy' Virus Dropping Dangerous Backdoor

InfoSec News isn at c4i.org
Mon Dec 13 04:56:33 EST 2004


By Ryan Naraine 
December 10, 2004  

Anti-virus vendors have raised the alarm for a new mass-mailing worm
with a dangerous backdoor component.

The worm, called W32.Maslan.C at mm, arrives as an attachment promising
naked photos of Playboy models but, if executed, drops an IRC (Inter
Relay Chat) bot capable of transmitting passwords and sensitive
information back to the virus writer.

According to an alert from McAfee, the backdoor is powerful enough to
terminate the processes of various anti-virus security applications.

The worm also spreads itself via poorly secured network shares and
weak passwords and takes advantage of two known exploits—LSASS and
RPC-DCOM—affecting Microsoft Windows users. Patches for both exploits
have been available for some time, but unpatched machines are
vulnerable to worm infection.

According to Sophos, Maslan-C copies itself to the Windows system
folder and creates a number of other files on the computer which make
up the components of the worm.

It constructs messages using its own SMTP engine and harvests target
e-mail addresses from the victim's machine. The worm uses several
masking techniques including spoofed sender addresses and has been
programmed to monitor Internet Explorer browser sessions to capture
data relating to various financial sites.

An advisory from Symantec rates the risk as low, but distribution
remains high.

The use of naked celebrity images as a virus infection tactic is
nothing new. In the past, virus writers have attached the names of
celebrities such as Anna Kournikova, Britney Spears and Halle Berry to
mass-mailing worms.

More information about the ISN mailing list