Aliases: WORM_MASANA.A, I-Worm.Masana, W32/Masana-A, Worm/Masana.3, W32/Masana
Variants: Email-Worm.Win32.Masana, Win32.HLLM.Masana, Win32/Masyanya.A, [email protected], I-Worm/Masana

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 May 2002
Damage: Low

Characteristics: This threat usually arrives at a vulnerable system as a file attachment from a spiked email. It is a type of mass mailing Worm which will harvest email addresses from HTM format files that are stored in the infected machine. The W32.Masy.Worm will send a copy of itself to all email addresses that it has gathered as part of its spreading routine. This malware has been observed to utilize the Deploit Exploit technique to launch.

More details about W32.Masy.Worm

The carrier email message of the W32.Masy.Worm usually makes use of the text "Masyanya!" in the subject line and has a file attachment that is in an executable format with the filename being the same as the subject line. On initial execution it will drop a copy of its code into the directory folder of the operating system. The will proceed to generate additional EXE and DLL format files to implement its Deploit Exploit function. This feature of the W32.Masy.Worm allows it to take control of a single process and initiate a debug thread using the same process. This will result in the execution of the debug thread with administrative rights. This feature allows the W32.Masy.Worm to create a new user account with administrative privileges.

The W32.Masy.Worm will scan the contents of all files that have the text HTM in its file extension. The email addresses retrieved from these files will be the recipients of the Worm's codes via spiked email message file attachment. The W32.Masy.Worm may send the email message using the Russian language depending on the default language configured in the recipient's computer system. The email message may be sent to another email address presumed to be controlled by the malicious author. Depending on the day of the week the W32.Masy.Worm may perform an ICMP Denial of Service attack on a predetermined website.