I-Worm.Masana is a worm virus spreading via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 107Kb in size – ASPack compresses it, the decompressed size is about 138Kb, written in Delphi.
Infected messages contain the following:
Another variant is the same subject and body as above but in Russian.
The worm activates from infected email only when a user clicks on the attached file. The worm then installs itself into the system, runs its spreading routine and payload.
The worm has bugs in its code; as a result some of its routines don’t work.
While installing the worm copies itself into the Windows system directory with under the msys32.exe name and registers this file in the system registry (under Windows NT) or in the SYSTEM.INI (under Windows 9x) auto-run keys:
Under Windows NT systems the worm gains Admin privileges. To do this the worm uses a breach in Windows NT security (so-called DepPloit exploit).
The Masana worm creates two additional files on disk that manage the exploit:
The worm then creates another copy of itself under the name EEXPLORER.EXE name and by using DepPLoit exploit starts this copy with administrator rights.
To send infected messages the worm uses Windows MAPI functions.
To get victim email addresses Masana:
Each time Masana is run it also sends infected message to the firstname.lastname@example.org address. This message looks as follows: