The Maslan worm appears to be politically motivated, with infected machines intended to launch a denial-of-service attack against Web sites run by Chechen separatist supporters, antivirus firm Sophos said in an advisory Thursday.
According to Symantec, W32.Maslan.C@mm is a mass-mailing worm that opens a back door and exploits system vulnerabilities on a compromised computer. The worm also steals passwords using a keylogger. In addition, it attempts to attack a series of firewalls and antivirus settings on an infected machine.
The virus controls which e-mail addresses it spreads to, avoiding most Web mail addresses and any others that may report to antivirus or filtering companies, apparently a crude attempt to avoid detection. Panda, Sophos and Symantec have all been blacklisted by the worm, along with words such as "abuse," "privacy" and "spam," which, if they appear in an e-mail address, may be an indication of an address used to report unsolicited or malicious mail.
Currently, the e-mail spreading in the wild has the subject line "123" or "12345" and an attached file called "Playgirls2.exe" or "Playgirls_2.exe," security companies said.
Sophos said the virus is timed to attempt a denial-of-service attack on the first day of each month, intended to swamp the targeted Web sites with Internet traffic.
Will Sturgeon of Silicon.com reported from London.