Anti-Chechen virus mocks MyDoom author
The Maslan virus, which was first discovered on Monday, tries to shut down any antivirus applications and then opens a back door on the infected system. Unusually, the virus then launches a DDoS attack on a number of Chechen news sites.
According to European antivirus firm F-Secure, Maslan uses a technique called SYN flooding, which means an infected system constantly requests pages from the target Web sites in the hope of overloading the server.
The virus attacks chechenpress.com, chechenpress.info, kavkaz.org.uk, kavkaz.tv, kavkaz.uk.com, kavkazcenter.com, kavkazcenter.info, kavkazcenter.net.
Mark Sinclair, technical services manager at antivirus firm Trend Micro, said Maslan was unlikely to be successful at taking down any of the target sites because it exploits the LSASS and RPC vulnerabilities in Windows. Microsoft issued a patch for both these vulnerabilities months ago.
"There will still be a lot of systems out there that are unpatched but the virus would have been far more effective if it had taken advantage of some more recent vulnerabilities," said Sinclair.
Sinclair describes Maslan as "very well crafted" and said it was unusual for a virus to be so blatant in its political motivation.
"The virus is very well crafted -- it is a really unusual mixture of bits and pieces. It is also unusual to see virus writers taking such clinical motivated action," said Sinclair.
Sinclair also revealed that Maslan contains a badly worded message that seems to be mocking the MyDoom and Bagle virus authors.
"The message says, 'hah. mydoom bagle etc. since then you do not have future more'. It doesn't make much sense," said Sinclair.
Earlier this year rival virus authors were frequently exchanging insults using text hidden inside the malware's code.
At the time, a variant of Bagle contained a line of text that said: "Hey, NetSky...don't ruine our bussiness, wanna start a war?" In response, a new NetSky variant (F) contained the message: "Skynet AntiVirus - Bagle - you are a looser!!!!".