PUA.MSIL.MoveMouse.A

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

• %Application Data%\Ellanet\Move Mouse\Move Mouse.xml → Contains the selected configurations for the grayware when executed.

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Application Data%\Ellanet
• %Application Data%Ellanet\Move Mouse

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• d45b30b9-9e65-4d33-a2bc-d6ba6a7500bd

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Move Mouse = {Grayware File Path} → when "Automatically launch Move Mouse at Windows logon" is enabled

Other Details

This Potentially Unwanted Application does the following:

• It is used to prevent Windows from locking the user session or going to sleep
• It has the following Tabs with the following options:
  • Mouse Tab:
  • It contains the following options:
  • PayPal Button → Directs to https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_buttonid=QZTWHD9CRW5XN
  • Twitter Button → Directs to https://twitter.com/movemouse
  • Hole Button → Directs to https://github.com/sw103/movemouse/
  • Actions Tab:
  • It contains the following options:
  • Specify how long the cursor wait to repeat its action.
  • Move mouse pointer → enable to move the mouse cursor.
  • Stealth mode → pointer movement won't be visible on screen.
  • Static mouse pointer position → Set a screen coordinate to position the mouse cursor.
  • Track → Automatically track the cursor location.
  • Click left mouse button → enable to click the left mouse button.
  • Send keystroke → Enable to send a keystroke from the following list:
  • {BACKSPACE}
  • {BREAK}
  • {CAPSLOCK}
  • {DELETE}
  • {DOWN}
  • {END}
  • {ENTER}
  • {ESC}
  • {HELP}
  • {HOME}
  • {INSERT}
  • {LEFT}
  • {NUMLOCK}
  • {PGDN}
  • {PGUP}
  • {PRTSC}
  • {RIGHT}
  • {SCROLLLOCK}
  • {TAB}
  • {UP}
  • {F1}
  • {F2}
  • {F3}
  • {F4}
  • {F5}
  • {F6}
  • {F7}
  • {F8}
  • {F9}
  • {F10}
  • {F11}
  • {F12}
  • {F13}
  • {F14}
  • {F15}
  • {F16}
  • {ADD}
  • {SUBTRACT}
  • {MULTIPLY}
  • {DIVIDE}
  • Activate application → Enable to specify a running application to interact
  • Refresh → To rescan running processes
  • Behaviour Tab: → Customize how the grayware operates within the user session
  • It has the following customization options:
  • Pause when mouse pointer moved → session pauses when user activity is detected(mouse movement or keboard)
  • Automatically resume after X seconds of inactivity → Continue session when specified number of seconds of inactivity is detected.
  • Disable when running on battery → Stop session when detected running on battery power.
  • Enable start/pause hotkeys → Set a hotkey to pause/start the session.
  • Automatically start Move Mouse on launch → Automatically start session when the grayware is executed
  • Automatically launch Move Mouse at Windows logon → Automatically launch the grayware upon Windows Logon
  • Minimise on pause → Minimizes window when the session pauses
  • Minimise on start → Minimizes window when the session starts
  • Minimise to System Tray → Minimizes window to system tray when enabled
  • Script Tab: → enable to execute Script files
  • It has the following options:
  • Execute script when Move Mouse starts → execute a script when session starts
  • Execute script at each interval → execute a script every after interval
  • Execute script when Move Mouse pauses → execute a script when session starts
  • It uses notepad.exe as default editor
  • It supports the following script languages:
  • PowerShell
  • Batch
  • VBScript
  • JScript
  • Schedules Tab → It allows to create a scheduled task when to automatically stop/start the grayware
  • Blackouts Tab → It allows to Create a time slot when to disable the grayware and enter sleeping state.
• It connects to the following URL's:
  • https://{BLOCKED}hubusercontent.com/sw3103/movemouse/master/Mice/Mice.xml
  • https://{BLOCKED}hubusercontent.com/sw3103/movemouse/master//Update_3x.xml