TROJ_MUMA
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via network shares
MUMA is a family of worms that spreads via network shares. It propagates by penetrating systems with weak administrator passwords and copying its program to vulnerable systems. It also uses multiple components to execute its intended routines.
When executed, MUMA variants steal information such as usernames and passwords. They also log keystrokes and send the gathered information through email. This malware is used to disrupt normal operations by continually scanning the network for vulnerable systems.
TECHNICAL DETAILS
Yes
Steals information
Installation
This Trojan drops the following component file(s):
- %System%\IPCPass.txt
- %System%\psexec.exe
- %System%\kavfind.exe
- %System%\last.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\mumu.exe
- Admin$\system32\mumu.exe
- Admin$\Winnt\MUMU.EXE
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mumu
{first 3 octets of the machine's IP address} = "{random hex}"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mumu
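A local sweep for the files and registry key listed above, as an added example that is not part of the original write-up. It assumes PowerShell 2.0 or later, treats Admin$ as %SystemRoot%, and assumes the registry value name is a dotted IP prefix such as 192.168.1.

```powershell
# Added example: local sweep for the TROJ_MUMA artifacts listed on this page.
$sys = Join-Path $env:SystemRoot 'System32'      # %System% on NT-family Windows

# Dropped components and self-copies, as named on the page.
# psexec.exe is also a legitimate Sysinternals tool; a hit on it alone needs context.
$paths = @('IPCPass.txt', 'psexec.exe', 'kavfind.exe', 'last.exe', 'mumu.exe' |
    ForEach-Object { Join-Path $sys $_ })
# ADMIN$ maps to %SystemRoot%, so Admin$\Winnt\MUMU.EXE is checked beneath it.
$paths += Join-Path $env:SystemRoot 'Winnt\MUMU.EXE'

$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $f = Get-Item -LiteralPath $p -Force     # -Force: include hidden/system files
        $findings += New-Object PSObject -Property @{
            Type      = 'File'
            Indicator = $p
            Detail    = '{0} bytes, modified {1:u}' -f $f.Length, $f.LastWriteTimeUtc
        }
    }
}

# Registry marker: HKLM\SOFTWARE\mumu holding a value named after an IP prefix.
# Assumption: the "first 3 octets" are written in dotted form, e.g. 192.168.1.
$keyPath = 'HKLM:\SOFTWARE\mumu'
if (Test-Path -LiteralPath $keyPath) {
    $key = Get-Item -LiteralPath $keyPath
    $findings += New-Object PSObject -Property @{
        Type = 'RegKey'; Indicator = $key.Name; Detail = "$($key.ValueCount) value(s)"
    }
    foreach ($name in $key.GetValueNames()) {
        $shape = if ($name -match '^\d{1,3}(\.\d{1,3}){2}$') { 'IP-prefix name' } else { 'other name' }
        $findings += New-Object PSObject -Property @{
            Type      = 'RegValue'
            Indicator = "$($key.Name)\$name"
            Detail    = "$shape; data = $($key.GetValue($name))"
        }
    }
}

if ($findings) {
    $findings | Select-Object Type, Indicator, Detail | Format-Table -AutoSize -Wrap
} else {
    'None of the listed TROJ_MUMA files or registry entries were found on this host.'
}
```

Run it from an elevated prompt so that hidden files in the system folder and the HKLM key are readable.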