MUFANOM
Hiloti, Zefarch, Virtum
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
MUFANOM is a family of Trojans that are dropped or downloaded onto systems by other malware. When executed, MUFANOM variants drop their component files onto the infected system. They also attempt to access malicious URLs, which may result in malicious files being downloaded onto the system and executed.
Some variants of this malware family may also have other routines, including monitoring user activity whenever the user accesses certain sites in Internet Explorer. In addition, some variants may install a browser plugin component that monitors the user's browsing activity in order to display ads in the browser. Some MUFANOM variants were observed downloading files belonging to the ZEFARCH malware family.
TECHNICAL DETAILS
Yes
Modifies system registry, Connects to URLs/IPs, Drops files, Downloads files
Installation
This Trojan drops the following files:
- %Windows%\{random file name}.dll
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random letters} = "rundll32.exe "%Windows%\{random file name}.dll",Startup"
Other System Modifications
This Trojan adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{random letters}
Other Details
This Trojan connects to the following possibly malicious URL:
- {12 random alphanumeric characters}.{7 random letters}.com
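As an added defender-side example (not part of the original write-up), the following Python checks exported Run-key values for the rundll32 "Startup" autostart described above and flags queried domain names matching the 12-character/7-letter pattern; the sample Run entries and DNS query names are constructed, not taken from an infected host.

```python
import re

# Constructed sample Run-key values, as a defender would collect them with
# `reg query` or a hive parser. Only "kdfgh" follows the MUFANOM pattern.
SAMPLE_RUN_VALUES = {
    "ctfmon": r'"C:\Windows\system32\ctfmon.exe"',
    "kdfgh": r'rundll32.exe "C:\Windows\abqzt.dll",Startup',
    "Nvidia": r'rundll32.exe "C:\Windows\system32\NvCpl.dll",NvStartup',
}

# Constructed sample DNS query names from a resolver log.
SAMPLE_DNS_QUERIES = [
    "www.example.com",
    "x9k2m7p4q1w8.bvcxzlk.com",   # 12 alphanumerics . 7 letters . com
    "short.bvcxzlk.com",
    "x9k2m7p4q1w8.bvcx.com",
]

# rundll32 loading a DLL that sits directly in the Windows folder (not a
# subfolder such as System32) and calling its "Startup" export.
RUNDLL_STARTUP = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<path>(?:%Windows%|[A-Za-z]:\\(?:Windows|WINNT))\\[^\\"]+\.dll)"?'
    r'\s*,\s*Startup\s*$',
    re.IGNORECASE,
)

# {12 random alphanumeric characters}.{7 random letters}.com
MUFANOM_DOMAIN = re.compile(r'^[a-z0-9]{12}\.[a-z]{7}\.com$', re.IGNORECASE)


def suspicious_run_entries(run_values):
    """Return (value_name, dll_path) for Run entries matching the autostart pattern."""
    hits = []
    for name, data in run_values.items():
        match = RUNDLL_STARTUP.match(data.strip())
        if match:
            hits.append((name, match.group("path")))
    return hits


def suspicious_domains(query_names):
    """Return the query names that fit the MUFANOM callback domain pattern."""
    return [q for q in query_names if MUFANOM_DOMAIN.match(q.strip().rstrip("."))]


if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("Domain hits:", suspicious_domains(SAMPLE_DNS_QUERIES))
```

A Run entry or domain matching either check is a lead for triage (hash the DLL, check its signature, review the resolver logs), not proof of infection on its own.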