MUMA
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via network shares
MUMA is a family of worms that spreads via network shares. It propagates by penetrating systems with weak administrator passwords and copying its program to vulnerable systems. It also uses multiple components to execute its intended routines.
When executed, MUMA variants steal information such as usernames and passwords. They also log keystrokes and send the gathered information through email. These worms are used to disrupt normal operations by continually scanning the network for vulnerable systems.
TECHNICAL DETAILS
Yes
Steals information
Installation
This worm drops the following component file(s):
- %System%\IPCPass.txt
- %System%\psexec.exe
- %System%\kavfind.exe
- %System%\last.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- %System%\mumu.exe
- Admin$\system32\mumu.exe
- Admin$\Winnt\MUMU.EXE
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mumu
{first 3 octets of the machine's IP address} = "{random hex}"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\mumu
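
The file and registry indicators listed above can be matched against endpoint telemetry. The following Python code is an added example, not part of the original write-up: the `host|type|target` log format, the host names and the two verdict levels are assumptions made for illustration. psexec.exe found alone only rates a review, because PsExec is also a legitimate Sysinternals administration tool.

```python
import ntpath

# Indicators from the write-up, lower-cased for case-insensitive matching.
COMPONENTS = {"ipcpass.txt", "kavfind.exe", "last.exe"}
SELF_COPIES = {"mumu.exe"}
DUAL_USE = {"psexec.exe"}  # also a legitimate admin tool
# Directories named on the page: %System% / Admin$\system32 and Admin$\Winnt.
DIR_SUFFIXES = ("\\system32", "\\admin$\\winnt")
REG_KEY = "hkey_local_machine\\software\\mumu"

def classify_path(path):
    """Return 'self-copy', 'component', 'dual-use' or None for one file path."""
    p = path.strip().replace("/", "\\").lower()
    directory, name = ntpath.split(p)
    if not directory.endswith(DIR_SUFFIXES):
        return None  # same file name elsewhere is not one of the listed paths
    if name in SELF_COPIES:
        return "self-copy"
    if name in DUAL_USE:
        return "dual-use"
    if name in COMPONENTS:
        return "component"
    return None

def triage(lines):
    """Map host -> 'investigate' or 'review' from 'host|type|target' events."""
    hits = {}
    for line in lines:
        host, kind, target = line.split("|", 2)
        label = None
        if kind == "file":
            label = classify_path(target)
        elif kind == "reg":
            key = target.strip().lower()
            if key == REG_KEY or key.startswith(REG_KEY + "\\"):
                label = "registry"
        if label:
            hits.setdefault(host, set()).add(label)
    # Only dual-use hits -> review; anything MUMA-specific -> investigate.
    return {h: "investigate" if labels - {"dual-use"} else "review"
            for h, labels in hits.items()}

# Constructed sample events (hypothetical hosts), not real telemetry.
SAMPLE = [
    r"WS01|file|C:\Windows\System32\psexec.exe",
    r"WS02|file|C:\WINDOWS\system32\IPCPass.txt",
    r"WS02|file|\\WS02\Admin$\system32\mumu.exe",
    r"WS03|reg|HKEY_LOCAL_MACHINE\SOFTWARE\mumu",
    r"WS04|file|C:\Users\bob\Downloads\last.exe",
]
```

Calling `triage(SAMPLE)` flags WS02 and WS03 for investigation, WS01 for review, and leaves WS04 out because last.exe sits outside the listed directories.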