PE_MUMAWOW


 ALIASES:

Otwycal, Wowinzi, Cowya

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Propagates via removable drives


CAOLYWA is a file infector with worm capabilities, which greatly improve its propagation. It spreads between computers by dropping copies of itself on removable drives, and it has also been seen distributed via the Internet. In 2008, a compromise led to the download of PE_CAOLYWA.E.

This file infector takes its commands from a C&C server: it downloads a text or configuration file and executes the commands that file contains.

This Trojan infects by appending its code to target host files.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Connects to URLs/IPs

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Windows%\Tasks\0x01xx8p.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following files:

  • {drive letter}:\MSDOS.bat
  • %Windows%\Tasks\explorer.ext
  • %Windows%\Tasks\spoolsv.ext
  • %Windows%\Tasks\SysFile.brk
  • C:\zzz.sys

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

File Infection

This Trojan infects the following file types:

  • . To
  • .GHO
  • .asp
  • .aspx
  • .bat
  • .cgi
  • .cmd
  • .do
  • .exe
  • .htm
  • .html
  • .jsp
  • .php
  • .scr
  • .shtm
  • .shtml
  • .xml

It infects by appending its code to target host files.

It avoids infecting folders containing the following strings:

  • Program Files

It avoids infecting the following files:

  • qq.exe
  • QQDoctor.exe
  • QQDoctorMain.exe
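The infection routine above appends code to host files. For PE hosts (.exe, .scr) that leaves data past the end of the last section, an "overlay", which is the thing to measure when hunting for appending infectors. The Python below is an added example, not code from this write-up or from the malware: is_candidate() applies the extension and exclusion lists given above (the garbled ". To" entry is omitted because its real extension is unknown), and pe_overlay_size() walks the standard PE/COFF headers to compute the overlay. The one-section PE it builds for the demo is constructed and not a real binary. The script and web host types in the list (.htm, .php, ...) are not PE files and the page does not say what is appended to them, so they are only selected here, not inspected.

```python
"""Appending-infector triage (added example; not from the original
write-up).  Select host files the way the infector does, then, for PE
hosts, measure data appended past the last section ('overlay')."""
import ntpath
import os
import struct

# Host-selection rules as listed in the write-up.  The garbled ". To"
# entry from the list is omitted because its real extension is unknown.
TARGET_EXTS = {".gho", ".asp", ".aspx", ".bat", ".cgi", ".cmd", ".do", ".exe",
               ".htm", ".html", ".jsp", ".php", ".scr", ".shtm", ".shtml", ".xml"}
SKIP_DIR_SUBSTRINGS = ("program files",)
SKIP_FILENAMES = {"qq.exe", "qqdoctor.exe", "qqdoctormain.exe"}


def is_candidate(path):
    """True if the infector would treat <path> as a host file.
    ntpath is used so both '\\' and '/' separated paths work anywhere."""
    folder, name = ntpath.split(path)
    if any(s in folder.lower() for s in SKIP_DIR_SUBSTRINGS):
        return False
    if name.lower() in SKIP_FILENAMES:
        return False
    return ntpath.splitext(name)[1].lower() in TARGET_EXTS


def pe_overlay_size(data):
    """Bytes past the end of the last section's raw data, or None when
    <data> is not a parseable PE image (standard PE/COFF header layout)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sections = coff + 20 + opt_size          # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        off = sections + i * 40
        if off + 40 > len(data):
            return None                      # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def scan_tree(root):
    """Walk <root>, returning (path, overlay_bytes) for candidate PE hosts
    that carry trailing data.  Non-PE candidates are skipped."""
    hits = []
    for folder, _, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if not is_candidate(path):
                continue
            with open(path, "rb") as f:
                overlay = pe_overlay_size(f.read())
            if overlay:
                hits.append((path, overlay))
    return hits


def build_minimal_pe():
    """Constructed one-section PE32 image for the demo; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return header + b"\xCC" * raw_size


def demo():
    """Overlay size of the clean image and of a copy with 300 appended bytes."""
    clean = build_minimal_pe()
    infected = clean + b"\x90" * 300        # stand-in for appended code
    return pe_overlay_size(clean), pe_overlay_size(infected)


if __name__ == "__main__":
    print("overlay bytes (clean, appended):", demo())
```

An overlay is a triage signal, not a verdict: Authenticode-signed binaries, self-extracting installers and many packers legitimately carry trailing data, so a hit needs the appended bytes compared against a known-clean copy or a hash allow-list before the file is treated as infected.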

Propagation

This Trojan drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

  [AutoRun]
  open=MSDOS.bat
  shell\open={characters}
  shell\open\Command=MSDOS.bat
  shell\open\Default=1
  shell\explore={characters}
  shell\explore\Command=MSDOS.bat
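The AUTORUN.INF above is the whole propagation trigger, so a first-response check on a suspect drive is to parse it and see what it would launch. The following Python script is an added example (not part of this write-up or of the malware): it parses the [AutoRun] section, collects the keys that cause execution (open, shellexecute and any shell\<verb>\command), and checks whether each launched file is actually present on the drive root, which is where MSDOS.bat is dropped. The sample INF is constructed from the strings quoted above; the verb labels "Open" and "Explore" in it stand in for the unspecified characters.

```python
"""AUTORUN.INF triage for a suspect removable drive (added example; not
from the original write-up).  Parses the [AutoRun] section, lists the
keys that launch code, and checks each target exists on the drive root."""
import os
import re
import tempfile

# Keys that run a program when the drive is inserted/opened (open,
# shellexecute) or when a context-menu verb is used (shell\<verb>\command).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")

# Constructed sample mirroring the strings quoted above; the verb labels
# "Open" and "Explore" stand in for the unspecified characters.
SAMPLE_INF = (
    "[AutoRun]\n"
    "open=MSDOS.bat\n"
    "shell\\open=Open\n"
    "shell\\open\\Command=MSDOS.bat\n"
    "shell\\open\\Default=1\n"
    "shell\\explore=Explore\n"
    "shell\\explore\\Command=MSDOS.bat\n"
)


def parse_autorun(text):
    """Return {lowercased key: value} for the [AutoRun] section only.
    Hand-rolled because backslashes in key names and the absence of
    quoting rules make configparser a poor fit for INF files."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_targets(entries):
    """Map each launching key (or 'shell\\<verb>') to its command string."""
    targets = {}
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            targets[key] = value
        else:
            m = VERB_COMMAND_RE.match(key)
            if m:
                targets["shell\\" + m.group(1)] = value
    return targets


def program_of(command):
    """First token of a command line: a quoted path or a bare word."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else None


def triage_drive(drive_root):
    """Read autorun.inf at <drive_root>; report what it launches and
    whether each launched file is actually present on the drive."""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return None
    with open(inf_path, "r", errors="replace") as f:
        entries = parse_autorun(f.read())
    report = {}
    for verb, command in launched_targets(entries).items():
        program = program_of(command)
        if program is None:
            continue
        rel = program.lstrip("\\/").replace("\\", os.sep)
        report[verb] = {"command": command,
                        "present": os.path.isfile(os.path.join(drive_root, rel))}
    return report


def demo():
    """Constructed drive root holding the sample INF and the launcher it names."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_INF)
    with open(os.path.join(root, "MSDOS.bat"), "w") as f:
        f.write("@rem constructed stand-in for the dropped launcher\n")
    return triage_drive(root)


if __name__ == "__main__":
    for verb, info in demo().items():
        print(f"{verb:<14} -> {info['command']} (present: {info['present']})")
```

The trigger only fires where Autorun is honoured for removable media: Windows 7 ignores autorun.inf on USB drives, and KB971029 back-ported that behaviour to XP and Vista, so on patched hosts this vector reduces to a user opening MSDOS.bat by hand. A drive whose INF points at a launcher that is no longer present usually means the launcher was already cleaned while the INF was missed.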

Backdoor Routine

This Trojan executes the following commands from a remote malicious user:

  • Access sites
  • Download and execute files
  • Infect files
  • Spread itself via removable drives

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • kvsrvxp.exe
  • kissvc.exe

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

  • http://c.{BLOCKED}m.com/config.txt
  • http://w.{BLOCKED}b.cn/config.txt
  • http://x.{BLOCKED}1.net/x.txt

It saves the files it downloads using the following names:

  • %System%\windows.txt

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)