redwolfe_98
WORM_MUMU.A (TrendMicro)
« on: Jul 1st, 2003, 3:39am »
The Cows Come Home - WORM_MUMU.A (Medium Risk)

WORM_MUMU.A attempts to spread by locating SMB network file shares, and then penetrating these shares using a list of weak administrator passwords. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops several files, including two malware components that Trend Micro detects as BAT_SPYBOT.A and TROJ_HACLINE.A.

Upon execution, the component MUMU.EXE drops the following components:

%Windows%\bboy.exe (21KB)
%System%\last.exe (21KB)
%System%\bboy.dll (37KB)
%System%\kavfind.exe (31KB)
%System%\psexec.exe (37KB)
%System%\IPCPass.txt (1KB)
%System%\mumu.exe (295KB)

The file MUMU.EXE is a copy of itself, while BBOY.EXE and LAST.EXE are identical components. BBOY.DLL is used for its key-logging activity. IPCPass.txt contains a list of pre-defined passwords used to penetrate SMB shares. It is detected as BAT_SPYBOT.A. PSEXEC.EXE is a legitimate program and KAVFIND.EXE is a Trojan detected as TROJ_HACLINE.A.

Both MUMU.EXE and LAST.EXE run simultaneously, the latter as the spawn or child process.

This worm also creates a registry entry that allows it to automatically execute at every Windows startup.

If you would like to scan your computer for WORM_MUMU.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_MUMU.A is detected and cleaned by Trend Micro pattern file #576 and above.
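A triage check for the dropped files listed in the post, as an added example that is not part of the original post and not Trend Micro's tooling. It assumes the caller supplies the %Windows% and %System% directories (live or from a mounted image); the function names, the 1 KB size tolerance and the verdict thresholds are this example's own assumptions.

```python
import os

# Dropped files as listed in the advisory: (location, name, rounded size in KB).
DROPPED = [
    ("windows", "bboy.exe", 21), ("system", "last.exe", 21),
    ("system", "bboy.dll", 37), ("system", "kavfind.exe", 31),
    ("system", "psexec.exe", 37), ("system", "ipcpass.txt", 1),
    ("system", "mumu.exe", 295),
]
DUAL_USE = {"psexec.exe"}  # legitimate program per the advisory; weak evidence alone

def scan(windows_dir, system_dir, tolerance_kb=1):
    """Return (verdict, hits). Verdict thresholds are this example's assumption."""
    roots = {"windows": windows_dir, "system": system_dir}
    hits = []
    for loc, name, kb in DROPPED:
        try:
            entries = os.listdir(roots[loc])
        except OSError:
            continue  # directory missing or unreadable
        # Case-insensitive match: a mounted image may preserve any casing.
        for entry in entries:
            path = os.path.join(roots[loc], entry)
            if entry.lower() == name and os.path.isfile(path):
                size_kb = round(os.path.getsize(path) / 1024)
                hits.append({"name": name, "path": path,
                             "size_match": abs(size_kb - kb) <= tolerance_kb})
    strong = [h for h in hits if h["name"] not in DUAL_USE]
    if not hits:
        verdict = "clean"
    elif not strong:
        verdict = "inconclusive"      # only psexec.exe present
    elif any(h["size_match"] for h in strong):
        verdict = "likely infected"   # name and size both agree with the advisory
    else:
        verdict = "suspicious"        # name matches, size does not
    return verdict, hits

def build_constructed_tree(root, files):
    """Create a constructed test tree; files maps (location, name) -> size in bytes."""
    dirs = {"windows": os.path.join(root, "WINDOWS"),
            "system": os.path.join(root, "WINDOWS", "system32")}
    for d in dirs.values():
        os.makedirs(d, exist_ok=True)
    for (loc, name), size in files.items():
        with open(os.path.join(dirs[loc], name), "wb") as fh:
            fh.write(b"\0" * size)
    return dirs["windows"], dirs["system"]
```

A "clean" verdict only means none of the listed file names were found in the two directories; the registry entry mentioned in the post is not checked because the post does not give the key.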