
BAT/Mumu.worm

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2003-06-02

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5400.1158

File Length

Varies

Description Added

2003-06-02

Description Modified

2003-06-02

Malware Proliferation

-- Update June 03, 2003 --
Avert has received a handful of field reports of this worm. Files submitted suggest that there may be many more versions of this worm to come. The file names and paths represented here are easily changed, and samples received already deviate from those mentioned. It is also foreseeable that other applications and malware may be thrown into these scripts, and future infections may vary in functionality. This description is meant as a guide.

This worm uses a set of batch files, a few utility programs, and a trojan to spread. It copies a set of many different files to target systems and remotely executes a batch file on each system to spread further. The worm scans for IP addresses to infect, copies over the various files, and runs again. It does not contain a damaging payload. The worm intends to capture typed keystrokes and send email to a configured address. However, some samples received by AVERT have the key program (PCGhost) replaced with the nView Desktop Manager application. The worm can continue to propagate, spreading this innocent file along the way. PCGhost is a "Potentially Unwanted Program" that monitors system usage, including typed keystrokes, logs this information to a file, and can send the information to a defined email address.

The following files are associated with this worm.

  • 10.BAT: Runs HFind.exe, calls other BAT files
  • hack.bat: Attempts to copy all other files to remote share (admin$\system32) and remotely execute START.BAT
  • HFind.exe: IPCScan trojan
  • ipc.bat: Loops through IP list and calls HACK.BAT
  • IPCPass.txt: Temp file
  • MUMA.BAT: Creates log file and runs NWIZ.EXE
  • NEAR.BAT: Creates temp file and calls 10.bat
  • NWIZe.EXE: NVidia Desktop Manager application [some samples contain the PCGhost application instead]
  • NWIZe.INI: NWIZe.exe config file
  • NWIZe.IN_: NWIZe.exe config file
  • pcMsg.dll: PCGhost application file
  • PSEXEC.EXE: Remote Process Launch application
  • RANDOM.BAT: Creates random numbers, used for IP addresses to ping
  • rep.EXE: String replace application
  • replace.bat: Calls rep.exe with parameters
  • START.BAT: Main program that calls other BAT files
  • tihuan.txt: Work file

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Stand-alone remover
Stinger has been updated to detect and remove the virus and trojan components of this threat.

Many share-jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords, many can also use the credentials of the currently logged-on user, meaning that if a super-administrator or domain admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of the default administrative shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script or placed in the startup folder.

  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete
Certain files associated with this threat are considered to be "Potentially Unwanted Programs" and will not be removed with the DAT files.

For VirusScan 4.x users who would like to detect this program on their system, they can run the command line scanner with the /PROGRAM switch.

  1. Click the START button
  2. Click RUN
  3. Type COMMAND and hit ENTER
  4. Type:

    c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub

    and hit ENTER.

Users running VirusScan 7 or later can also enable application or joke detection via the configuration option "Find potentially unwanted programs" (in the Advanced section) within the VirusScan GUI:

Corporate Users:

This applies for the VirusScan 7 Enterprise On-Access scanner too.

Retail Users:

This does not apply for the VirusScan 7 Retail On-Access scanner.

The following files should be removed manually, if unwanted (these files are not detected as trojan or virus by the scanner, some are detected as applications):

NOTE: It is possible to have unrelated files bearing the same name on an infected, or non-infected, system. Therefore care should be taken before deleting any file based on the name alone. Additionally, filenames displayed here can vary.

  • A.LOG
  • A.TMP
  • B.TMP
  • IPCPass.txt
  • ntservice.exe
  • NWIZ_.exe
  • NWIZe.IN_
  • pcMsg.dll
  • PSEXEC.EXE
  • rep.EXE
  • space.txt
  • tihuan.txt
Edit the registry
The following registry key should be deleted manually to remove a service that may get created:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application
It may also be necessary to reset or delete the admin user account and/or remove it from the administrators group.

Additional Windows ME/XP removal considerations

This worm spreads via accessible shares (IPC$ and ADMIN$). Random IP addresses on the local class C subnet are targeted by the worm. It uses the HFind.exe trojan to retrieve accessible IP addresses and share passwords (via a dictionary-style attack). The worm then uses this information to copy itself to, and execute on, the target victim system.
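The spreading behaviour described here and in the share-hardening note above (dictionary guesses of "admin"/"administrator" against IPC$ and ADMIN$ on random hosts of the local class C) leaves a recognisable footprint in authentication logs. The following is an added detection example, not part of the McAfee description; the event format and the sample events are constructed for illustration, and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of SMB authentication attempts (not real logs).
# Fields: timestamp, source IP, target IP, share, username, result
SAMPLE_EVENTS = """\
2003-06-02T10:00:01 192.168.1.20 192.168.1.37 IPC$ administrator FAIL
2003-06-02T10:00:02 192.168.1.20 192.168.1.37 IPC$ admin FAIL
2003-06-02T10:00:02 192.168.1.20 192.168.1.141 IPC$ administrator FAIL
2003-06-02T10:00:03 192.168.1.20 192.168.1.141 IPC$ admin OK
2003-06-02T10:00:03 192.168.1.20 192.168.1.141 ADMIN$ admin OK
2003-06-02T10:00:05 192.168.1.20 192.168.1.9 IPC$ administrator FAIL
2003-06-02T10:00:06 192.168.1.20 192.168.1.9 IPC$ admin FAIL
2003-06-02T10:00:09 192.168.1.20 192.168.1.212 IPC$ administrator FAIL
2003-06-02T10:01:00 192.168.1.50 192.168.1.10 ADMIN$ backupsvc OK
"""

# Usernames the description says are tried, and the shares the worm relies on.
DICTIONARY_USERS = {"admin", "administrator"}
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$"}


def parse_events(text):
    """Parse the whitespace-separated constructed format into dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, share, user, result = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "share": share,
                       "user": user.lower(), "ok": result == "OK"})
    return events


def find_share_scanners(events, min_targets=3):
    """Return {src: summary} for sources that probe admin shares on several
    hosts of their own /24 using dictionary usernames. 'compromised' lists
    targets where a guess succeeded and so deserve the removal steps above."""
    by_src = defaultdict(lambda: {"targets": set(), "guesses": 0,
                                  "compromised": set()})
    for e in events:
        if e["share"] not in ADMIN_SHARES or e["user"] not in DICTIONARY_USERS:
            continue
        # The worm targets its own class C; scope the rule to that pattern.
        local = ip_network(e["src"] + "/24", strict=False)
        if ip_address(e["dst"]) not in local:
            continue
        rec = by_src[e["src"]]
        rec["targets"].add(e["dst"])
        rec["guesses"] += 1
        if e["ok"]:
            rec["compromised"].add(e["dst"])
    return {s: r for s, r in by_src.items() if len(r["targets"]) >= min_targets}
```

Sources flagged by this rule are candidates for the file and registry checks listed in this description; the service account on 192.168.1.50 is not flagged because it neither guesses dictionary names nor fans out across the subnet.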

Some strains contain a functioning PCGhost keylogging application and are configured to use the SMTP server SMTP.SINA.COM.CN and send key log files to a SINA.COM address. This is likely to vary in future strains.

Presence of the aforementioned files