TROJ_MUMA


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via network shares

MUMA is a family of worms that spreads via network shares. It propagates by authenticating to systems that have weak administrator passwords and copying its program to them. It also relies on several separate component files to carry out its routines.

When executed, MUMA variants steal information such as usernames and passwords. They also log keystrokes and send the gathered information through email. Their continual scanning of the network for vulnerable systems disrupts normal operations as well.
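The propagation described above leaves a characteristic trace on the targets: a burst of failed network (type 3) logons to the administrator account from one source, often followed by a successful network logon once a password from the worm's list matches. The following Python script, added here as an example and not part of this entry or of the malware, scans Security-log records for that pattern. The records, their pipe-separated layout and the threshold are constructed for the example; the event IDs it keys on are the Windows 2000/XP/2003 ones (529 logon failure, 528 successful logon, 540 successful network logon), and a real run would read them from the target host's Security log.

```python
"""Flag sources password-guessing against administrative shares, the way
MUMA spreads.  Added example, not Trend Micro's code.  The records are
constructed; a real run would read the Security log of the target host.
Assumed event IDs (Windows 2000/XP/2003): 529 logon failure, 528 successful
logon, 540 successful network logon; logon type 3 is a network (SMB) logon."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp|event_id|logon_type|account|source
SAMPLE_LOG = """\
2003-08-20 10:00:01|529|3|Administrator|192.168.1.50
2003-08-20 10:00:01|529|3|Administrator|192.168.1.50
2003-08-20 10:00:02|529|3|Administrator|192.168.1.50
2003-08-20 10:00:02|529|3|Administrator|192.168.1.50
2003-08-20 10:00:03|529|3|Administrator|192.168.1.50
2003-08-20 10:00:03|529|3|Administrator|192.168.1.50
2003-08-20 10:00:04|540|3|Administrator|192.168.1.50
2003-08-20 10:05:00|529|3|jsmith|192.168.1.77
2003-08-20 10:05:40|528|2|jsmith|192.168.1.77
2003-08-20 11:00:00|529|3|Administrator|192.168.1.90
2003-08-20 11:30:00|529|3|Administrator|192.168.1.90
"""

LOGON_FAILURE = 529
NETWORK_LOGON_OK = 540
NETWORK_LOGON_TYPE = 3


def parse_log(text):
    """Turn the pipe-separated records into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source": source,
        })
    return records


def find_share_bruteforce(records, threshold=5, window=timedelta(minutes=2)):
    """Return {source: {...}} for every source with at least `threshold`
    failed network logons inside `window`, recording the accounts tried and
    whether a successful network logon followed the burst (i.e. a password
    from the worm's list matched)."""
    by_source = defaultdict(list)
    for r in records:
        if r["logon_type"] == NETWORK_LOGON_TYPE:
            by_source[r["source"]].append(r)
    hits = {}
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r["time"])
        failures = [r for r in recs if r["event_id"] == LOGON_FAILURE]
        for i in range(len(failures)):
            # Sliding window: failures[i:j] all fall within `window` of failures[i].
            j = i
            while j < len(failures) and failures[j]["time"] - failures[i]["time"] <= window:
                j += 1
            burst = failures[i:j]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1]["time"]
            success_after = any(r["event_id"] == NETWORK_LOGON_OK and r["time"] >= burst_end
                                for r in recs)
            hits[source] = {
                "failures": len(burst),
                "accounts": sorted({r["account"] for r in burst}),
                "success_after": success_after,
            }
            break
    return hits


if __name__ == "__main__":
    for source, info in find_share_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(source, info)
```

Only type 3 logons are counted, so a user mistyping a password at the console (logon type 2) is not confused with share guessing, and a source that guesses slowly (the two failures half an hour apart in the sample) stays below the threshold; a source that reaches the threshold and then logs on successfully is the one whose machine should be isolated and checked for the files listed under Installation.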

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This Trojan drops the following component file(s):

  • %System%\IPCPass.txt
  • %System%\psexec.exe
  • %System%\kavfind.exe
  • %System%\last.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system and, over the ADMIN$ administrative share (which maps to the Windows directory of the machine that exports it), onto the systems it breaks into:

  • %System%\mumu.exe
  • Admin$\system32\mumu.exe
  • Admin$\Winnt\MUMU.EXE

Other System Modifications

This Trojan adds the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\mumu
{first three octets of the machine's IP address} = "{random hex}"

It adds the following registry key as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\mumu
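The dropped files and the registry marker above give a straightforward triage check. The following Python script, added here as an example rather than code from this entry, derives the expected registry value name from a host's IP address, parses a `reg query`-style dump of HKLM\SOFTWARE\mumu, maps the Admin$ entries to UNC paths for a remote check, and reports which indicators are present. The dump text, the file listing, the line layout it parses and the REG_SZ type of the marker are constructed assumptions for the example; on a live host the default `exists` (os.path.exists) and the real system folder are used instead of the constructed set.

```python
"""Triage a host for the MUMA artifacts listed in the advisory.
Added example; not Trend Micro's code and not the malware.  The registry
dump text, file listing and the reg query line layout are constructed."""
import os
import re
import ntpath

# File names exactly as listed in the advisory, relative to %System%.
COMPONENT_FILES = ["IPCPass.txt", "psexec.exe", "kavfind.exe", "last.exe"]
WORM_COPY = "mumu.exe"
# The Admin$ entries are paths under the ADMIN$ share, which maps to the
# Windows directory of the machine that exports it.
ADMIN_SHARE_COPIES = ["system32\\mumu.exe", "Winnt\\MUMU.EXE"]
MUMU_KEY = "HKLM\\SOFTWARE\\mumu"


def marker_value_name(ip):
    """Value name the worm writes under HKLM\\SOFTWARE\\mumu: the first
    three octets of the machine's IP address ('10.20.30' for 10.20.30.40)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % (ip,))
    return ".".join(octets[:3])


def parse_reg_query(text):
    """Parse reg query style output into {value_name: (type, data)}.
    Assumed layout: indented lines 'name<2+ spaces or tab>type<...>data';
    unindented lines are the key path, the banner or blank."""
    values = {}
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values


def admin_share_paths(host):
    """UNC paths to check on a remote machine for the Admin$ copies."""
    return ["\\\\%s\\ADMIN$\\%s" % (host, rel) for rel in ADMIN_SHARE_COPIES]


def triage(ip, reg_query_output, system_dir="C:\\WINDOWS\\system32",
           exists=os.path.exists):
    """Return a list of indicator strings found on the host."""
    findings = []
    values = parse_reg_query(reg_query_output)
    name = marker_value_name(ip)
    if name in values:
        vtype, data = values[name]
        kind = "hex" if re.fullmatch(r"[0-9A-Fa-f]+", data) else "non-hex"
        findings.append("%s\\%s = %s (%s, %s)" % (MUMU_KEY, name, data, vtype, kind))
    elif values:
        # The key exists but is named for another subnet: still an indicator.
        findings.append("%s present with value(s): %s"
                        % (MUMU_KEY, ", ".join(sorted(values))))
    for fname in COMPONENT_FILES + [WORM_COPY]:
        path = ntpath.join(system_dir, fname)
        if exists(path):
            findings.append("file present: " + path)
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_REG_QUERY = """
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\mumu
    192.168.1    REG_SZ    3fa9c07e
"""
SAMPLE_PRESENT = {
    "C:\\WINDOWS\\system32\\IPCPass.txt",
    "C:\\WINDOWS\\system32\\mumu.exe",
}

if __name__ == "__main__":
    for finding in triage("192.168.1.23", SAMPLE_REG_QUERY,
                          exists=lambda p: p in SAMPLE_PRESENT):
        print(finding)
    print(admin_share_paths("PC01"))
```

Because the value name is derived from the host's own /24, a key whose only value is named for a different subnet still counts as a finding; the data is reported as hex or non-hex rather than matched, since the advisory only says it is random. The system folder default is the XP/2003 one from the note above and should be set to C:\WINNT\System32 on Windows 2000.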