PE_MUMAWOW.BD-2

October 12, 2012

ALIASES:

TrojanDownloader:Win32/Small.gen!F (Microsoft); W32/Tufik (McAfee); W32.Tufik.B!inf (Symantec); Virus.Win32.Agent.ce (Kaspersky); BehavesLike.Win32.Malware.dlw (mx-v) (Sunbelt); Win32.Tufik.N (FSecure)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

410,112 bytes

File Type:

EXE

Memory Resident:

Initial Samples Received Date:

06 Feb 2012

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector creates the following folders:

%User Temp%\clt0295a

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other System Modifications

This file infector adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\International\CpMRU

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
23E594945195F2414803B4D564D2A3A3F5D88B8C
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4C95A9902ABE0777CED18D6ACCC3372D2748381E
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4BA7B9DDD68788E12FF852E1A024204BF286A8F6
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
47AFB915CDA26D82467B97FA42914468726138DD
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4463C531D7CCC1006794612BB656D3BF8257846F
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43F9B110D5BAFD48225231B0D0082B372FEF9A54
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43DDB1FFF3B49B73831407F6BC8B975023D07C50
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4072BA31FEC351438480F62E6CB95508461EAB2F
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
394FF6850B06BE52E51856CC10E180E882B385CC
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
36863563FD5128C7BEA6F005CFE9B43668086CCE
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
2F173F7DE99667AFA57AF80AA2D1B12FAC830338
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
284F55C41A1A7A3F8328D4C262FB376ED6096F24
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
273EE12457FDC4F90C55E82B56167F62F532E547
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\CA\Certificates\
2D69A20EC4F0CD19037FD6D6246B1EE0EC41BA22
Blob = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DirectDraw\MostRecentApplication
Name = "iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DirectDraw\MostRecentApplication
ID = "4117b81"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\International\CpMRU
Enable = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\International\CpMRU
Size = "a"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\International\CpMRU
InitHits = "64"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\International\CpMRU
Factor = "14"

Dropping Routine

This file infector drops the following files:

%User Temp%\clt0295a\clpages.cab
%User Temp%\clt0295a\apm_eula.txt
%User Temp%\clt0295a\apm_eula_txt.js
%User Temp%\clt0295a\bullet.gif
%User Temp%\clt0295a\b_arrow.gif
%User Temp%\clt0295a\cl.css
%User Temp%\clt0295a\cloudloader.js
%User Temp%\clt0295a\configure.htm
%User Temp%\clt0295a\download.htm
%User Temp%\clt0295a\error_kmd.htm
%User Temp%\clt0295a\error_p2p.htm
%User Temp%\clt0295a\eula_altnet.htm
%User Temp%\clt0295a\eula_kmd.htm
%User Temp%\clt0295a\eula_kmd_read.htm
%User Temp%\clt0295a\finish.htm
%User Temp%\clt0295a\icon_print.gif
%User Temp%\clt0295a\installing.htm
%User Temp%\clt0295a\kazaa_certified.gif
%User Temp%\clt0295a\kmd_eula.txt
%User Temp%\clt0295a\kmd_eula_txt.js
%User Temp%\clt0295a\tick.gif
%User Temp%\clt0295a\welcome.htm

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other Details

This file infector connects to the following possibly malicious URL:

http://www.{BLOCKED}yu.com/lsass1.exe

This report is generated via an automated analysis system.

SOLUTION

Minimum Scan Engine:

9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
- CpMRU

Step 3

Delete this registry value

[ Learn More ]

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43F9B110D5BAFD48225231B0D0082B372FEF9A54
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43DDB1FFF3B49B73831407F6BC8B975023D07C50
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4072BA31FEC351438480F62E6CB95508461EAB2F
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F173F7DE99667AFA57AF80AA2D1B12FAC830338
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\284F55C41A1A7A3F8328D4C262FB376ED6096F24
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\273EE12457FDC4F90C55E82B56167F62F532E547
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2D69A20EC4F0CD19037FD6D6246B1EE0EC41BA22
- Blob = "{random values}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
- Name = "iexplore.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
- ID = "4117b81"

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
- Enable = "1"

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
- Size = "a"

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
- InitHits = "64"

In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
- Factor = "14"

To delete the registry value this malware/grayware created:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>23E594945195F2414803B4D564D2A3A3F5D88B8C
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4C95A9902ABE0777CED18D6ACCC3372D2748381E
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4BA7B9DDD68788E12FF852E1A024204BF286A8F6
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>47AFB915CDA26D82467B97FA42914468726138DD
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4463C531D7CCC1006794612BB656D3BF8257846F
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>43F9B110D5BAFD48225231B0D0082B372FEF9A54
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>43DDB1FFF3B49B73831407F6BC8B975023D07C50
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>4072BA31FEC351438480F62E6CB95508461EAB2F
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>394FF6850B06BE52E51856CC10E180E882B385CC
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>36863563FD5128C7BEA6F005CFE9B43668086CCE
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>2F173F7DE99667AFA57AF80AA2D1B12FAC830338
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>284F55C41A1A7A3F8328D4C262FB376ED6096F24
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>273EE12457FDC4F90C55E82B56167F62F532E547
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>AuthRoot>Certificates>24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>SystemCertificates>CA>Certificates>2D69A20EC4F0CD19037FD6D6246B1EE0EC41BA22
In the right panel, locate and delete the entry:
Blob = "{random values}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>DirectDraw>MostRecentApplication
In the right panel, locate and delete the entry:
Name = "iexplore.exe"
Again In the right panel, locate and delete the entry:
ID = "4117b81"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>International>CpMRU
In the right panel, locate and delete the entry:
Enable = "1"
Again In the right panel, locate and delete the entry:
Size = "a"
Again In the right panel, locate and delete the entry:
InitHits = "64"
Again In the right panel, locate and delete the entry:
Factor = "14"
Close Registry Editor.

Step 4

Search and delete these files

[ Learn More ]

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%User Temp%\clt0295a\clpages.cab
%User Temp%\clt0295a\apm_eula.txt
%User Temp%\clt0295a\apm_eula_txt.js
%User Temp%\clt0295a\bullet.gif
%User Temp%\clt0295a\b_arrow.gif
%User Temp%\clt0295a\cl.css
%User Temp%\clt0295a\cloudloader.js
%User Temp%\clt0295a\configure.htm
%User Temp%\clt0295a\download.htm
%User Temp%\clt0295a\error_kmd.htm
%User Temp%\clt0295a\error_p2p.htm
%User Temp%\clt0295a\eula_altnet.htm
%User Temp%\clt0295a\eula_kmd.htm
%User Temp%\clt0295a\eula_kmd_read.htm
%User Temp%\clt0295a\finish.htm
%User Temp%\clt0295a\icon_print.gif
%User Temp%\clt0295a\installing.htm
%User Temp%\clt0295a\kazaa_certified.gif
%User Temp%\clt0295a\kmd_eula.txt
%User Temp%\clt0295a\kmd_eula_txt.js
%User Temp%\clt0295a\tick.gif
%User Temp%\clt0295a\welcome.htm

Step 5

Search and delete this folder

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%User Temp%\clt0295a

Step 6

Scan your computer with your Trend Micro product to clean files detected as PE_MUMAWOW.BD-2. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

PE_MUMAWOW.BD-2

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

PE_MUMAWOW.BD-2

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific