From Sophos: http://www.sophos.com/

"Aliases: HackTool.Win32.Hucline, Bat/Muma-A

Type: Batch file worm

Detection: A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the August 2003 (3.72) release of Sophos Anti-Virus. At the time of writing Sophos has received just one report of this worm from the wild.

Description:

Bat/Mumu-B, like Bat/Mumu-A, is a network worm that consists of a collection of hacking tools and scripts used to discover and exploit common configuration problems of the IPC$ share on Windows computers. Vulnerable systems are found by scanning random IP addresses.

The worm spreads by copying the files ntservice.bat and ipcnl.exe to the Windows system32 folder of the remote machine.

Bat/Mumu-B uses the Trojan Troj/Hacline-A to scan remote machines. The worm starts the Trojan Troj/PcGhost that logs keystrokes and steals passwords and attempts to send them to a preconfigured email account at certain intervals.

Bat/Mumu-B also attempts to weaken the security of the computer by creating an Administrator account for the username KKKKKKK.

Bat/Mumu-A mainly consists of the following BAT files:

10.BAT
HACK.BAT
IPC.BAT
MUMA.BAT
NEAR.BAT
RANDOM.BAT
REPLACE.BAT
START.BAT
SS.BAT

with TXT files:

IPCPASS.TXT
NWIZE.IN_
NTSERVICE.INI
SPACE.TXT
TIHUAN.TXT

and also contains the following clean executables:

PSEXEC.EXE (A networking utility)
REP.EXE (A string manipulation utility)
PCMSG.DLL (A legitimate utility associated with logging keystrokes)
NTSERVICE.EXE (A utility to start services under Windows NT)"

Regards,
Jade.