Bat/Mumu-B

Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

    From Sophos: http://www.sophos.com/

    "Aliases
    HackTool.Win32.Hucline, Bat/Muma-A

    Type
    Batch file worm

    Detection
    A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the August 2003 (3.72) release of Sophos Anti-Virus.

    At the time of writing Sophos has received just one report of this worm from the wild.


    Description
    Bat/Mumu-B, like Bat/Mumu-A, is a network worm that consists of a collection of hacking tools and scripts used to discover and exploit common configuration problems of the IPC$ share on Windows computers.

    Vulnerable systems are found by scanning random IP addresses. The worm spreads by copying the files ntservice.bat and ipcnl.exe to the Windows system32 folder of the remote machine.

    Bat/Mumu-B uses the Trojan Troj/Hacline-A to scan remote machines.

    The worm starts the Trojan Troj/PcGhost that logs keystrokes and steals passwords and attempts to send them to a preconfigured email account at certain intervals.

    Bat/Mumu-B also attempts to weaken the security of the computer by creating an Administrator account for the username KKKKKKK.

    Bat/Mumu-A mainly consists of the following BAT files:
    10.BAT
    HACK.BAT
    IPC.BAT
    MUMA.BAT
    NEAR.BAT
    RANDOM.BAT
    REPLACE.BAT
    START.BAT
    SS.BAT

    with TXT files:
    IPCPASS.TXT
    NWIZE.IN_
    NTSERVICE.INI
    SPACE.TXT
    TIHUAN.TXT

    and also contains the following clean executables:
    PSEXEC.EXE (A networking utility)
    REP.EXE (A string manipulation utility)
    PCMSG.DLL (A legitimate utility associated with logging keystrokes).
    NTSERVICE.EXE (A utility to start services under Windows NT)"


    Regards, Jade.
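A local hunt check for the artifacts named in the advisory above (the two files dropped into System32 and the KKKKKKK account), added here as an example; it is not part of the forum post or the Sophos write-up. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated prompt, and that the dropped files keep the names given in the advisory.

```powershell
# Added example (not from the post or the Sophos advisory): checks a local Windows
# host for the Bat/Mumu-B artifacts named in the advisory. Assumes PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.
$RogueAccount = 'KKKKKKK'
$DroppedFiles = @('ntservice.bat', 'ipcnl.exe')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Files the worm copies into %SystemRoot%\System32 on a compromised host.
foreach ($name in $DroppedFiles) {
    $path = Join-Path $env:SystemRoot ("System32\" + $name)
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $findings.Add([pscustomobject]@{
            Indicator = 'DroppedFile'
            Detail    = $path
            Note      = "last written $($item.LastWriteTime)"
        })
    }
}

# 2. The account the worm creates, and whether it sits in local Administrators.
$acct = Get-LocalUser -Name $RogueAccount -ErrorAction SilentlyContinue
if ($acct) {
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    # Get-LocalGroupMember reports names as COMPUTER\user, hence the wildcard prefix.
    $isAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$RogueAccount" })
    $findings.Add([pscustomobject]@{
        Indicator = 'RogueAccount'
        Detail    = $acct.Name
        Note      = $(if ($isAdmin) { 'member of Administrators' } else { 'not in Administrators' })
    })
}

# Report. A clean host prints one line and exits 0; any hit lists the findings and
# exits 1 so the script can be driven from a scheduled task or management tool.
if ($findings.Count -eq 0) {
    Write-Output "No Bat/Mumu-B artifacts found on $env:COMPUTERNAME."
    exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

A hit on the account check alone does not prove infection, since the name could have been created legitimately; confirm against the file check and the account's creation time before acting.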