Muma

Classification

Category:

Malware

Aliases:

  • Muma
  • Worm.Win32.Muma
  • HackTool.Win32.Hucline
  • Mumu
  • W32/Muma
  • BAT/Muma.A
  • BAT/Passer.A

Summary

The Muma.B variant of the worm has been discovered in the wild. The modifications are minimal and mainly lie in the script files that control the worm's behavior, without affecting the general actions it performs. The changes might have been aimed at making the scripts harder to detect.

F-Secure Anti-Virus detects most of the files, since they are basically identical to those contained in the previous variant.

Removal

Technical Details

Variant:Muma.A

Muma is a network worm that consists of a few batch scripts, a few utilities and a hacker's tool called Hucline. It was first reported in the wild on June 3, 2003.

The worm uses the Hucline hacker's tool to scan for vulnerable computers, then tries to connect to the IPC$ share and copy its files to the Windows System folder of the remote computer. After that, the worm starts its main file on the remote computer; that computer becomes infected and spreads the worm further.

The worm's package we received contained the following files:

  • 10.BAT
  • A.LOG
  • HACK.BAT
  • HFIND.EXE
  • IPC.BAT
  • IPCPASS.TXT
  • MUMA.BAT
  • NEAR.BAT
  • NTSERVICE.BAT
  • NTSERVICE.EXE
  • NTSERVICE.INI
  • NWIZE.IN_
  • NWIZ_.EXE
  • PCMSG.DLL
  • PSEXEC.EXE
  • RANDOM.BAT
  • REP.EXE
  • REPLACE.BAT
  • SPACE.TXT
  • SS.BAT
  • START.BAT
  • TIHUAN.TXT

The 10.BAT file is one of the worm's main components. It starts the HFIND.EXE hacker's utility to search for vulnerable computers, then starts the IPC.BAT file, which in turn calls the spreading script HACK.BAT for each found computer in a loop.

The HFIND.EXE hacker's utility scans for vulnerable computers and tries pre-defined passwords to gain access to the admin share. The passwords are taken from the IPCPASS.TXT file.

The IPC.BAT file calls the spreading script HACK.BAT in a loop.

The HACK.BAT file connects to the IPC$ share of a vulnerable computer and copies all the above files to the \admin$\System32\ folder, which is the Windows System folder of the remote computer. After that, the NTSERVICE.BAT file is executed on the remote computer with the help of the PSEXEC.EXE utility.

The NTSERVICE.BAT file stops the service called 'Application' and then restarts it with the help of the NTSERVICE.EXE file. The new Application service settings are taken from the NTSERVICE.INI file; for the current worm variant, the service runs the SS.BAT file.

The SS.BAT file adds a user called 'admin' with the password 'KKKKKKK' to the administrators group and then uses the PSEXEC.EXE utility to run the START.BAT file under the newly created account. That file is the worm's main component.

The START.BAT file is the worm's main component: it performs the worm's initial setup and then calls the 10.BAT file to spread to other vulnerable computers.

The PCMSG.DLL file is a PCGhost spying utility that allows monitoring of activity on an infected computer. It creates a log file where it stores the titles of all opened application windows, visited URLs, and keyboard and mouse events.

The PSEXEC.EXE file is a utility to start or kill services on remote computers. It is used twice by the worm to start the services it needs.

The remaining files are used by the worm at different stages of its life cycle.

Variant:Muma.B

One difference from the previous variant is in how it spreads through the network to new computers: the previous variant copied 21 files to the System32 folder inside the main Windows folder of the remote machine. The files were:

  • 10.BAT
  • hack.bat
  • HFind.exe
  • ipc.bat
  • IPCPass.txt
  • MUMA.BAT
  • NWIZ_.EXE
  • NWIZe.IN_
  • pcMsg.dll
  • psexec.exe
  • RANDOM.BAT
  • rep.EXE
  • replace.bat
  • START.BAT
  • tihuan.txt
  • space.txt
  • NEAR.BAT
  • ntservice.exe
  • NTService.ini
  • ntservice.bat
  • SS.bat

This new variant copies only two files, one of which is a ZIP archive containing all the files belonging to the worm:

  • NTSERVICE.BAT
  • IPCNL.EXE

When trying to access a computer on the network, it attempts to gain access by trying default accounts with passwords from the following list:

  • %null%
  • %username%
  • %username%12
  • %username%123
  • %username%1234
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 654321
  • 54321
  • 1
  • 111
  • 11111
  • 111111
  • 11111111
  • 000000
  • 00000000
  • 888888
  • 88888888
  • 5201314
  • pass
  • passwd
  • password
  • sql
  • database
  • admin
  • root
  • secret
  • oracle
  • sybase
  • test
  • server
  • computer
  • Internet
  • super
  • user
  • manager
  • security
  • public
  • private
  • default
  • 1234qwer
  • 123qwe
  • abcd
  • abc123
  • 123abc
  • abc
  • 123asd
  • asdf
  • asdfgh
  • !@#$
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • KKKKKKK
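The list above is only useful to a defender if it can be turned into an audit. The following Python script is an added example, not part of the F-Secure description or the worm's code: it embeds the 61 entries exactly as listed, expands the template entries for a given account (assuming, as the names suggest, that %null% means a blank password and %username% is the account name), and reports which entry would have let the worm into an account. The sample accounts in the script are constructed for the demonstration.

```python
# Added example (not F-Secure's code): audit account passwords against the
# dictionary Muma.B tries when connecting to the IPC$ share.
# Assumptions: %null% is the empty password; %username% is the account name.

MUMA_B_PASSWORD_LIST = [
    "%null%", "%username%", "%username%12", "%username%123", "%username%1234",
    "123", "1234", "12345", "123456", "1234567", "12345678", "654321", "54321",
    "1", "111", "11111", "111111", "11111111", "000000", "00000000",
    "888888", "88888888", "5201314",
    "pass", "passwd", "password", "sql", "database", "admin", "root",
    "secret", "oracle", "sybase", "test", "server", "computer", "Internet",
    "super", "user", "manager", "security", "public", "private", "default",
    "1234qwer", "123qwe", "abcd", "abc123", "123abc", "abc", "123asd",
    "asdf", "asdfgh",
    "!@#$", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*", "!@#$%^&*(", "!@#$%^&*()",
    "KKKKKKK",
]


def expand_password_list(username):
    """Return the concrete guesses the worm would try for `username`, in list order."""
    guesses = []
    for entry in MUMA_B_PASSWORD_LIST:
        if entry == "%null%":
            guesses.append("")  # blank password
        else:
            guesses.append(entry.replace("%username%", username))
    return guesses


def matching_entry(username, password):
    """Return the dictionary entry that would have guessed `password`, or None.

    The comparison is exact (case-sensitive), as a literal string list would
    be tried; an auditor wanting a stricter policy can lower-case both sides.
    """
    for entry, guess in zip(MUMA_B_PASSWORD_LIST, expand_password_list(username)):
        if password == guess:
            return entry
    return None


def audit_accounts(accounts):
    """accounts: {username: password}. Returns {username: matched entry} for weak ones."""
    flagged = {}
    for username, password in accounts.items():
        entry = matching_entry(username, password)
        if entry is not None:
            flagged[username] = entry
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration, not real credentials.
    sample = {
        "svc_backup": "svc_backup123",  # matches the %username%123 template
        "admin": "KKKKKKK",             # the account and password SS.BAT creates
        "guest": "",                    # blank password, matches %null%
        "jdoe": "fK2#pL9vQx!",          # not in the list
    }
    for user, entry in audit_accounts(sample).items():
        print(f"{user}: would be guessed via dictionary entry {entry!r}")
```

Run against an export of local account names and their candidate passwords (for example, during a password-policy review) to find accounts the worm could walk straight into; the output names the template or literal entry, which tells you whether the weakness is the username-based pattern or a fixed string.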

Variant:Muma.C

The Muma.C worm was found at the end of June 2003. The worm spreads in local networks and infects only computers running Windows NT, 2000 and XP.

The worm's main file name is MUMU.EXE. The worm itself is an installation package that, when run, copies itself as MUMU.EXE to the Windows System folder, then drops and activates other files. This worm variant drops the following files:

  • last.exe - data stealing trojan
  • bboy.dll - keylogger DLL that is dropped by the above mentioned trojan
  • psexec.exe - a utility to start or kill services on remote computers
  • kavfind.exe - a hacker's utility to scan for vulnerable computers (Hucline)
  • ipspass.txt - a list of pre-defined passwords

The worm also drops the BBOY.EXE file to the Windows folder. This file is identical to the LAST.EXE file.

The LAST.EXE data-stealing trojan installs the BBOY.DLL keylogger, which saves the user's passwords to the QJINFO.INI file. This file is then sent to a hacker by email.

The worm scans for vulnerable computers with the help of the Hucline utility and, if such a computer is found, copies itself as MUMU.EXE to the remote Windows System folder (usually \WinNT\System32\ or \Windows\System32\) and activates that file on the remote computer. The remote computer becomes infected and the worm continues to spread from it.

Variant:Muma.D

The operations performed by this variant differ little from the ones performed by the other known variants.

The worm scans the local network for hosts to infect and copies its files to the hosts found to be vulnerable. The files:

  • 11.BAT
  • 13.BAT
  • ipc2.BAT
  • NWZI.EXE
  • 10.BAT
  • hfind.exe

will be copied into the folder:

%systemdir%\

and it will then copy the local folder "files\" to the remote host as:

%systemdir%\txp\

Here %systemdir% stands for the Windows System32 folder.

It will then attempt to remotely execute its installation script "osinstall.bat" inside the txp folder.

This script calls another small script, which copies "folderdel.bat" into

%systemdir%\spool\printers

Scripts contained in this variant (apart from the binary tools, which are detected by FSAV) are:

  • 10.bat
  • 11.bat
  • 13.bat
  • folderdel.bat
  • hack.bat
  • hacked.bat
  • ipc2.bat
  • mhack.bat
  • osinstall.bat
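The four variant descriptions above share a pattern: each drops a recognisable set of file names into the System32 folder, and Muma.A additionally creates a local 'admin' account. The Python script below is an added example (not F-Secure's code) that triages a host's System32 listing and local account names against those file names, attributing the best-matching variant. The per-variant file sets are taken from the descriptions above; treating psexec.exe as non-distinctive (it is a legitimate tool) and matching the account name case-insensitively are my assumptions, and the directory listing and account names in the script are constructed.

```python
# Added example (not F-Secure's code): triage a System32 listing and local
# account names against the file names the Muma descriptions give per variant.
import ntpath

# File names per variant, lower-cased, taken from the description above.
MUMA_FILE_MARKERS = {
    "Muma.A": {
        "10.bat", "a.log", "hack.bat", "hfind.exe", "ipc.bat", "ipcpass.txt",
        "muma.bat", "near.bat", "ntservice.bat", "ntservice.exe", "ntservice.ini",
        "nwize.in_", "nwiz_.exe", "pcmsg.dll", "psexec.exe", "random.bat",
        "rep.exe", "replace.bat", "space.txt", "ss.bat", "start.bat", "tihuan.txt",
    },
    "Muma.B": {"ntservice.bat", "ipcnl.exe"},
    "Muma.C": {"mumu.exe", "last.exe", "bboy.dll", "bboy.exe", "psexec.exe",
               "kavfind.exe", "ipspass.txt", "qjinfo.ini"},
    "Muma.D": {"10.bat", "11.bat", "13.bat", "ipc2.bat", "nwzi.exe", "hfind.exe",
               "folderdel.bat", "hack.bat", "hacked.bat", "mhack.bat", "osinstall.bat"},
}

# Assumption: legitimate tools the worm ships do not count as evidence on their own.
NON_DISTINCTIVE = {"psexec.exe"}

# Account the SS.BAT script creates on Muma.A victims.
WORM_ACCOUNT = "admin"


def match_variants(paths):
    """Map each variant to the sorted distinctive file names found in `paths`."""
    names = {ntpath.basename(p).lower() for p in paths}  # handles Windows paths anywhere
    hits = {}
    for variant, markers in MUMA_FILE_MARKERS.items():
        found = sorted((names & markers) - NON_DISTINCTIVE)
        if found:
            hits[variant] = found
    return hits


def best_match(paths):
    """Return (variant, files) for the variant with the most distinctive hits.

    Ties are broken by variant name so the result is deterministic; returns
    (None, []) when nothing distinctive is present.
    """
    hits = match_variants(paths)
    if not hits:
        return None, []
    variant = min(hits, key=lambda v: (-len(hits[v]), v))
    return variant, hits[variant]


def suspicious_accounts(local_accounts):
    """Return local account names equal to the one the worm creates (case-insensitive)."""
    return sorted(a for a in local_accounts if a.lower() == WORM_ACCOUNT)


def triage(paths, local_accounts):
    """Combine the file and account checks into one report."""
    variant, files = best_match(paths)
    accounts = suspicious_accounts(local_accounts)
    return {
        "variant": variant,
        "files": files,
        "accounts": accounts,
        "suspicious": variant is not None or bool(accounts),
    }


if __name__ == "__main__":
    # Constructed listing for a hypothetical host; kernel32.dll is a benign decoy.
    listing = [
        r"C:\WINNT\System32\MUMA.BAT",
        r"C:\WINNT\System32\HFind.exe",
        r"C:\WINNT\System32\NTService.ini",
        r"C:\WINNT\System32\psexec.exe",
        r"C:\WINNT\System32\kernel32.dll",
    ]
    print(triage(listing, ["Administrator", "Guest", "admin"]))
```

Feed it the output of a directory listing of System32 (and of the txp subfolder for Muma.D) plus the local user list; a match on two or more distinctive names, or an unexpected 'admin' account, is reason to pull the host for a full scan. hfind.exe appears in both the A and D sets, so a single hit can be ambiguous, which is why the report shows the file names rather than only the variant.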
