Threat description



Update 2003-06-18 11:00 GMT

Muma.B variant of the worm has been discovered in the wild. The modifications are minimal and mainly lie in the script files controlling the behavior of the worm. Although without affecting to the general actions performed. The changes might have been aimed to render the scripts undetectable.

F-Secure Anti-Virus detects most of the files as they are basically identical to the ones contained in the previous variant.


Disinfection Instructions for Muma.A worm

It is strongly recommended to use FSAV 5.40 or later version to disinfect Muma worm. Disinfection procedure should be as follows:

1. Disable network sharing or kill a network (this is recommended, but not obligatory if you have FSAV 5.40 or later version).

2. Scan all computers with FSAV and the latest updates.

3. Select 'Disinfect' action for all found worm's files. The infected files should be renamed instantly or after system restart.

4. Restart disinfected computers. Make sure that FSAV's on-access scanner is active before restart.

5. After restart it is recommended to re-scan all hard drives with FSAV to make sure that no infections are left.

6. Re-enable network connections (if you disabled them) only after you clean all infected computers.

Important notes:

FSAV might not rename a hacker's tool Hucline if you select 'Disinfect' action. You can either select 'Rename' action for this file or remove that file manually. That file is not dangerous without worm's scripts anyway.

If you do not want to take down a network, make sure that all computers have FSAV's on-access scanner enabled and that they have the latest updates. In this case FSAV will rename infected files coming from a network before they can be activated - a computer would be protected from infection. Keep in mind that all unprotected computers might become re-infected if you keep a network alive with at least one infected system.

Disinfection Instructions for Muma.B worm

It should suffice with following the instructions given above for the previous variant.

Additionally, after those steps have been completed, the user can manually remove any files that appear in the lists given in this description as belonging to the worm, as some non malicious files bundled with the worm are not removed by the Anti-Virus.

Disinfection Instructions for Muma.C worm

To manually disinfect a computer from Muma.C worm please follow these instructions:

1. Disable network sharing.

2. Kill processes of MUMU.EXE, BBOY.EXE and LAST.EXE files.

3. Delete the above mentioned files from a system together with BBOY.DLL file. You can also delete PSEXEC.EXE and KAVFIND.EXE files.

4. Change passwords and logins on an infected computer, do not use 'weak' passwords that are simple to guess.

5. Re-enable network only after all infected computers are cleaned.

Disinfection Instructions for Muma.D worm

Disinfection of this variant follow a similar pattern as for previous ones:

1. Disable network sharing.

2. Kill processes of MUMU.EXE, BBOY.EXE and LAST.EXE files.

3. Remove any running executables detected by FASV.

4. Change passwords and logins on an infected computer, do not use 'weak' passwords that are simple to guess.

5. Re-enable network only after all infected computers are cleaned.

Technical Details


Muma is a network worm that consists of a few batch scripts, a few utilities and a hacker's tool called Hucline. It was first reported in the wild on June 3, 2003.

The worm uses Hucline hacker's tool to scan for vulnerable computers and then it tries to connect to IPC$ share and to copy its files to Windows System folder of remote computers. After that the worm starts its main file on a remote computer and that computer becomes infected and spreads the worm further on.

The worm's package we received contained the following files:


The 10.BAT file is one of the main worm's components. It starts HFIND.EXE hacker's utility to search for vulnerable computers. Then it starts the IPC.BAT file that in its turn calls the spreading script HACK.BAT for all found computers in a loop.

The HFIND.EXE hacker's utility will scan for vulnerable computers and will try to use pre-defined passwords to get access admin share. The passwords are taken from IPCPASS.TXT file.

The IPC.BAT file calls the spreading script HACK.BAT in a loop.

The HACK.BAT file connects to the IPC$ share of a vulnerable computer and copies all the above files to \admin$\System32\ folder which is a Windows System folder of a remote computer. After that the NTSERVICE.BAT file is executed on a remote computer with the help of PSEXEC.EXE utility.

The NTSERVICE.BAT file stops the service called 'Application' and then restarts it with the help of NTSERVICE.EXE file. The new Application service settings are taken from NTSERVICE.INI file and for current worm variant that service is SS.BAT file.

The SS.BAT file adds a user called 'admin' with password 'KKKKKKK' to administrator's group and then uses PSEXEC.EXE utility to activate the START.BAT file for the newly created account. That file is the main worm's component.

The START.BAT file is the main worm's component that performs initial setups for the worm and then calls 10.BAT file to spread itself to other vulnerable computers.

The PCMSG.DLL file is a PCGhost spying utility that allows to monitor activities on an infected computer. It creates a log file where it stores titles of all opened application windows, visited URLs, keyboard and mouse events.

The PSEXEC.EXE file is a utility to start or kill services on remote computers. It is used 2 times by the worm to start needed services.

Other files used are used by the worm at different stages of its life-cycle.


A difference between this and the previous variant is that, when spreading through the network to new computers, the previous copies 21 files to the remote machine in System32 inside the main Windows folder. The files were:

 10.BAT  hack.bat  HFind.exe  ipc.bat  IPCPass.txt  MUMA.BAT  NWIZ_.EXE  NWIZe.IN_  pcMsg.dll  psexec.exe  RANDOM.BAT  rep.EXE  replace.bat  START.BAT  tihuan.txt  space.txt  NEAR.BAT  ntservice.exe  NTService.ini  ntservice.bat  SS.bat    

This new variant copies only two files, one of them is a zip archive containing all the files belonging to the worm, specifically:


When trying to access computer on the network it attempts to gain access trying default accounts with passwords form the following list:

 %null%  %username%  %username%12  %username%123  %username%1234  123  1234  12345  123456  1234567  12345678  654321  54321  1  111  11111  111111  11111111  000000  00000000  888888  88888888  5201314  pass  passwd  password  sql  database  admin  root  secret  oracle  sybase  test  server  computer  Internet  super  user  manager  security  public  private  default  1234qwer  123qwe  abcd  abc123  123abc  abc  123asd  asdf  asdfgh  !@#$  !@#$%  !@#$%^  !@#$%^&  !@#$%^&*  !@#$%^&*(  !@#$%^&*()  KKKKKKK    


Muma.C worm was found in the end of June 2003. The worm speads in local networks. The worm infects only computers with Windows NT, 2000 and XP.

The main worm's file name is MUMU.EXE. The worm itself is an installation package that being run, copies itself as MUMU.EXE to Windows System folder, drops and activates other files. This worm variant drops the following files:

 last.exe	- data stealing trojan  bboy.dll	- keylogger DLL that is dropped by the above mentioned trojan  psexec.exe	- a utility to start or kill services on remote computers  kavfind.exe	- a hacker's utility to scan for vulnerable computers (Hucline)  ipspass.txt	- a list of pre-defined passwords    

Also the worm drops BBOY.EXE file to Windows folder. This file is identical to LAST.EXE file.

The LAST.EXE data stealing trojan installs a keylogger BBOY.DLL that saves user's passwords to QJINFO.INI file. Then this file is sent to a hacker by e-mail.

The worm scans for vulnerable computers with the help of Hucline utility and if such a computer is found, the worm copies itself as MUMU.EXE file to remote Windows System folder (usually \WinNT\System32\ or \Windows\System32\) and activates that file on a remote computer. A remote computer becomes infected and the worm continues to spread from it.


The operations performed by this variant differ little from the ones performed by the other known variants.

The worm will scan a local network for hosts to infect. It will copy its files to the hosts found to be vulnerable. The files:

 11.BAT  13.BAT  ipc2.BAT  NWZI.EXE  10.BAT  hfind.exe    

will be copied into the folder:


and it will then copy the local folder "files\" to the remote host as:


Where %systemdir% stands for the Windows' System32 folder.

It will then attempt to remotely execute its installation script "osinstall.bat" inside the the txp folder.

This script will call other small script which will copy "folderdel.bat" into


Scripts contained in this variant are:

 10.bat  11.bat  13.bat  folderdel.bat  hack.bat  hacked.bat  ipc2.bat  mhack.bat  osinstall.bat    

Apart from the binary tools detected by FSAV.


F-Secure Anti-Virus detects the HFIND.EXE hacker's tool as 'HackTool.Win32.Hucline' and 4 batch scripts that are the main worm components are detected as 'Worm.Win32.Muma'.

F-Secure Anti-Virus detects Muma worm with the updates published on June 4th, 2003:

Database: 2003-06-04_01

F-Secure detects Muma.B and C worm variants with the latest updates.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info