BAT/Mumu.worm.c

Type
Virus
SubType
Internet Worm
Discovery Date
07/25/2003
Length
Varies
Minimum DAT
4283 (08/06/2003)
Updated DAT
4283 (08/06/2003)
Minimum Engine
5.1.00
Description Added
08/06/2003
Description Modified
08/06/2003 10:50 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a variant of BAT/Mumu.worm and is detected as BAT/Mumu.worm with the 4283+ DATs. The worm functions in a similar fashion, copying itself to remote systems via the default administrative share ADMIN$. The credentials of the currently logged-on user and/or weak administrator passwords provide the permissions the worm needs to spread. A combination of batch files, configuration files, and third-party applications carries out the work: scanning ranges of IP addresses, connecting to accessible systems, copying files to those systems, and executing them.

This variant also carries the Netcat application with it, and configures it to provide a remote shell on TCP port 6969.

The following files are associated with this worm, and will be found in the %WinDir%\system32\ directory of an infected system:

Worm files
  hacker.bat              Mumu worm batch file
  ip.bat                  Mumu worm batch file
  psexec.bat              Mumu worm batch file
  scan.bat                Mumu worm batch file
  starter.bat             Mumu worm batch file
  Xecuter.bat             Mumu worm batch file
Applications
  Firedaemon.exe          Fire Daemon application
  clearlogs.exe           Application to clear event logs
  ntscan.exe              NTScan application
  HideRun.exe             HideWindow application
  psexec.exe              RemoteProcessLaunch application
  rep.EXE                 String replace application
  random.exe              Random number generator application
  svhost.exe              Iroffer application
  nc.exe                  Netcat application
  tmp1\drvrquery32.exe    Serv-U daemon application
  CYGWIN1.dll             Cygwin POSIX emulation DLL
Configuration files
  NT-pass.dic             Used by NTScan application
  NT-user.dic             Used by NTScan application
  sys.txt                 System info header text
  wm.txt                  System info header text
  regkeyadd.REG           Registry script
  protmp.txt              Iroffer config
  proreset.txt            Iroffer config
  tmp1\pro.gif            Iroffer config
  tmp1\CommonDlg32.dll    Valid DLL
  rep.bat                 Replace application instructions
  replace.txt             Replace application instructions

Symptoms

Note: There are minor variants of this worm, which may result in varying symptoms of infection.

Infected systems may contain the following registry keys/values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "drvrquery32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "HideRun.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Xecuter.bat"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnet
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvmanager
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\startupdll
  • Infected systems listening on TCP port 6969 (Netcat shell) and TCP port 21 (Serv-U FTP server)
  • Iroffer application (XDCC IRC bot) connecting out on TCP port 6667
  • The absence of the default shares C$ through Z$
  • A new local user "admin" with a password set, added to the Administrators group
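The symptoms above can be checked in one pass. The following PowerShell script is an added example, not code from the McAfee advisory; the file names, registry values, service names, ports and the "admin" account come straight from the advisory. It assumes an elevated PowerShell session, and Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later (on older hosts the port checks are skipped silently).

```powershell
# Added triage script for the BAT/Mumu.worm.c indicators listed above.
# Run in an elevated PowerShell session. Every indicator below is taken from
# the advisory; nothing else is assumed.

$sys32 = Join-Path $env:WinDir 'system32'

# Files the advisory says are dropped into %WinDir%\system32\
$wormFiles = @(
  'hacker.bat','ip.bat','psexec.bat','scan.bat','starter.bat','Xecuter.bat',
  'Firedaemon.exe','clearlogs.exe','ntscan.exe','HideRun.exe','psexec.exe',
  'rep.EXE','random.exe','svhost.exe','nc.exe','tmp1\drvrquery32.exe','CYGWIN1.dll',
  'NT-pass.dic','NT-user.dic','sys.txt','wm.txt','regkeyadd.REG',
  'protmp.txt','proreset.txt','tmp1\pro.gif','tmp1\CommonDlg32.dll','rep.bat','replace.txt'
)
$runValues   = @('drvrquery32.exe','HideRun.exe','Xecuter.bat')
$serviceKeys = @('msnet','drvmanager','startupdll')
$listenPorts = @(6969, 21)   # Netcat shell, Serv-U FTP
$outPorts    = @(6667)       # iroffer XDCC bot talking to IRC

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files
foreach ($f in $wormFiles) {
  $p = Join-Path $sys32 $f
  if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# 2. Run-key persistence
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
  if ($run -and ($run.PSObject.Properties.Name -contains $v)) {
    $findings.Add("Run value: $v = $($run.$v)")
  }
}

# 3. Service keys created by FireDaemon
foreach ($s in $serviceKeys) {
  if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$s") {
    $findings.Add("service key present: $s")
  }
}

# 4. Listening backdoor/FTP ports and outbound IRC
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue
foreach ($c in $tcp) {
  if ($c.State -eq 'Listen' -and ($listenPorts -contains $c.LocalPort)) {
    $findings.Add("listening: tcp/$($c.LocalPort) owned by PID $($c.OwningProcess)")
  }
  if ($c.State -eq 'Established' -and ($outPorts -contains $c.RemotePort)) {
    $findings.Add("outbound: $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)")
  }
}

# 5. The local "admin" account the worm adds to Administrators
$admins = net localgroup Administrators 2>$null
if ($admins -match '^\s*admin\s*$') {
  $findings.Add('local user "admin" is a member of Administrators')
}

# 6. The worm deletes the default shares after infecting; their absence is a symptom
$shares = (net share 2>$null) -join "`n"
foreach ($name in 'ADMIN$','C$','IPC$') {
  if ($shares -notmatch [regex]::Escape($name)) {
    $findings.Add("default share missing: $name")
  }
}

if ($findings.Count -eq 0) { 'No BAT/Mumu.worm.c indicators found.' } else { $findings }
```

A missing default share or an "admin" account on its own is weak evidence (administrators remove shares and create accounts deliberately); the dropped files, the three Run values and the three service keys are the indicators to act on.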

Method of Infection

This worm spreads via accessible administrative shares (ADMIN$). It targets random IP addresses within the local class A range (the /8 containing the infected host). It uses the NTScan application to find reachable systems and to guess share credentials with a dictionary-style attack using the bundled NT-user.dic and NT-pass.dic lists. With working credentials, the worm copies itself to the target system and executes it there via psexec.

Removal

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share-jumping worms rely on weak usernames and passwords. They attempt to gain administrative rights with a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak credentials, many can also use the credentials of the currently logged-on user: if a domain administrator or other highly privileged account logs on to an infected system, the worm gains access to every system within that account's reach. Such worms also rely on the presence of the default administrative shares. Removing the administrative shares (C$, IPC$, ADMIN$) on all systems limits this kind of spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the Startup folder. Note that "net share /delete" is not persistent: the Server service recreates the automatic shares when it restarts, deleting IPC$ breaks named-pipe RPC, and remote administration tools that depend on ADMIN$ stop working. Strong administrator passwords and not logging on to workstations with privileged accounts remove the access this worm depends on.
  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete
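The batch commands above only last until the Server service restarts. The following PowerShell script is an added example, not code from the McAfee advisory: it removes the automatic drive and ADMIN$ shares now and, with -Persist, sets the LanmanServer AutoShareServer / AutoShareWks value to 0 so Windows does not recreate them. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-SmbShare / Remove-SmbShare) and that you have checked which management tools on the host need ADMIN$ before running it.

```powershell
# Added hardening script: remove the automatic administrative shares and,
# optionally, stop the Server service recreating them at its next start.
#
# Caveats: PsExec, remote MSI deployment and some management agents depend on
# ADMIN$/C$ and will stop working. IPC$ is deliberately left alone: it carries
# named-pipe RPC, is not controlled by AutoShare*, and "net share ipc$ /delete"
# only lasts until the service restarts.

param([switch]$Persist)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
# Workstations honour AutoShareWks, servers honour AutoShareServer.
$isServer  = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$valueName = if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }

# Remove the drive shares (C$ ... Z$) and ADMIN$ that exist right now.
# This is the same effect as the advisory's "net share x$ /delete" lines.
$autoShares = Get-SmbShare | Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -eq 'ADMIN$' }
foreach ($share in $autoShares) {
  Remove-SmbShare -Name $share.Name -Force -Confirm:$false
  "removed share $($share.Name)"
}

if ($Persist) {
  # 0 = do not create the automatic shares when the Server service starts
  New-ItemProperty -Path $params -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null
  "$valueName = 0 under $params (applies at the next Server service start)"
}

# Verify: only IPC$ and any shares created by hand should remain
Get-SmbShare | Select-Object Name, Path
```

Without -Persist the script behaves like the batch file above and the shares return after a reboot; with -Persist the registry value keeps them gone, which is the setting to verify on hosts where you expect the shares to be absent.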

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BAT.Boohoo.Worm (Symantec)
