Muster.e

Type: Trojan
SubType: (not specified)
Discovery Date: 01/14/2010
Length: Varies
Minimum DAT: 5861 (01/14/2010)
Updated DAT: 5861 (01/14/2010)
Minimum Engine: 5.2.00
Description Added: 01/14/2010
Description Modified: 01/31/2010 8:50 PM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, the trojan drops the following file.

  • %System%\drivers\vstor.sys

[Where %System% is the default System folder, for example C:\Windows\System32, and
%Windows% is the default Windows directory, for example C:\WINDOWS]

The following registry keys are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vstor
    "DisplayName" = Vstor Virtual Storage Driver
    "ErrorControl" = 0
    "ImagePath" = \??\%System%\drivers\vstor.sys
    "Start" = 2
    "Type"  = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vstor
    "DisplayName" = Vstor Virtual Storage Driver
    "ErrorControl" = 0
    "ImagePath" = \??\%System%\drivers\vstor.sys
    "Start" = 2
    "Type"  = 1

The trojan appends a backdoor executable file to the following file.

  • %Windows%\ime\SHARED\imepaden.hlp

vstor.sys is responsible for extracting the appended executable file from imepaden.hlp and
copying it to the following path upon each reboot.

  • %System%\UpgradeUI.exe
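A defender-side check for the behaviour above, written here as an added example (not McAfee's own detection logic): it scans a help file for an appended PE image by validating the MZ header's e_lfanew pointer instead of matching the bare bytes "MZ", which can occur by chance in help text. The sample input is constructed inline; no real imepaden.hlp is read.

```python
import struct
from typing import Optional

DOS_HEADER_SIZE = 0x40          # e_lfanew lives at offset 0x3C of the 'MZ' header


def find_appended_pe(data: bytes) -> Optional[int]:
    """Return the offset of the first plausible PE image inside `data`, or None.

    A candidate is an 'MZ' stub whose e_lfanew (DWORD at +0x3C) points, within
    the buffer, at a 'PE\\0\\0' signature. Checking e_lfanew rejects the two
    bytes 'MZ' occurring by chance in ordinary help-file content.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            nt = pos + e_lfanew
            if e_lfanew >= DOS_HEADER_SIZE and data[nt:nt + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_appended_pe(data: bytes) -> Optional[bytes]:
    """Return the appended executable (from its 'MZ' to end of file), or None."""
    off = find_appended_pe(data)
    return None if off is None else data[off:]


def build_sample() -> bytes:
    """Constructed test input: a stand-in help file containing a stray 'MZ' in
    its body, followed by a minimal appended PE (headers only, no code)."""
    help_part = b"?_\x03\x00" + b"A" * 60 + b"MZ" + b"A" * 100   # 166 bytes
    pe_part = (b"MZ" + b"\x00" * 0x3A
               + struct.pack("<I", DOS_HEADER_SIZE)               # e_lfanew = 0x40
               + b"PE\x00\x00" + b"\x00" * 20)                    # 88 bytes
    return help_part + pe_part


if __name__ == "__main__":
    sample = build_sample()
    print(f"appended PE found at offset {find_appended_pe(sample)}")   # 166
```

Run the same function over a real file's bytes to flag a help file that carries an executable overlay; the carved bytes can then be hashed and scanned.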

vstor.sys also adds the following registry key.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AutoPatch = %System%\UpgradeUI.exe

The trojan injects a thread into explorer.exe that connects to "www.google.com" to check whether there is a valid network connection. Once the trojan has established the connection, it attempts to access the following site and waits for commands.

  • 202.215.{removed}

The backdoor has the following functions:

  • gather system information
      - disk information
      - hostname/ip
  • list files/directories
  • change directories
  • upload/download files
  • provide remote shell (cmd.exe)
  • list/kill processes

Symptoms

  • Existence of the aforementioned files and registry entries
  • Existence of communications to the aforementioned site

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Muster.e trojan provides remote access capabilities to an attacker by opening a backdoor on the compromised machine.
