W32.Mumawow.A

Risk Level 1: Very Low

Discovered: March 19, 2007
Updated: May 2, 2007 7:53:17 PM
Also Known As: W32/PWFuzz-A [Sophos]
Infection Length: 40,448 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, the virus copies itself to the following file:
%System%\logo_1.exe

It then creates the following file:
%Temp%\[RANDOM 5 DIGITS].dll

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"logg" = "logo_1.exe"

It may infect all executable files found in the following locations by adding a small amount of code that downloads another file from the Internet:
%ProgramFiles% folder on drives C, D, E, and F
%System%\dllcache

The Trojan downloads and executes the following file:
[http://]ds.881515.net/muma/[REMOVED] - detected as an Infostealer.Wowcraft variant

The infected executable files then download and execute the following file:
[http://]usd.881515.net/down/[REMOVED] - detected as W32.Mumawow.A

It then contacts the following remote location:
[http://]us.881515.net/us/getwe[REMOVED]

The Trojan executes the following system commands to disable security-related software:
  • sc config McTaskManager start= disabled
  • sc config McShield start= disabled
  • sc config McAfeeFramework start= disabled
  • net stop "McTaskManager"
  • net stop "McShield"
  • net stop "McAfeeFramework"
  • sc config avp start= disabled
  • net stop avp
  • sc config "Kingsoft AntiVirus Service" start= disabled
  • net stop "Kingsoft AntiVirus Service"
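The host indicators above (the Run key persistence entry, the five-digit DLL dropped in %Temp%, and the `sc config` / `net stop` commands aimed at security services) can be turned into straightforward detection checks. The following is an added example written for this page, not code from Symantec or from the writeup's author; the process-creation events are constructed, and the record field names (`pid`, `image`, `command_line`) are assumed rather than taken from any particular log source.

```python
"""Detection helpers for the W32.Mumawow.A host indicators described in the writeup.

Added example: SAMPLE_EVENTS is constructed for illustration and the record
field names (pid, image, command_line) are assumed, not tied to a real log format.
"""
import re

# Services the writeup says the Trojan disables or stops (compared case-insensitively).
TARGETED_SERVICES = {
    "mctaskmanager",
    "mcshield",
    "mcafeeframework",
    "avp",
    "kingsoft antivirus service",
}

# "sc config <svc> start= disabled", with an optional leading path on sc.exe
# and an optionally quoted service name.
_SC_DISABLE = re.compile(
    r'^\s*(?:.*\\)?sc(?:\.exe)?\s+config\s+(?:"([^"]+)"|(\S+))\s+start=\s*disabled\s*$',
    re.IGNORECASE,
)
# "net stop <svc>"; net.exe hands the work to net1.exe, so both names are accepted.
_NET_STOP = re.compile(
    r'^\s*(?:.*\\)?net(?:1)?(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))\s*$',
    re.IGNORECASE,
)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_TEMP_DLL = re.compile(r"^\d{5}\.dll$", re.IGNORECASE)


def classify_command(command_line):
    """Return ("sc_disable" | "net_stop", service_name) when the command line
    matches one of the service-tampering patterns, otherwise None."""
    for action, pattern in (("sc_disable", _SC_DISABLE), ("net_stop", _NET_STOP)):
        m = pattern.match(command_line)
        if m:
            service = (m.group(1) or m.group(2)).strip()
            return action, service
    return None


def find_service_tampering(events):
    """Return (event, action, service) for every command that disables or stops
    one of the security services named in the writeup."""
    hits = []
    for ev in events:
        result = classify_command(ev.get("command_line", ""))
        if result is None:
            continue
        action, service = result
        if service.lower() in TARGETED_SERVICES:
            hits.append((ev, action, service))
    return hits


def is_run_key_ioc(key, value_name, value_data):
    """Match the persistence entry from the writeup: Run\\"logg" = "logo_1.exe".
    The data check tolerates a full path to logo_1.exe and surrounding quotes."""
    return (
        key.lower() == RUN_KEY.lower()
        and value_name.lower() == "logg"
        and value_data.strip('"').lower().endswith("logo_1.exe")
    )


def is_temp_random_dll(path):
    """Match %Temp%\\[RANDOM 5 DIGITS].dll: exactly five digits plus .dll, in a
    directory whose last component is Temp."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-2].lower() == "temp" and bool(_TEMP_DLL.match(parts[-1]))


# Constructed process-creation records; not taken from a real host.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": "sc.exe", "command_line": "sc config McShield start= disabled"},
    {"pid": 1210, "image": "net.exe", "command_line": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 1211, "image": "sc.exe", "command_line": "sc config Spooler start= demand"},
    {"pid": 1220, "image": "net.exe", "command_line": "net stop avp"},
    {"pid": 1230, "image": "sc.exe", "command_line": "sc config wuauserv start= disabled"},
]

if __name__ == "__main__":
    for ev, action, service in find_service_tampering(SAMPLE_EVENTS):
        print(f"pid {ev['pid']}: {action} on {service!r} <- {ev['command_line']}")
```

The service list deliberately mirrors the writeup, so the `wuauserv` record in the sample is classified but not reported; a deployment that wants to catch any `sc config ... start= disabled` or `net stop` of a security product can simply alert on every non-None result of `classify_command` and treat the name match as an enrichment.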

The Trojan may also stop the following processes:
  • avp.exe
  • EGHOST.EXE
  • Iparmor.exe
  • KAV32.exe
  • KAVPFW.EXE
  • KAVsvc.exe
  • KAVSvcUI.exe
  • KRegEx.exe
  • KVFW.EXE
  • KVMonXP.kxp
  • KVSrvXP.exe
  • KVwsc.exe
  • KvXP.kxp
  • KWatchUI.EXE
  • MAILMON.EXE
  • Navapsvc.exe
  • navw32.EXE
  • NMain.exe
  • PFW.EXE
  • RAVmon.exe
  • RavMon.exe
  • RavMonClass
  • RAVmonD.exe
  • Ravtimer.exe
  • RAVtimer.exe
  • Rising.exe
  • THGUARD.EXE
  • TrojanHunter.exe
  • TrojDie.kxp
  • UIHost.exe
  • yassistse.exe

Writeup By: John Canavan