1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP W32 Mumawow Activity

HTTP W32 Mumawow Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Mumawow communicating and requesting information from its controlling server.

Additional Information

Once executed, the virus copies itself to the following file:
%System%\logo_1.exe

It then creates the following file:
%Temp%\[RANDOM 5 DIGITS].dll

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"logg" = "logo_1.exe"

It may infect all executable files found in the following locations with a small amount of code to download another file from the internet:
%ProgramFiles% folder on drives C,D,E and F
%System%\dllcache

The Trojan downloads and executes the following file:
[http://]ds.881515.net/muma/[REMOVED] - detected as an Infostealer.Wowcraft variant

The infected executables files then download and execute the following file:
[http://]usd.881515.net/down/[REMOVED] - detected as W32.Mumawow.A

It then contacts the following remote location:
[http://]us.881515.net/us/getwe[REMOVED]

The Trojan executes the following system commands to disable security-related software:

* sc config McTaskManager start= disabled
* sc config McShield start= disabled
* sc config McAfeeFramework start= disabled
* net stop "McTaskManager"
* net stop "McShield"
* net stop "McAfeeFramework"
* sc config avp start= disabled
* net stop avp
* sc config "Kingsoft AntiVirus Service" start= disabled
* net stop "Kingsoft AntiVirus Service"


The Trojan may also stop the following processes:

* avp.exe
* EGHOST.EXE
* Iparmor.exe
* KAV32.exe
* KAVPFW.EXE
* KAVsvc.exe
* KAVSvcUI.exe
* KRegEx.exe
* KVFW.EXE
* KVMonXP.kxp
* KVSrvXP.exe
* KVwsc.exe
* KvXP.kxp
* KWatchUI.EXE
* MAILMON.EXE
* Navapsvc.exe
* navw32.EXE
* NMain.exe
* PFW.EXE
* RAVmon.exe
* RavMon.exe
* RavMonClass
* RAVmonD.exe
* Ravtimer.exe
* RAVtimer.exe
* Rising.exe
* THGUARD.EXE
* TrojanHunter.exe
* TrojDie.kxp
* UIHost.exe
* yassistse.exe

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

Additional References

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube