This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects W32.Mumawow communicating and requesting information from its controlling server.
Once executed, the virus copies itself to the following file:
It then creates the following file:
%Temp%\[RANDOM 5 DIGITS].dll
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"logg" = "logo_1.exe"
It may infect all executable files found in the following locations with a small amount of code to download another file from the internet:
%ProgramFiles% folder on drives C,D,E and F
The Trojan downloads and executes the following file:
[http://]ds.881515.net/muma/[REMOVED] - detected as an Infostealer.Wowcraft variant
The infected executables files then download and execute the following file:
[http://]usd.881515.net/down/[REMOVED] - detected as W32.Mumawow.A
It then contacts the following remote location:
The Trojan executes the following system commands to disable security-related software:
* sc config McTaskManager start= disabled
* sc config McShield start= disabled
* sc config McAfeeFramework start= disabled
* net stop "McTaskManager"
* net stop "McShield"
* net stop "McAfeeFramework"
* sc config avp start= disabled
* net stop avp
* sc config "Kingsoft AntiVirus Service" start= disabled
* net stop "Kingsoft AntiVirus Service"
The Trojan may also stop the following processes:
- Windows 98
- Windows 95
- Windows XP
- Windows Me
- Windows NT
- Windows Server 2003
- Windows 2000
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.