
Worm:Win32/Muhu.A


Worm:Win32/Muhu.A is a worm that spreads via network and removable drives. It may also terminate certain applications, display pop-up messages, and play an MP3 audio file.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

This worm has been distributed as a self-extracting RAR archive (RARsfx) that contains a copy of AutoHotKey and AutoHotKey scripts. AutoHotKey is promoted as a free, open-source utility for Windows that can "automate almost anything by sending keystrokes and mouse clicks".
Installation
This worm may be distributed with the file name "MicrosoftPowerPoint.exe", a self-extracting RAR archive containing the following files:
  • 2.mp3 - an MP3 audio file that makes a "Muhahaha" sound when played
  • drivelist.txt - contains a list of drives to be infected, from C to Z
  • icon.ico - a blank icon
  • pathlist.txt - contains a list of locations (file paths) to which the worm drops files
  • svchost.exe - a copy of AutoHotKey, used to execute the dropped scripts
  • Install.txt - detected as Worm:Win32/Muhu.A; executed as a parameter to the AutoHotKey program (svchost.exe)
When executed, Win32/Muhu.A extracts the files listed above to the %TEMP%\microsoftpowerpoint folder (created by the worm). The worm then executes the dropped copy of "svchost.exe" with Install.txt as a parameter.
 
The registry is modified to run a copy of the worm at each Windows start, as in this example:
Adds value: "winlogon"
With data: "c:\heap41a\svchost.exe c:\heap41a\std.txt"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Spreads via
Network and removable drives
The script "install.txt" is invoked by svchost.exe, and contains instructions to copy "MicrosoftPowerPoint.exe" to drives specified in "drivelist.txt". Next, it drops the following files in directories specified in "pathlist.txt", as in this example:
c:\heap41a\svchost.exe
c:\heap41a\drivelist.txt
c:\heap41a\2.mp3
c:\heap41a\icon.ico
c:\heap41a\offspring\autorun.inf
c:\heap41a\reproduce.txt
c:\heap41a\std.txt
c:\heap41a\script1.txt
 
The file "drivelist.txt" contains the following paths in addition to "C:\heap41a\":
D:\RECYCLE
E:\RECYCLE
F:\RECYCLE
 
The dropped file "autorun.inf" contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
 
The dropped copy of AutoHotKey is executed along with the dropped script "std.txt" as in this example:
C:\heap41a\svchost.exe C:\heap41a\std.txt
 
The worm adds a value to the registry as an infection marker:
Adds value: "status"
With data: "present"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Payload
Closes Web Browsers/Displays Messages
The worm may close the Web browser Mozilla Firefox if it is launched, and it may close Web browsers whose window contains either of the following strings:
  • Orkut
  • youtube
The worm then attempts to play the dropped MP3 audio file "2.mp3", which sounds like a maniacal laugh ("muhahaha"). Win32/Muhu.A then displays one of the following pop-up messages, depending on which application window was closed:
 
 
 
 
Additional Information
The worm modifies a registry value so that files and folders marked "hidden" stay hidden from the user's view:
Modifies value: "checkedvalue"
With data: "0"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
 
Analysis by Francis Allan Tan Seng

Symptoms

System Changes
The following system changes may indicate the presence of Worm:Win32/Muhu.A:
  • Presence of the following files:
    %TEMP%\microsoftpowerpoint\2.mp3
    %TEMP%\microsoftpowerpoint\drivelist.txt
    %TEMP%\microsoftpowerpoint\icon.ico
    %TEMP%\microsoftpowerpoint\pathlist.txt
    %TEMP%\microsoftpowerpoint\svchost.exe
    %TEMP%\microsoftpowerpoint\Install.txt
  • Display of the following messages (or similar):


  • The sound of evil laughter.
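As an added example (not part of the encyclopedia entry), the following read-only check evaluates a host snapshot against the indicators this entry lists: the dropped files under %TEMP%\microsoftpowerpoint, the "winlogon" and "status" values under the Policies\Explorer\Run key, and the SHOWALL CheckedValue change. The snapshot used when not run on Windows is constructed to mirror the entry; the function and value names are this example's own.

```python
import os
import sys

# Indicators as listed in the entry above (names compared case-insensitively).
DROPPED_FILES = {"2.mp3", "drivelist.txt", "icon.ico", "pathlist.txt", "svchost.exe", "install.txt"}
DROP_DIR = r"%TEMP%\microsoftpowerpoint"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
SHOWALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
# Constructed sample snapshot mirroring the entry (not captured from a real host).
SAMPLE_INFECTED = (["2.mp3", "Install.txt", "svchost.exe"],
                   {"winlogon": r"c:\heap41a\svchost.exe c:\heap41a\std.txt", "status": "present"}, 0)

def assess(present_files, run_values, showall_checkedvalue):
    """Match a snapshot (file names in the drop folder, {name: data} under the Policies
    Run key, SHOWALL CheckedValue or None) against the indicators; returns findings."""
    findings = []
    hits = sorted(DROPPED_FILES & {f.lower() for f in present_files})
    if hits:
        findings.append("dropped files in %s: %s" % (DROP_DIR, ", ".join(hits)))
    run = {k.lower(): str(v).lower() for k, v in run_values.items()}
    if "svchost.exe" in run.get("winlogon", "") and "std.txt" in run.get("winlogon", ""):
        findings.append("persistence: Run value 'winlogon' = %s" % run["winlogon"])
    if run.get("status") == "present":
        findings.append("infection marker: Run value 'status' = present")
    if showall_checkedvalue == 0:  # keeps hidden files hidden; weak on its own
        findings.append("hidden-file view suppressed: SHOWALL CheckedValue = 0 (weak alone)")
    return findings

def collect_windows_state():
    """Read the live state on Windows, read-only (assumes rights to read HKLM)."""
    import winreg  # Windows-only module
    drop = os.path.expandvars(DROP_DIR)
    files = os.listdir(drop) if os.path.isdir(drop) else []
    run_values, checked = {}, None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(key, i)
                run_values[name] = data
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL_KEY) as key:
            checked = winreg.QueryValueEx(key, "CheckedValue")[0]
    except OSError:  # a key is missing or unreadable: the rest stays empty/None
        pass
    return files, run_values, checked

if __name__ == "__main__":
    state = collect_windows_state() if sys.platform == "win32" else SAMPLE_INFECTED
    for finding in assess(*state):
        print(finding)
```

A CheckedValue of 0 is reported separately because legitimate software and users also change it; treat it as corroboration, not proof, of infection.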

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.117.2303.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 29, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Starter.AEO (BitDefender)
  • Trojan.Autorun-186 (Clam AV)
  • Win32/AHKHeap.A (ESET)
  • W32/AHKHeap.inf (McAfee)
  • Text/AutoRun.G (Norman)
  • W32/AHKHeap-A (Sophos)
  • INF/AHKHeap.A (other)
  • Worm.Autorun.BK (VirusBuster)