Worm:Win32/Muhu.A is a worm that spreads via network and removable drives. It may also terminate certain applications, display pop-up messages, and play an MP3 audio file.
This worm has been distributed as a self-extracting RAR archive (RARsfx) that contains a copy of AutoHotKey, and AutoHotKey scripts. AutoHotKey is promoted as a free, open-source utility for Windows that can "automate almost anything by sending keystrokes and mouse clicks".
Installation
This worm may be distributed with the file name "MicrosoftPowerPoint.exe", a self-extracting RAR archive containing the following files:
2.mp3 - an MP3 audio file that makes a "Muhahaha" sound when played
drivelist.txt - contains list of drives to be infected, from C to Z
icon.ico - blank icon
pathlist.txt - contains a list of locations (file paths) for the worm to drop files to
svchost.exe - a copy of AutoHotKey, used to execute dropped scripts
Install.txt - detected as Worm:Win32/Muha.A, executed as a parameter to the AutoHotkey program (svchost.exe)
When executed, Win32/Muhu.A extracts the files listed above to the %TEMP%\microsoftpowerpoint folder (created by the worm). The worm then executes the dropped copy of "svchost.exe" with Install.txt as a parameter.
The registry is modified to run a copy of the worm at each Windows start, as in this example:
Adds value: "winlogon"
With data: "c:\heap41a\svchost.exe c:\heap41a\std.txt"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Spreads Via..
Network and Removable Drives
The script "install.txt" is invoked by svchost.exe, and contains instructions to copy "MicrosoftPowerPoint.exe" to drives specified in "drivelist.txt". Next, it drops the following files in directories specified in "pathlist.txt", as in this example:
c:\heap41a\svchost.exe
c:\heap41a\drivelist.txt
c:\heap41a\2.mp3
c:\heap41a\icon.ico
c:\heap41a\offspring\autorun.inf
c:\heap41a\reproduce.txt
c:\heap41a\std.txt
c:\heap41a\script1.txt
The file "drivelist.txt" contains the following paths in addition to "C:\heap41a\":
D:\RECYCLE
E:\RECYCLE
F:\RECYCLE
The dropped file "autorun.inf" contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
The dropped copy of AutoHotKey is executed along with the dropped script "std.txt" as in this example:
C:\heap41a\svchost.exe C:\heap41a\std.txt
The worm adds a value to the registry as an infection marker:
Adds value: "status"
With data: "present"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Payload
Closes Web Browsers/Displays Messages
The worm may close the Web browser Mozilla Firefox if it is launched, or the worm may close Web browsers containing the following strings in the browser window:
The worm then attempts to play the dropped MP3 audio file "2.mp3", resulting in a sound resembling a maniacal laugh ("muhahaha"). Win32/Muhu then displays one of the following pop-up messages, depending on which application window was closed.
Additional Information
The worm modifies a registry value that keeps "hidden" files or folders hidden from a user's view.
Modifies value: "checkedvalue"
With data: "0"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
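As an added, read-only triage example that is not part of this write-up, the PowerShell function below checks a host for the registry values and dropped-file paths listed in this entry (the persistence value and "status" marker under Policies\Explorer\Run, the SHOWALL CheckedValue change, the heap41a and RECYCLE drop directories, and the %TEMP%\microsoftpowerpoint folder). The function name and the root-level autorun.inf content check are my assumptions, not something the entry states.

```powershell
# Added example: hypothetical helper that reports (but does not change) artifacts
# associated with the Win32/Muhu.A description above.
function Find-MuhuArtifacts {
    $findings = @()

    # Persistence value and infection marker under Policies\Explorer\Run
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        if ($props.PSObject.Properties['winlogon']) {
            $findings += "Run policy value 'winlogon' = $($props.winlogon)"
        }
        if ($props.PSObject.Properties['status'] -and $props.status -eq 'present') {
            $findings += "Infection marker 'status' = 'present' under $runKey"
        }
    }

    # Hidden-files setting forced off (CheckedValue = 0 under SHOWALL)
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    if (Test-Path $showAll) {
        $cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
        if ($cv -eq 0) { $findings += "SHOWALL CheckedValue is 0 (hidden files suppressed)" }
    }

    # Extraction folder created by the self-extracting archive
    $tmp = Join-Path $env:TEMP 'microsoftpowerpoint'
    if (Test-Path (Join-Path $tmp 'Install.txt')) { $findings += "Extraction folder present: $tmp" }

    # Drop directories and dropped files on every file-system drive
    $dropped = @('svchost.exe', 'std.txt', 'script1.txt', 'reproduce.txt', '2.mp3',
                 'MicrosoftPowerPoint.exe', 'offspring\autorun.inf')
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($dirName in @('heap41a', 'RECYCLE')) {
            $dir = Join-Path $drive.Root $dirName
            if (-not (Test-Path $dir)) { continue }
            foreach ($f in $dropped) {
                $full = Join-Path $dir $f
                if (Test-Path $full) { $findings += "Dropped file: $full" }
            }
        }
        # Assumption: a root autorun.inf that references the drop paths is suspicious
        $ar = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path $ar) {
            $body = Get-Content -Path $ar -ErrorAction SilentlyContinue
            if ($body -match 'heap41a|RECYCLE|MicrosoftPowerPoint') { $findings += "autorun.inf references drop paths: $ar" }
        }
    }
    return $findings
}

Find-MuhuArtifacts
```

Run it from an elevated prompt so HKLM and all drive roots are readable; an empty result means none of the listed artifacts were found, not that the host is clean.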
Analysis by Francis Allan Tan Seng