[INFO]
AnalystName=Swarna Latha V.G.
AnalystEMailID=swarnalatha.gopinathan@comodo.com
Team=India
Date=12-JAN-2010
Type=TrojWare
Platform=Win32
SubType=TrojanDownloader
Family=Mufanom
Variant=

[OVERVIEW]
Mufanom is a trojan that downloads various malicious programs and installs them on the victim machine.

[TECHNICAL_DESCRIPTION]
Registry Keys Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random name]

Registry Values Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random name]\[random name]: 43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F 47 11 41 13 48 15 61 17 75 19 69 1B 69 1D 70 1F 49 21 0C 23 40 25 4A 27 44 29 2A 2B
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random name]\[random name]: "89"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random name]\[random name]: 37 01 34 03 30 05 06 07
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random name]\[random name]: 45 01 34 03 32 05 33 07 38 09 4C 0B 4D 0D 3F 0F 56 11 51 13 52 15 55 17 2C 19 5E 1B 28 1D 2D 1F 19 21 10 23 17 25 1E 27 1B 29 13 2B 18 2D 6F 2F 09 31 70 33 77 35 03 37 79 39 7B 3B 05 3D 0F 3F 40 41
HKU\%SID%\Software\Microsoft\Windows\ShellNoRoam\MUICache\%USERPROFILE%\Desktop\32f5f33754a94d9fceb1e5542ef5c6a867cac516.exe: "[random name]"

Registry Values Modified:
HKLM\SYSTEM\ControlSet001\Control\Lsa\Notification Packages: '[random name]'
HKLM\SYSTEM\ControlSet001\Control\Lsa\Notification Packages: '[random name][random name].dll'
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages: '[random name]'
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages: '[random name][random name].dll'

Files Added:
%windir%\[random name].dll

Once executed, the trojan creates a mutex with a random name and drops a DLL into the Windows directory, which is then registered. The dropped DLL is itself malicious and carries version information copied from a legitimate application. Mutex names observed include 21924d52 and 219d5812. Other variants have been found to connect to malicious sites and download further malware files.

[SYMPTOMS]
Displays pop-up advertisements.
Connects to a varying number of malicious sites.
Downloads other malware and copies it to the %windir% folder.

[DISINFECTION]
Manual Removal Instructions:
Check %windir% for a DLL file with a random name and delete it; if the DLL is registered, unregister it.
To unregister: open Internet Explorer, go to Tools -> Manage Add-ons, select the registered DLL and disable it.
Restart the system.
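The modified "Notification Packages" values listed above are the persistence point worth auditing: DLLs named in that REG_MULTI_SZ value are loaded by the LSA process at boot. The following script is an added example for this entry, not part of the Comodo report or its tooling. It compares the value against a known-good baseline and flags anything else; the baseline of only "scecli" is an assumption for illustration (a clean system may legitimately carry a vendor password-filter DLL, which an administrator would add to the set), and the sample value at the bottom is constructed to mirror the report.

```python
"""Audit the LSA "Notification Packages" value against a known-good baseline.

Added example for this malware entry; not code from the Comodo write-up.
Assumptions: the legitimate baseline is just "scecli"; the sample value
below is constructed and does not come from a real infected system.
"""

# Assumed baseline of legitimate notification packages (adjust per environment).
KNOWN_GOOD = {"scecli"}

# Both keys named in the report: the live control set and ControlSet001.
LSA_KEYS = (
    r"SYSTEM\CurrentControlSet\Control\Lsa",
    r"SYSTEM\ControlSet001\Control\Lsa",
)


def suspicious_packages(entries, known_good=KNOWN_GOOD):
    """Return (name, reason) pairs for entries that are not on the baseline.

    `entries` is the REG_MULTI_SZ value as a list of strings. Entries are
    normally written without an extension (LSA appends .dll itself), so an
    explicit ".dll" suffix is reported as an extra reason.
    """
    baseline = {k.lower() for k in known_good}
    findings = []
    for raw in entries:
        name = raw.strip()
        if not name:
            continue
        has_suffix = name.lower().endswith(".dll")
        base = name[:-4] if has_suffix else name
        if base.lower() in baseline:
            continue
        reasons = ["not in baseline"]
        if has_suffix:
            reasons.append("explicit .dll suffix")
        findings.append((name, "; ".join(reasons)))
    return findings


def read_notification_packages(key_path):
    """Read the live value on Windows; return [] elsewhere or if the key is absent."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, value_type = winreg.QueryValueEx(key, "Notification Packages")
    except OSError:
        return []
    if value_type != winreg.REG_MULTI_SZ:
        # Unexpected type is itself worth a look; surface it as a single entry.
        return [str(value)]
    return list(value)


# Constructed sample mirroring the report: the baseline entry plus two
# attacker-added packages with random-looking names.
SAMPLE_VALUE = ["scecli", "yqbpxkw", "yqbpxkwtlm.dll"]

if __name__ == "__main__":
    live = [read_notification_packages(k) for k in LSA_KEYS]
    # Use the live value when running on Windows, otherwise the constructed sample.
    entries = next((v for v in live if v), SAMPLE_VALUE)
    for name, reason in suspicious_packages(entries):
        print(f"SUSPICIOUS: {name} ({reason})")
```

Run it on the affected host as an administrator; on a non-Windows machine it falls back to the constructed sample so the logic can be exercised offline. Any flagged entry should be cross-checked against the DLL in %windir% before removal, since deleting the file while the registry entry remains leaves LSA attempting to load a missing package at each boot.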