By JubileeX in Worms

PE_MUSTAN.A is an infection that tends to take advantage of computer users that use weak passwords to protect their online accounts, networks and computers. PE_MUSTAN.A is designed to take advantage of weak passwords in a variety of online accounts, applications and other situations requiring the use of login credentials. PE_MUSTAN.A is linked with a worm that was observed in 2011, known as WORM_MORTO.SM. The PE_MUSTAN.A infection uses brute force tactics to try to overcome a network's protection and can quickly breach a network that is poorly protected. The PE_MUSTAN.A worm is a file infector, also known as a virus. PE_MUSTAN.A is programmed to compromise executable files with the EXE extension and will quickly spread throughout a computer. PE_MUSTAN.A avoids executable files that may cause a noticeable system crash, typically system files and applications by Microsoft such as Windows Explorer, Microsoft Outlook, Microsoft Movie Maker and Windows Live Messenger.

How the PE_MUSTAN.A Worm Spreads

Apart from infecting files in a way similar to a virus, PE_MUSTAN.A also uses worm-like tactics to spread through a network. Like the worm that was mentioned previously, the PE_MUSTAN.A infection uses Remote Desktop Protocol to gain access to other computers located on the infected machine's network. PE_MUSTAN.A uses a list of name and passwords that are typically considered weak and easy to crack to gain access to computers on the network. If these computers are using weak passwords, the PE_MUSTAN.A malware threat can then gain access to those computers and infect executable files on those computers. Apart from spreading through a network, the PE_MUSTAN.A worm also makes copies of itself on all drives detected on the infected computer, shared network folders and shared drives.

Some Additional Information About the PE_MUSTAN.A Worm

The PE_MUSTAN.A worm receives its commands from its Command and Control server using the DNS text record by receiving an encoded string that points PE_MUSTAN.A to the URLs where PE_MUSTAN.A can download additional malware. This allows the PE_MUSTAN.A worm to create a backdoor on the infected computer or to relay important information on the infected computer to a remote server. Most PE_MUSTAN.A attacks are concentrated in the Asia Pacific region. To prevent becoming infected with the PE_MUSTAN.A worm, ESG security researchers strongly advise that computer users use strong passwords with a variety of characters and considerable length.

File System Details

PE_MUSTAN.A may create the following file(s):
# File Name Detections
1. %System%\wmicuclt.exe

Registry Details

PE_MUSTAN.A may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\Select p = "{login passwords}
HKEY_LOCAL_MACHINE\SYSTEM\Select pu = "{login usernames} - {login passwords}"
HKEY_LOCAL_MACHINE\CurrentControlSet\Services {Security Service} = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmicucltsvc ImagePath = "%System%\wmicuclt.exe"
HKEY_LOCAL_MACHINE\SYSTEM\Select ext = "{plugin code obtained from C&C}"
HKEY_LOCAL_MACHINE\SYSTEM\Select plg = "{plugin code obtained from C&C}"
HKEY_LOCAL_MACHINE\SYSTEM\Select {ip address of targeted victims} = {date and time of execution}
HKEY_LOCAL_MACHINE\SYSTEM\Select v = "{virus code}"
HKEY_LOCAL_MACHINE\SYSTEM\Select rmt = "{date and time of execution}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run {AntiVirus Application} = "{Path of AntiVirus Application}"


Very quickly this web site will be famous amid all blogging users, due to it's pleasant articles.

Thanks for sharing such a nice opinion, article is good, thats why i have read it entirely.


Most Viewed