Friday, 12 February 2010

Beware, Trojan Can Infect Smart Files in Windows

Security firm McAfee Labs has discovered malware that can copy itself into a help file in Windows to infect the victim's computer. The anti-virus vendor calls the Trojan Muster.e. It can infect a Windows file named imepaden.hlp, which is one of the help files for Microsoft IME. The imepaden.hlp file serves as storage for the malware's main component in encrypted form. However, the infected help file can still be viewed with the WinHelp browser, just like the original help file, so it is quite difficult for users to discover the infection by viewing the file. When the installed malware is removed, the secret payload in it, or the so-called sys file, is decrypted into an executable file named upgraderUI.exe with the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run AutoPatch, and the installation file runs automatically as a Windows service.

Muster is a family of backdoors that use help files to hide themselves. A help file, or .hlp file, is a data file designed to be viewed with Microsoft's WinHelp browser to provide online help for the applications people use. The .hlp file is decrypted using Microsoft CryptAPI with a difficult key and executed by the loader file. "All the action happens in a hidden way. The Windows help file is smart enough to fool the user. This Trojan is usually easier to work on the client computer," said Craig Schmugar, threat analyst at McAfee Labs.

One scenario for this malware technique: a victim, unaware of what the strange UpgraderUI.exe file and registry entry are, deletes them and thinks the backdoor has been removed successfully. In fact, the same file and registry entry come back again at every reboot, and the user still cannot find any other suspicious files. Users will never know that the sys file has been infected, and the imepaden.hlp file along with it.
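The reappearing Run entry in this scenario is itself a usable detection signal. The following is an added example, not part of the original article or of any McAfee tooling: it scans a constructed list of registry events and reports Run-key values that are set again in a later boot after having been deleted. The event format, the boot counter, the `ExampleUpdater` entry and the file paths are assumptions made for illustration.

```python
"""Flag Run-key values that return after deletion (constructed sample data)."""
from collections import defaultdict

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events in chronological order, not real telemetry:
# (boot_id, action, key, value_name, data); boot_id increases at every reboot.
# The paths are placeholders; the article does not say where the file is dropped.
SAMPLE_EVENTS = [
    (1, "set", RUN_KEY, "AutoPatch", r"C:\example\upgraderUI.exe"),
    (1, "set", RUN_KEY, "ExampleUpdater", r"C:\example\updater.exe"),
    (1, "delete", RUN_KEY, "AutoPatch", ""),       # user removes the entry
    (2, "set", RUN_KEY, "AutoPatch", r"C:\example\upgraderUI.exe"),
    (2, "delete", RUN_KEY, "AutoPatch", ""),       # user removes it again
    (2, "delete", RUN_KEY, "ExampleUpdater", ""),  # normal uninstall, stays gone
    (3, "set", RUN_KEY, "AutoPatch", r"C:\example\upgraderUI.exe"),
]


def find_resurrected_values(events, min_returns=1):
    """Return {value_name: times_returned} for Run values that were deleted
    and then set again in a later boot, at least min_returns times."""
    deleted_in = {}              # value_name -> boot_id of the pending deletion
    returns = defaultdict(int)   # value_name -> number of comebacks
    for boot_id, action, key, name, _data in events:
        if key.lower() != RUN_KEY.lower():
            continue             # only the autostart key is of interest here
        if action == "delete":
            deleted_in[name] = boot_id
        elif action == "set" and name in deleted_in:
            # A rewrite within the same boot is ordinary software behaviour;
            # a comeback after a reboot points at something re-dropping it.
            if boot_id > deleted_in[name]:
                returns[name] += 1
            del deleted_in[name]
    return {n: c for n, c in returns.items() if c >= min_returns}


if __name__ == "__main__":
    for name, count in find_resurrected_values(SAMPLE_EVENTS).items():
        print(f"Run value {name!r} returned after deletion {count} time(s)")
```

A hit means the deleted entry was only a symptom, so the search should move to whatever re-creates it at boot, such as services and drivers.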

Meanwhile, McAfee has released an update: McAfee VirusScan DATs 5861 or newer can detect and clean the infected help files and the files of this backdoor.

