Obstinate Trojan Hides inside Windows .hlp File
Investigators from security firm McAfee have been monitoring a computer Trojan named Muster.e, and found that it secretly stores itself inside a Windows help file so that victims' systems stay infected.
Microsoft's help files, which carry the ".hlp" extension, are data files viewed with the Microsoft WinHelp viewer to give users online assistance for applications. Earlier versions of 'Muster' stored encrypted copies of the main backdoor Trojan in files with the '.hlp' extension; loaders later decrypted these files with Microsoft CryptoAPI using hard-coded keys.
However, the latest version, 'Muster.e,' uses help files differently. After installation, it infects 'imepaden.hlp,' a help file already present for Microsoft Input Method Editors (IME). The infected hlp file still opens in the WinHelp viewer exactly as the original hlp file does, so end-users do not notice the infection through normal viewing.
Moreover, Muster.e also installs a system (.sys) file that starts working when the computer is restarted. This sys file extracts the attached .exe from the hlp file and writes it out as a separate 'upgraderUI.exe.' The executable's name gives users the impression that it is something associated with a system update tool. Even this did not seem enough for the malware creators, for they also specially designed the system file to dupe end-users.
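As an added illustration, not code from the article or from McAfee, here is a defender-side check for the trick described above: scan a .hlp file for an appended PE executable. The WinHelp signature bytes are an assumption and the sample blobs are constructed, not real malware.

```python
"""Added example: flag Windows .hlp files that carry an embedded PE executable.
The sample bytes below are constructed; the WinHelp magic is an assumption."""
import struct

HLP_MAGIC = b"\x3f\x5f\x03\x00"   # assumed WinHelp signature (LE 0x00035F3F)


def find_embedded_pe(data: bytes) -> list[int]:
    """Return the offset of every well-formed DOS/PE header found inside data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset 0x3C in the DOS header) must point at a 'PE\0\0' signature
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def looks_like_hlp(data: bytes) -> bool:
    """True if the blob starts with the (assumed) WinHelp signature."""
    return data[:4] == HLP_MAGIC


def assess_hlp(data: bytes) -> dict:
    """Verdict for one .hlp blob: is it a help file, and does it smuggle a PE?"""
    offsets = find_embedded_pe(data)
    return {"is_hlp": looks_like_hlp(data), "pe_offsets": offsets,
            "suspicious": looks_like_hlp(data) and bool(offsets)}


def build_fake_pe() -> bytes:
    """Constructed minimal DOS stub plus PE signature, enough to trip the check."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


CLEAN_HLP = HLP_MAGIC + b"\x00" * 200          # constructed benign help file
TROJANED_HLP = CLEAN_HLP + build_fake_pe()     # constructed: executable appended

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_HLP), ("trojaned", TROJANED_HLP)):
        print(name, assess_hlp(blob))
```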
According to Craig Schmugar, threat researcher at McAfee Labs, the trick with the hlp file was quite new and hid the malware from plain view. He added that it was not usually seen at the client's end, as per the news published by The Register on February 3, 2010.
Moreover, according to the security investigators, the tactic ensures that Muster.e stays on the infected computer even after most of the malware's related files have been removed. Naturally, this has confused computer operators, who cannot work out why their systems keep getting reinfected.
Notably, the Trojan does not replicate itself. It is spread manually through vectors such as peer-to-peer file-sharing networks, Internet Relay Chat sessions, e-mail, newsgroup postings, and so on.
» SPAMfighter News - 11-02-2010