W32.Munia


Aliases: W32/Munia
Variants: W32.Munia!inf, W32/Munia!inf

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 05 Aug 2006
Damage: Medium

Characteristics: This virus infects .exe files when the target file is accessed. It also steals usernames and passwords from the infected machine by installing a keylogger that automatically records the user's keystrokes. The W32.Munia virus has backdoor capabilities as well: it opens a backdoor on the compromised machine and uses it to communicate with its remote controller.

More details about W32.Munia

Once the W32.Munia virus is executed on the compromised system, it creates files with the extensions .dll, .exe and .bd. It adds a registry entry to a registry subkey so that it runs each time Windows starts, and deletes a critical registry subkey to mask its presence on the machine. It then modifies the registry further, adding another entry to another registry subkey so that the folders and files it has installed on the infected system are hidden. This security risk also attempts to hijack the 'Routing and Remote Access' service by setting a value under a particular registry subkey. It then drops the munia.dll file and injects it into the currently running processes.

After completing these registry modifications, the W32.Munia malware starts its keylogging activity to obtain usernames and passwords for the Legend of Mir game. This game is targeted by malicious users because in-game credits are hard to earn, so stolen credits can be auctioned off to the highest bidder or sold for real-world money. The virus sends the harvested game account information to a remote server through explorer.exe. It then attempts to infect the executable files it locates on the compromised machine.
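The description names four host artefacts a responder can check for: munia.dll injected into running processes, a Run-key entry for start-up persistence, a registry value set under the 'Routing and Remote Access' service (service name RemoteAccess), and dropped .bd files. The PowerShell triage script below is an added example, not code from the original page or from any vendor; it assumes the exact Run value name, the exact service value and the drop directory are unknown (the description does not give them), so it inspects every Run value, reports the two values that control what the RemoteAccess service loads, and searches the system and profile roots.

```powershell
# Added example: triage a Windows host for the W32.Munia indicators described above.
# Run from an elevated PowerShell prompt; protected processes may still refuse module access.
$hits = @()

# 1. munia.dll injected into running processes (file name taken from the description)
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try {
        $m = $p.Modules | Where-Object { $_.ModuleName -ieq 'munia.dll' }
        if ($m) { $hits += "munia.dll loaded in PID $($p.Id) ($($p.ProcessName)): $($m.FileName)" }
    } catch { }   # access denied on protected processes is expected, not an indicator
}

# 2. Start-up persistence: the value name is not given, so every Run value is inspected
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $data = "$($props.$name)"
        if ($data -imatch 'munia') { $hits += "Run value '$name' in $k -> $data" }
    }
}

# 3. 'Routing and Remote Access' service (service name RemoteAccess). Which value the
#    virus sets is not stated, so the values that decide what the service loads are
#    reported for review and flagged if they point at a munia component.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess'
if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $dll = (Get-ItemProperty -Path "$svc\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    Write-Output "RemoteAccess ImagePath : $img"
    Write-Output "RemoteAccess ServiceDll: $dll"
    if ("$img $dll" -imatch 'munia') { $hits += "RemoteAccess service points at a munia component" }
}

# 4. Dropped .bd files (extension from the description; drop path unknown, so search
#    the system root and the current user's profile)
foreach ($root in @($env:SystemRoot, $env:USERPROFILE)) {
    Get-ChildItem -Path $root -Filter '*.bd' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += ".bd file: $($_.FullName)" }
}

if ($hits.Count -gt 0) { $hits | ForEach-Object { Write-Output "INDICATOR: $_" } }
else { Write-Output 'No W32.Munia indicators found' }
```

A hit on any of the first three checks warrants a full investigation, since the same technique (Run-key persistence, service tampering, DLL injection) is shared by other malware; a .bd file on its own is the weakest of the four signals.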