Aliases: W32/Mubla.gen
Variants: W32.Mubla

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 25 Dec 2007
Damage: Low

Characteristics: This security threat is a generic detection of the Mubla worm family. The W32.Mubla.Gen worm has a single spreading method: it spreads through instant messaging applications by sending links to malicious URLs to every contact on the local contact list. The difference between IM worms such as this one and email worms, which also send infected links, is the medium used to deliver the links.

More details about W32.Mubla.Gen

Once executed, the W32.Mubla.Gen worm copies its malicious code onto the compromised system under random file names. It can also considerably lower the system's security settings, since it makes a number of registry modifications so that its code runs every time Windows starts. The worm additionally opens a back door on the compromised machine via IRC (Internet Relay Chat) channels, which grants a remote attacker access to the machine. The back door capabilities of this security risk include preventing the Windows firewall from blocking activity on its ports; the worm performs this task by launching a shell command and creating a particular registry entry. If a port is opened successfully, the worm tries to connect to one of several predefined URLs to notify its remote author of the compromised system's status.

The worm then waits for its remote author to connect to the compromised machine. Once a connection is established, the remote author issues commands that are carried out locally. These commands can include downloading and running additional security risks on the affected machine, deleting critical system data, and hiding folders and files. The W32.Mubla.Gen application also has rootkit functions. The rootkit feature allows the worm to operate stealthily on the computer: it renames the files it drops so that they appear to be legitimate Windows files. The rootkit component may also disable active security applications on the computer, such as firewalls and anti-malware programs.
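The two paragraphs above describe three host-side footprints a defender can audit: autorun registry entries, a per-program Windows firewall exception added through a shell command and a registry entry, and a persistent outbound IRC connection. The following PowerShell script is an added example written for this page, not code from the original write-up or from any vendor tool. It checks the standard Windows Run keys and both the legacy `AuthorizedApplications\List` and the newer `FirewallRules` firewall keys for executables that are missing, unsigned, or located in user-writable directories, and lists established TCP connections to the conventional IRC ports (6667 and 6697). The key paths and port numbers are standard Windows and IRC conventions; the write-up gives no Mubla-specific file names or registry values, so the script relies on heuristics rather than indicators of compromise, and a hit is a triage lead, not a confirmed infection.

```powershell
# Added audit example (not part of the original write-up). Run elevated so
# HKLM firewall keys are readable. Heuristic only: no Mubla-specific IoCs
# are given in the write-up, so matching is by location and signature.

# Standard autorun keys the write-up says are modified for persistence.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Legacy (XP-era) per-program firewall exception lists, which the old
# "netsh firewall add allowedprogram" command writes to, plus the
# FirewallRules key used by the Windows Firewall with Advanced Security.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$fwKeys = @(
    "$fwBase\StandardProfile\AuthorizedApplications\List",
    "$fwBase\DomainProfile\AuthorizedApplications\List",
    "$fwBase\FirewallRules"
)

function Get-ExePathFromValue {
    param([string]$Value)
    # Extract the first drive-rooted .exe path from a command line, a legacy
    # "path:*:Enabled:name" entry, or a "|App=path|" FirewallRules entry.
    if ($Value -match '([A-Za-z]:\\[^"|]*?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Test-SuspiciousExe {
    param([string]$Path)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        $reasons += 'file missing'
    } else {
        # Genuine Windows binaries carry a valid Authenticode (or catalog)
        # signature; a dropped file renamed to look like one does not.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    # Droppers typically land in user-writable directories, not System32.
    if ($Path -match '\\(Temp|AppData|Users|Documents and Settings)\\') {
        $reasons += 'user-writable location'
    }
    return $reasons
}

$findings = @()
foreach ($key in ($runKeys + $fwKeys)) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        $exe = Get-ExePathFromValue -Value ([string]$p.Value)
        if (-not $exe) { continue }
        $reasons = Test-SuspiciousExe -Path $exe
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Key = $key; Name = $p.Name; Exe = $exe; Reasons = ($reasons -join '; ')
            }
        }
    }
}

Write-Host '== Suspicious autorun / firewall-exception entries =='
$findings | Format-Table -AutoSize

# The write-up says the back door is reached over IRC; list established
# connections on the conventional IRC ports with the owning process so the
# binary can be checked against the findings above.
Write-Host '== Established connections on IRC ports (6667, 6697) =='
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 6667, 6697 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.Path } else { '(unknown)' }
        }
    } | Format-Table -AutoSize
```

Catalog-signed Windows components report `Valid` on Windows 8 and later, but on older systems some legitimate files show `NotSigned`, so confirm a flagged file by hash or by comparing it with a known-good copy before removing it. A back door that uses a non-standard port will not appear in the IRC port filter; extend the port list or drop the filter and review all established connections from unsigned processes instead.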