Be careful on help files

The other day, I came across a malware that attempts to hide its infection not in that technical but in the very unique way.

“Muster” is a family of backdoor which has been using help files for hiding themselves. The help files or “.hlp” files are data files designed to be viewed with Microsoft WinHelp browser for providing online helps for applications users. Earlier variants of “Muster” drop encoded copies of main backdoor components in filenames with the extension “.hlp”. These “.hlp”files are later decrypted with Microsoft CryptAPI with hardcoded keys and executed by loaders.

A recent variant “Muster.e” is using help files in a different way. Once installed, it infects to an existing help file called “imepaden.hlp” which is the one of the help files for Microsoft IME. Of course, this infected help file still can be viewed with WinHelp browser in the same manner as the original help file, and users hardly find its infection from the view.

How this is activated upon each machine boot? Muster.e also drops a sys file that is loaded as a service upon reboot. This sys file is responsible for extracting the appended executable file from the help file and copy it to a standalone executable file called “upgraderUI.exe”with the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run AutoPatch, which makes users to believe this is something related to a system update tool. On top of this, the malware authors also have crafted the sys file for deceiving users.

As you can see, this sys file has names like “MyDDKDevice” and “HelloDDK”, and is designed to dump many debug messages and which looks to be a typical test sys file compiled from a sample code in the layman’s guidebook for learning device driver programming. In fact, if you search on these words, you will see lots of web pages describing device driver programming. It is not that easy to tell why authors have created a sys file this way. However, regarding the efforts on hiding backdoors in help files, I don’t think bad guys have bored with creating a sys file from the scratch but more like tricking users that this is innocent.

One of the likely scenarios planned by the malware authors is this. Victims may notice the existences of this suspicious file UpgraderUI.exe and the registry key, and then they will delete the file and registry key. Then they would think they have removed this backdoor successfully. Even if they find the file and the registry key is coming back again and again on each reboot, users will not able to find any other suspicious files. Users will never imagine that the sys file is malicious or the infection to the file imepaden.hlp.

I don’t know if these deception techniques really work, however you might want to add help files to your checklist if your machine is suspected to be infected. McAfee VirusScan with DATs 5861 or later detects and cleans those infected help files and backdoor files.