back to article Stubborn trojan stashes install file in Windows help

Security researchers have spied malware that stashes a copy of itself in a Windows help file to ensure victim computers remain infected. The trojan, dubbed Muster.e by anti-virus provider McAfee, infects a Windows file called imepaden.hlp so it stores the main components of the malware in encrypted form. In the event the …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    scan everything???

    This is why your weekly scan should be of all files, not just executables. Sure, it takes a long time (6hrs on my laptop), but it would find crap like this.

    1. Ken Hagan Gold badge

      Re: scan everything???

      "In the event the installed malware is removed, the secret payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service."

      Taking that quote at face value, we have *two* executable files in the chain. One is (presumably) permanently running and was presumably missed by the scanner both when it most recently loaded and when it was originally written to your disk. The second is called UpgraderUI.exe and is presumably also missed by the scanner.

      Asking *this* scanner to peruse the help file really isn't going to improve matters.

  2. Tom 7

    What Muckycoffee

    is really saying is we missed this old trick first time round.

  3. Graham Wilson

    McAfee seems surprised. Where the hell has McAfee been all these years?

    McAfee seems surprised. Where the hell has McAfee been all these years?

    "This is hiding in plain site," said Craig Schmugar, a threat researcher at McAfee Labs. "The help file trick is pretty new to us. Usually on the client, we don't see this very often."

    Am I reading this right? Is McAfee really saying that they are not used to viruses being stored in non-executable files?

    Are you going to tell me that the method this virus is using is somewhat neat and a new trick to Mc Afee? Viruses have been obfuscating themselves for years in all sorts of files, big deal.

    What he's really saying is that anti-virus software cheats. When scans are done, they are normally only done on executable files, exe, scr etc. to speed up the scan.

    Well, it's about time ALL AV software defaulted to scanning ALL files including those without an extent.

    Anyone who does not scan every file--executable or not--is a damn fool. No wonder I've not used McAfee for years.

    1. Keith Oldham

      Re : McAfee seems surprised. Where the hell has McAfee been all these years?

      So what is executing to extract/run this executable ?

  4. The Original Ash

    I migrated to Ubuntu last night

    I have my first issue to debug (PulseAudio, for those in the know). For the first time in around 4 years, I can't WAIT to get my teeth stuck in.

    Here's to being free of 99% of malware!

    1. Neil 6


      and 95% free of useful applications. Have fun.

      1. jake Silver badge

        @Neil 6

        Me old Mum has been running Slackware exclusively for well over a year. My Great Aunt, for over 6 months. My Wife can't remember the last time she booted into the XP side of her machine. My primary desktop has been Slackware for almost 15 years, with (mainly) BSD on the servers. Our businesses are running just fine, TYVM.

        Please tell me more about lack of useful applications; clearly I must be doing something wrong ...

    2. Rafael 1
      Thumb Up


      Just out of curiosity, what's on that 1%?

  5. Seanie Ryan
    IT Angle


    "The help file trick is pretty new to us. Usually on the client, we don't see this very often."

    if its NEW, then you have NEVER seen it.... !!!!

    if you dont see it very often, you have admitted to seeing it in the past, so it cant be new, you muppet.

    or maybe he meant he usually sees it on the cloud & servers, not the client !!! LOL

    1. Anonymous Coward
      Anonymous Coward

      To be fair...

      ....they never said it was new to them. They said it was `prettty new to them` which isn't the same thing....

  6. Paul Crawford Silver badge

    Smug as usual

    "No doubt it's also perplexed its share of users who for the life of them can't figure out how their PCs keep getting reinfected."

    Given Windows has 99.9% of all known malware, the answer to that is so obvious to any reader of El Reg. The penguin, or a Mac, is a good start, and learning how to use the damned thing without admin privileges and without saying "yes" to every dumb web borne suggestion that oozes its way in to view...

    Yes, I know a lot of folk have no option but windows, but then you can have a VM and if its gets stuffed, simple wipe and copy from a backup. Few minutes down (not hours or days of re-install, license, patch, configure, etc) and a fresh bit of Redmond meat for the viruses to start over again with.

  7. Anonymous Coward


    stop the 'my computers operating system is better' nonsense. Its all been done before and is getting very boring and largely irrelevance to the issue raised in the article.

  8. Paul Crawford Silver badge

    @Rafael 1

    Correct figure is around 99.9% from here:

    Totals are:

    Linux 1898

    OSX 48

    Windows 2247659

    (OK Apple fanbois have a smug snigger)

    @Neil 6

    Can you name 10 such applications that are Windows-only? I guess a few CAD programs are, but for most users you can get most tasks done on Mac or LINUX just fine (thinks: web browsing, email, IM, photo editing, word processing). Have I missed some 'killer app' here?

  9. Anonymous Coward
    Anonymous Coward


    So it needs the companion service to be running in order to reinfect the machine? Why are McAfee not removing this companion service?

    Or are they saying that they missed this service first time round and are frantically making excuses now? What are the other AV vendors saying?

  10. Filippo Silver badge
    Thumb Down

    companion service?

    I don't see where's the news. The machine has a compromised service running, and the antivirus doesn't remove it. Of freakin' course the virus will get reinstalled. I think viruses doing this have been around forever. Why would it make a difference if the executable is encrypted somewhere on the HDD? A malicious service could get it from anywhere it wants, up to and including from the 'net.

    Oh, and please can the pointless "Windows vs. any-OS-with-an-X" crap.

  11. Anonymous Coward

    the company that made help files dangerous

    > In the event the installed malware is removed, the secret payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service ..

    What other process does the decrypting and runs the executable and why doesn't the AV software pick it up.

    1. Ammaross Danan

      Insert Title Here

      The service executible just decrypts the virus from within the help file if the original virus is deleted. That is all it does, thus nothing would get flagged by a heuristics-type scan. A virus definition scan may pick it up if they thought of checking if a helper service was installed in addition to the actual virus, but it looks like an oversight.

      As for the hidden virus, no virus scanner can remove it because it is encrypted (presumably with a key generated upon infection), and thus not something that can be described by a "virus definition." They best they could do would be to check the .hlp file for any non-standard info (hashes of all versions of the file perhaps?) and simply quarantine it if it fails. Granted, now they know, they should check for the service exe and quarantine the .hlp if one if this virus is found. But that's just sensical, and what would an antivirus be (especially McAfee) if they did something that made sense?

  12. Wize

    @Paul Crawford

    I use many bits of software that are Windows only. Eg, programming packages for AB PLCs.

    1. jake Silver badge


      My winery's PLCs work just fine. I use OpenBSD ... thirty-odd years ago, I was using OSless PDP11s and occasionally Apple's 6502 gear to do the same thing. You might not know how to do it without Windows(c)[tm](r), but that doesn't mean it isn't being done.

  13. Anonymous Coward
    Anonymous Coward

    Cleaning Viruses on Desktops... a waste of time. Just reimage it. Takes about 20 mins. Problem solved. Doesn't matter how `clever` they are then.

    Well - unless they manage to write the code to some NVRAM chip or BIOS or something. Then you're fucked. But TBH if anyone of that calibre is specifically after you you're fucked anyway ;)

  14. Aaron 10
    Jobs Halo


    CHM (compiled help files) are a known vector for viruses. Get someone to open this help file (or put it in the RUN key or StartUp group) and that's it. Essentially, this is a trojan that is using a help file instead of the usual suspects (EXE, BAT, SCR, CMD, COM) to infect the system.

  15. Yakubu Abdulai

    So what is the way forward McAfee

    Even though I seem to understand the magnitude of the problem, what can we do to prevent the problem. For those of us who are supposedly not yet infected, what can we do?

This topic is closed for new posts.

Other stories you might like