I was roving around today on the McAfee TrustedSource Research Blog website and came across a very interesting entry about malware writers using Help files to mask infection sources. This is not a new technique but a recent variant known as Muster.e has some characteristics that are interesting.
Muster.e infects the “imepaden.hlp” help file. This help file is used for Microsoft IME – input method editor. IME allows a user to enter characters or symbols not found on their input device. So, a user with a Western keyboard could enter Asian characters. This help file can be viewed normally even when infected. The infection creates a system service that extracts the virus executable portion from the help file after each reboot. So, even if you clean out the registry key and remove the malicious file it creates, the device remains infected due to the compromised “imepaden.hlp” file.
McAfee does mention that their AV product does detect and clean this infection. However, this research shows another trick that attackers use to maintain a foothold on infected systems. When was the last time you were working on an infected system and asked the user about what HLP files they had been looking at recently?
Thanks for reading & let’s continue to be good network citizens!