Trojan Muster.e (McAfee detection name)
Written by Adam   
Thursday, 04 February 2010 13:41

According to security firm McAfee Labs, a piece of malware has been discovered that copies itself into a Windows help file in order to infect the victim's computer. The trojan, which McAfee calls Muster.e, infects a Windows file named imepaden.hlp, one of the help files for Microsoft IME. The imepaden.hlp file serves as storage for the main malware component, kept in encrypted form. An infected help file can still be opened in the WinHelp browser and looks like the original help file, so it is quite difficult for a user to notice the infection just by viewing the file.

When the installed malware is removed, the hidden code inside it (the so-called sys file) is decrypted into an executable named upgraderUI.exe, registered under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key as AutoPatch, and the installation file runs automatically and starts a Windows service.

Muster is a family of backdoors that use help files to hide themselves. A help file (.hlp) is a data file designed to be viewed with Microsoft's WinHelp browser, providing online help for the applications a user works with. The .hlp file is decrypted with Microsoft CryptoAPI, using a complex algorithm and key, and executed by the loader file, all of it inside a hidden process. The infected Windows help file is clever enough to fool the user.

"This Trojan usually works more easily on the client-side computer," said Craig Schmugar, McAfee Labs threat analyst.

One scenario with this malware technique: a victim who is unaware of the strange UpgraderUI.exe file and its registry entry deletes both and believes the backdoor has been removed. In fact, the same file and registry entry come back again and again after every reboot, and the user still cannot find any other suspicious file. The user never realises that the sys file, and with it the imepaden.hlp file, has been infected.
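A defender-side check for the indicators named in this article (the AutoPatch Run value launching upgraderUI.exe, and the imepaden.hlp help file that carries the encrypted payload). This is an added example, not code from the article or from McAfee; the registry paths and the search under the Windows directory are assumptions, and the reported hash must be compared against a known-clean copy of imepaden.hlp because the article gives no reference hash.

```powershell
# Added example: audit a host for the Muster.e persistence indicators described above.
# Assumption: the Run value lives in one of these keys (HKLM, Wow6432Node, or HKCU).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $value = [string]$p.Value
        # Flag the value name from the article, or any command that launches upgraderUI.exe
        if ($p.Name -eq 'AutoPatch' -or $value -match 'upgraderUI\.exe') {
            $findings += [pscustomobject]@{
                Indicator = 'Run value'
                Where     = "$key\$($p.Name)"
                Detail    = $value
            }
        }
    }
}

# Locate imepaden.hlp under the Windows directory (exact location is an assumption).
# Deleting upgraderUI.exe and the Run value alone is not enough: the encrypted payload
# stays inside this help file, so its hash, size and timestamp must be compared to a
# known-clean copy from an uninfected installation.
$hlpFiles = Get-ChildItem -Path $env:windir -Filter 'imepaden.hlp' -Recurse -ErrorAction SilentlyContinue
foreach ($f in $hlpFiles) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'Help file'
        Where     = $f.FullName
        Detail    = "SHA256=$hash; size=$($f.Length); modified=$($f.LastWriteTime)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Muster.e Run-key indicators found and imepaden.hlp not present.'
} else {
    $findings | Format-Table -AutoSize
}
```

A Run value that reappears after deletion and reboot, combined with an imepaden.hlp whose hash differs from the clean copy, matches the re-infection cycle the article describes.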

Meanwhile, McAfee has released an update, McAfee VirusScan DATs 5861 or newer, which can detect and clean the infected help file and the backdoor file.
McAfee has detected this threat since January 14th, 2010.

source : www.beritanet.com/Technology/Security/Muster-Windows.html
