MusaLLaT.exe: From Prank to Pandemic Part 1 - History and Redemption of a Malware Creator

The information contained in this blog post is for informational purposes only and should not be construed as technical advice or instructions. I am not responsible for any harm or damage that may occur as a result of this information or sources provided in the post. By reading this post you acknowledge and agree that you do so at your own risk! Also, the banner image is generated with Microsoft Designer and Zoo 1

Delving into the Origins

In 2009, a young Turkish hacker, whose name will remain undisclosed, created a malware program called MusaLLaT.exe. Originally intended as a means of retaliation against his friend following a series of arguments, the program quickly spiraled out of control.

MusaLLaT.exe is a relatively straightforward malware program. It infiltrates computers through infected USB drives or network shares. Once installed, the program replicates itself in every folder on the infected computer.

The program’s name, MusaLLaT, translates from Turkish to “haunting” or “infested in a bad spiritual way.” This name fittingly describes a program that can rapidly stop or inconvenience an infected computer.

It is believed the hacker sent this virus to his friend using a USB stick. The exact message or interaction is unknown, but his friend used it, possibly due to a dispute they had a couple of days prior. As his friend used the USB at various locations—on his own computer, in his school’s computers, and at local office supply shops—the virus began a domino effect. One infected device led to two, two led to four, and the pattern continued exponentially, rapidly spreading the infection.

Image: At the time everybody knew this USB stick had MusaLLaT.exe in it

The Widespread Effects of MusaLLaT.exe

In Turkey

MusaLLaT.exe quickly spread throughout Turkey. While it’s not certain, the initial reports of this virus surfaced in Izmir, and within a year, it had spread to nearly every city in Turkey. It found particularly fertile ground within schools, where students unknowingly spread the program by using infected USB drives. The widespread impact within educational institutions stemmed from this very practice.

An additional challenge surfaced as the Ministry of Education introduced Smart Boards into classrooms during this period. These interactive devices initially operated on Windows 7, later upgrading to Windows 8 and 10. The virus found a pathway into these boards through students who unknowingly used their infected USBs to transfer presentation files onto the Smart Boards. That’s how my classroom in high school got it.

Image: Faith Projesi. It was called the Faith Project

The exact damage caused by MusaLLaT.exe is unknown, but we know it caused widespread damage, mostly in operational costs, as the devices needed to be fully reset (at the time no antivirus was working, so IT departments and people simply reinstalled Windows). It infected computers in businesses and government agencies. It also disrupted educational institutions: some Smart Boards were not operational for a couple of days. This can clearly be seen when you browse the Turkish tech forums.

Schools' Response

The infestation caused such a significant problem that government schools shared instructions on their websites regarding how to remove this virus, a practice that continues. The most intriguing aspect of these websites is that there are posts as recent as 2023, a whopping 12 years after the virus was created, and it still persists. Here are some examples:

World

The impact of MusaLLaT.exe extended beyond Turkey, affecting countries such as Germany, the USA, Russia, and Iran. Queries regarding the nature of the malware and methods to eliminate it surfaced in Russian forums (You can find many more examples from different countries, these are just examples):

According to several Turkish sources, MusaLLaT garnered attention with news headlines in multiple countries. While some evidence, such as pictures, suggests the existence of at least three headlines on certain news sites, these articles are currently inaccessible. For instance, I couldn’t locate any of the news headlines shown in a TikTok video related to MusaLLaT.

Images: New York Times; Der Spiegel

Searching the New York Times archives using a title like “Turkish Virus Swept The Whole World” didn’t yield any results. Should anyone come across these articles or have information about them, please feel free to leave a comment.

Some Interesting Examples

  • Personal Note: In 2015, I first encountered this virus on my high school’s smart board, which subsequently infected my friends’ computers. Recognizing it as a virus, I downloaded USB sanitizer software to prevent spread to my machines. Additionally, I searched for a program to eradicate the virus for my friends, teachers, and the smart boards. Unaware of the creator’s auto removal tool at that time, I eventually found a program that could remove it, though I regrettably can’t recall its name. Later, an upperclassman discovered another program and went around all smart boards in the school, running the program to eliminate the virus. I remember this because he entered our classroom with a teacher, explaining what he was doing—quite a memorable experience, to say the least!
  • In 2019, a Reddit user shared an experience, stating, “So I got the virus from an old flash drive, and my antivirus (SpyHunter) detected it but couldn’t remove it. The virus was named “MusaLLaT.exe,” translating to ‘haunting or infested in a spiritual way’ in Turkish.” This user believed the virus tampered with the game files, causing crashes. Later, in an edited comment, they mentioned using ‘hakkını_helal_et.exe’ to eliminate it. I’ll get to this .exe in a minute.
  • Image, dated Nov 28 2023: It’s back baby!!

Searching ‘musallat.exe’ on Twitter, Facebook, Google, etc. yields various results; the most notable thing is that it still exists now. Nevertheless, antivirus software can now swiftly detect and eliminate it.

Image: People Comparing to Ebola and Corona Virus

Journey of Realization and Remorse

Since its inception, across numerous Turkish forums, Twitter, Facebook, and essentially every platform where sharing was feasible, the creator of this virus faced a barrage of insults and death threats. Presumably in response, in 2013, about 4 years later, the author of MusaLLaT.exe developed a tool called ‘hakkını helal et.exe’ to clean the MusaLLaT virus. They shared this tool at this address, which is currently inactive: https://musallatexe.blogspot.com

Image: hakkını helal et.exe. Sadly, the Facebook link page doesn’t exist anymore

For those who don’t know, hakkını helal et is a Turkish Islamic term. Essentially, it is like this (incoming Islamic education);

Let’s say this person did something for you for free, as a favor… They have “hak” on you. Or in another example, you are in a taxi but you don’t have change, and the taxi driver lets you pay less; they have “hak” on you. Hak is basically something that you somehow couldn’t pay back or match in favor back. So “hakkını helal et” means, “please let your hak go for free”. If you break someone’s heart, they have “hak” on you. If you steal someone’s money, they have “hak” on you. Your mother and your father have “hak” on you for raising you; your friends and your siblings all have hak on you because they helped to shape your personality, etc.

Hak is very important in Islam. For example, if you repent, all your sins could be forgiven. But Allah won’t forgive “hak”, because it is not something you do against Allah. The one who has hak on you must say “helal olsun” for you to be forgiven. And if you aren’t forgiven you will certainly go to hell.

This is probably the funniest incident in the realm of antiviruses.

You might immediately question whether this program can be trusted. After all, the person created the virus, and using this program could potentially inflict another blow by removing it. However, I’ve tested the program, and it works. It successfully cleans viruses from both the computer and infected flash drives.

Unveiling the Malware’s Technical Capabilities - Part 1

You can download MusaLLaT.exe and hakkını_hellal_et.exe from this GitHub repo. The password for the files is “infected”.

  • Written in VSBasic. It utilizes an Autorun.ini file from USB drives to automatically execute itself.
  • It manipulates the hosts file to block access to certain antivirus sites, stopping antivirus downloads and updates.
  • It can sometimes disable Task Manager, although I’ve personally never encountered this occurrence.
  • One of its actions involves creating new .exe files within all computer folders, each bearing the same name as the parent folder. This behavior is reminiscent of the commonly known Newfolder.Exe virus.

Essentially it would look like this:

📂 Documents
  └☣️Documents.exe
  └📁 Yes Really
      └☣️Yes Really.exe
      └📁 Cool
          └☣️Cool.exe

Image: USB Drive Sample (Folder .exe)

It was relatively easy to identify if your USB drive was infected because the virus created additional files on the drive.

Personal_USB F:/
  └☣️MusaLLaT.exe
  └☣️Personal_USB.exe
  └☣️ .lnk ## Empty Name
  └☣️Özel Dosyalar.exe ## Means Special Files

Image: USB Drive Sample (USB Drive)
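The file-name patterns in the two listings above can be turned into a simple triage scan. This is an added example, not code from the original post or from the malware author's cleaner; the function names, the `volume_label` parameter and the placeholder file tree are assumptions made for illustration.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

def _norm(text):
    """Case-insensitive, Unicode-normalised form for file-name comparison."""
    return unicodedata.normalize("NFC", text).casefold()

# Drive-root file names taken from the post's USB listing.
KNOWN_NAMES = {_norm(n) for n in ("MusaLLaT.exe", "Özel Dosyalar.exe")}

def find_artifacts(root, volume_label=None):
    """Return sorted (relative_path, reason) pairs for files matching the post.

    volume_label is an assumed parameter: a drive root has no folder name, so
    the caller supplies the label (e.g. "Personal_USB") to check the root too.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        parent = volume_label if folder == root else folder.name
        for name in files:
            rel = (folder / name).relative_to(root).as_posix()
            stem, dot, ext = name.rpartition(".")
            ext = ext.lower() if dot else ""
            if _norm(name) in KNOWN_NAMES:
                hits.append((rel, "known-name"))
            elif ext == "exe" and parent and _norm(stem) == _norm(parent):
                hits.append((rel, "folder-named-exe"))
            elif ext == "lnk" and not stem.strip():
                hits.append((rel, "blank-name-lnk"))
    return sorted(hits)

def build_constructed_sample(root):
    """Create empty placeholder files mirroring the post's two listings."""
    for rel in ("MusaLLaT.exe", "Personal_USB.exe", " .lnk", "Özel Dosyalar.exe",
                "Documents/Documents.exe", "Documents/notes.txt",
                "Documents/Yes Really/Yes Really.exe",
                "Documents/Yes Really/Cool/Cool.exe",
                "Documents/Yes Really/Cool/setup.exe"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(find_artifacts(tmp, volume_label="Personal_USB"))
```

A name match is only a triage signal: a legitimate program can share its folder's name, so hits should be confirmed with an antivirus scan before anything is deleted.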

In the next part I’ll be reverse engineering this MusaLLaT.exe to hopefully see the underlying code.

This post is licensed under CC BY 4.0 by the author.