Email-Worm.Win32.Merond.a

Email-Worm.Win32.Merond.a
Detection added Jan 21 2009 Update released Jan 21 2009 21:39 GMT Description added Mar 12 2009

Technical details
This worm spreads as an attachment to infected emails and also via file-sharing networks and removable media. The worm itself is a Windows PE EXE file. The worm’s executable file can vary between 150KB to 400KB in size.
Installation
The worm copies its executable file to the Windows system directory:
%System%javaupd.exe
%System%javaqs.exe
In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file to the system registry:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
“Kaspersky Email Security” = “%System%javaupd.exe”
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun]
“Java update” = “%System%javaqs.exe”
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
“Java update” = “%System%javaqs.exe”
[HKLMSOFTWAREMicrosoftActive SetupInstalled Components{1A2K5H58-65CP-B7PP-F600-
3023OJX71M20}]
“StubPath” = “%System%javaqs.exe”
The worm also adds its executable file to the Windows firewall list of trusted applications.
Propagation via email
The worm harvests email addresses from files with the following extensions:
txt
htm
shtl
php
asp
dbx
dbh
wab
It also harvest addresses from the victim machine’s address book.
In order to send messages the worm attempts to establish a direct connection to SMTP servers. Messages are not sent to addresses which contain any of the strings listed below:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
Security
accoun
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
berkeley
math
mit.e
gnu
fsf.
ibm.com
debian
kernel
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
sun.com
isi.e
isc.o
secur
acketst
pgp
apache
gimp
tanford.e
utgers.ed
mozilla
firefox
suse
redhat
sourceforge
slashdot
avp
syman
panda
avira
f-secure
sopho
http://www.ca.com
prevx
drweb
bitdefender
clamav
eset.com
ikarus
mcafee
kaspersky
virusbuster
icrosof
msn.
borlan
inpris
lavasoft
jgsoft
ghisler.com
wireshark
acdnet.com
acdsystems.com
acd-group
bpsoft.com
buyrar.com
bluewin.ch
quebecor.com
alcatel-lucent.com
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
messagelabs
honeynet
honeypot
idefense
qualys
spm
spam
www
abuse
.co
The messages sent look like this:

The zip archive contains a file called “ikea” which will have one of the extensions listed below:
.zip
.rar
.cab
.txt
.reg
.msi
.htm
.html
.bat
.cmd
.pif
.scr
.mov
.mp3
.wav
It also has an .exe extension after the first extension.
Propagation via P2P networks
The worm copies its executable file under one of the names listed below:
K-Lite codec pack 4.0 gold.exe
Youtube Music Downloader 1.0.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Password Cracker.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
VmWare keygen.exe
WinRAR v3.x keygen RaZoR.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Red Alert 3 keygen and trainer.exe
Ad-aware 2008.exe
BitDefender AntiVirus 2009 Keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne – Way Of Life,Khia – My Neck My Back Like My Pussy And My
Crack,Mario – Let Me Love You,R. Kelly – The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent – P.I.M.P, Jennifer Lopez Feat. Ll Cool J –
All I Have, 50 Cent – 21 Question).exe
Acker DVD Ripper 2009.exe
LimeWire Pro v4.18.3.exe
Download Accelerator Plus v8.7.5.exe
Opera 10 cracked.exe
Internet Download Manager V5.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Motorola, nokia, ericsson mobil phone tools.exe
Smart Draw 2008 keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Absolute Video Converter 6.2.exe
Daemon Tools Pro 4.11.exe
Download Boost 2.0.exe
Silkroad Online guides and wallpapers.exe
Alcohol 120 v1.9.7.exe
CleanMyPC Registry Cleaner v6.02.exe
Super Utilities Pro 2009 11.0.exe
Power ISO v4.2 + keygen axxo.exe
G-Force Platinum v3.7.5.exe
Divx Pro 6.8.0.19 + keymaker.exe
Perfect keylogger family edition with crack.exe
Ultimate xxx password generator 2009.exe
Google Earth Pro 4.2. with Maps and crack.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Sophos antivirus updater bypass.exe
Half life 3 preview 10 minutes gameplay video.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
FOOTBALL MANAGER 2009.exe
Wow WoLTk keygen generator-sfx.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Tuneup Ultilities 2008.exe
Kaspersky Internet Security 2009 keygen.exe
Windows XP PRO Corp SP3 valid-key generator.exe
to the shared folders of the following P2P clients:
grokster
emule
morpheus
limewire
tesla
winmx
DC++
Propagation via removable media
The worm copies its executable file to all removable media as shown below:
:redmond.exe
X is the name of the removable disk
In addition to its executable file, the worm also places the file shown below in the root of the disk:
:autorun.inf
This file will launch the worm’s executable file each time Explorer is used to open the infected disk.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the malicious program’s process.
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following system registry parameters:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
“Kaspersky Email Security” = “%System%javaupd.exe”
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun]
“Java update” = “%System%javaqs.exe”
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
“Java update” = “%System%javaqs.exe”
[HKLMSOFTWAREMicrosoftActive SetupInstalled Components{1A2K5H58-65CP-B7PP-F600-
3023OJX71M20}]
“StubPath” = “%System%javaqs.exe”
4. Delete the following files:
5. %System%javaupd.exe
%System%javaqs.exe
6. Delete the files shown below from all removable storage media:
7. :autorun.inf
:redmond.exe
X is the name of the removable disk
8. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Tagged:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: