I-Worm.Merku Viruses Information
Name: I-Worm.Merku
Category: Viruses
Description:
Details
I-Worm.Merkur
This is a worm that spreads over the Internet as an attachment to infected emails, and through P2P networks and IRC channels. The worm itself is a Windows PE EXE file about 45Kb in length, written in Visual Basic.
The infected messages have the following fields:
Subject: Update your Anti-virus Software
Attachment: the name is randomly selected from three variants:
AVupdate.exe
taskman.exe
uninstall.exe
Body:
Here is a patch for your AV software, it will cover all the latest out breaks of worms ect
(worms as in virus not earth worms! lol)
The worm activates from an infected email only if the user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the system under the following names:
c:\WINDOWS\taskman.exe
c:\AutoExec.exe
c:\Windows\System\AVupdate.exe
c:\Program Files\uninstall.exe
c:\Windows\Notepad.exe
c:\windows\screensaver.exe
The "AVUpdate.exe" copy is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVupdate = c:\Windows\System\AVupdate.exe
All directory names are hardcoded in the worm body, so it fails to copy itself and infect the system if directories such as "C:\Windows" do not exist.
Spreading: Email
To get victim email addresses, the worm connects to MS Outlook and sends messages to all addresses found in the Outlook address book.
Spreading: IRC
The worm creates new "c:\mIRC\script.ini" and "c:\mIRC\Program Files\script.ini" files and writes IRC commands to them that send the following message to anybody who joins an infected channel:
Hi want a cool screen saver?
and then send a copy of the worm under the name "screensaver.exe".
Spreading: P2P
To spread through P2P networks, the worm copies itself to the following paths in the Kazaa, BearShare and eDonkey shared directories:
c:\program files\kazaa\my shared folder\IPspoofer.exe
c:\program files\bearshare\shared\IPspoofer.exe
c:\program files\eDonkey2000\incoming\IPspoofer.exe
c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
c:\program files\bearshare\shared\Virtual Sex Simulator.exe
c:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe
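Because the worm installs by copying one executable under many fixed names, byte-identical files at two or more of the listed paths are a stronger indicator than any single name (Notepad.exe, for instance, is also a stock Windows file). The check below is an added example, not part of the original description; it assumes the suspect C: drive is mounted or extracted under a directory passed as `root`, and the function names are hypothetical.

```python
import hashlib
import os
from collections import defaultdict

# Drop locations listed in the description, relative to the C: drive root.
SHARES = (r"kazaa\my shared folder", r"bearshare\shared", r"eDonkey2000\incoming")
LURES = ("IPspoofer.exe", "Virtual Sex Simulator.exe")
DROP_PATHS = [
    r"WINDOWS\taskman.exe", r"AutoExec.exe", r"Windows\System\AVupdate.exe",
    r"Program Files\uninstall.exe", r"Windows\Notepad.exe",
    r"windows\screensaver.exe",
] + ["\\".join(("program files", s, n)) for s in SHARES for n in LURES]


def resolve(root, win_path):
    """Resolve a Windows-style relative path case-insensitively under root."""
    current = root
    for part in win_path.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None


def find_worm_copies(root):
    """Return groups of listed paths whose contents are byte-identical."""
    by_hash = defaultdict(list)
    for win_path in DROP_PATHS:
        real = resolve(root, win_path)
        if real:
            with open(real, "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(win_path)
    # One listed name alone proves little; the same bytes under two or more
    # listed names matches the self-copying behaviour described above.
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


if __name__ == "__main__":
    import sys
    for group in find_worm_copies(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("identical copies:", ", ".join(group))
```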
Trojan Routine
The worm also has a trojan routine that deletes all files matching:
*.jpg, *.mpg, *.bmp, *.avi
in the directories:
C:\Program Files\Kazaa\My Shared Folder
c:\program files\bearshare\shared
c:\program files\eDonkey2000\incoming
To do that, the worm writes the trojan commands to the DOS batch file c:\pr0n.bat, executes it, and then deletes it.
Other
The worm displays message boxes:
on December 31st:
Win32.mercury@mm
allSaving the world before bed time...
on February 16th:
Win32.mercury@mm
...Win32.mercury Coded by Industry @ ANVXgroup...
on April 2nd:
Win32.mercury@mm
...Shout out to Every one @ Indovirus...