Win32/Merond [Threat Name]

Win32/Merond.L [Threat Variant Name]

Category: worm
Size: 265728 B
Detection created: May 03, 2009
Detection database version: 4050
Aliases: Trojan.Win32.Buzus.axhl (Kaspersky)
         Generic.dx!bo.trojan (McAfee)
         W32.Ackantta.B@mm (Symantec)
Short description

Win32/Merond.L is a worm that installs the Win32/Adware.Virtumonde adware. It is able to spread via e-mail and P2P networks.

Installation

When executed, the worm copies itself into the following location:

  • %system%\javaclp.exe (265728 B)

The following files are dropped into the %system% folder:

  • javasec1.exe (26112 B)
  • javasec2.exe (8704 B)
  • javasec3.exe (Win32/Adware.Virtumonde, 48640 B)
  • %variable1%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable2%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable3%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable4% (1744 B)

A string with variable content is used instead of %variable1-4%.

The worm creates and runs a new thread with its own program code within the following processes:

  • %windir%\explorer.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%random%" = "Rundll32.exe "%system%\%variable2%.dll",s"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SunJavaUpdateSched v10" = "%system%\javaclp.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\%variable3%.dll"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "UpdatesDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    • "Start" = 4
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "MigrateProxy" = 1

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\javaclp.exe" = "%system%\javaclp.exe:*:Enabled:Explorer"
    • "%windir%\explorer.exe" = "%windir%\explorer.exe:*:Enabled:Explorer"

These entries add the worm's executable and explorer.exe (into which the worm injects its code) to the Windows Firewall list of authorized applications, creating an exception for both.

It creates other Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%GUID%}\InprocServer32]
    • "(Default)" = "%system%\%variable1%.dll"
    • "ThreadingModel" = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%GUID%}]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    • "ProxyEnable" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    • "sun" = "05"
    • "solaris" = "22"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "ProxyEnable" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\%random1%]
    • "%random2%" = "%random3%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileState9]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileState9]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "LoadAppInit_DLLs" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager]

A string with variable content is used instead of %GUID% and %random1-3%.

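A host-side check for the persistence and defence-evasion entries listed above, added here as an example; it is not ESET's code and not part of the original description. It assumes a registry snapshot supplied as a dictionary mapping each key path to its value names and data (on a live system such a snapshot would be built with winreg or from a .reg export); the randomized names %random%, %variable2% and %variable3% are matched as wildcards, and the sample snapshot is constructed for the demonstration.

```python
"""Registry indicator check for Win32/Merond.L persistence and defence-evasion
entries.  Added example, not ESET's code; the snapshot format is an assumption."""
import re

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
FW_LIST = (HKLM + r"\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# (key, value-name regex, data regex, description).  The description's
# %random% / %variable2% / %variable3% placeholders become wildcards, and
# %system% / %windir% accept any drive and directory prefix.
INDICATORS = [
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     r".*", r'(?i)rundll32\.exe\s+".*\\[^\\]+\.dll",s',
     "Run entry loading a DLL through Rundll32 with export 's'"),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
     r"(?i)SunJavaUpdateSched v10", r"(?i).*\\javaclp\.exe",
     "Run entry for javaclp.exe"),
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     r"(?i)AppInit_DLLs", r"(?i).*\\system32\\[^\\]+\.dll",
     "AppInit_DLLs points at a DLL in %system% (loaded into every process that loads user32.dll)"),
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     r"(?i)LoadAppInit_DLLs", r"1", "LoadAppInit_DLLs enabled"),
    (HKLM + r"\SOFTWARE\Microsoft\Security Center",
     r"(?i)UpdatesDisableNotify", r"1", "Security Center update warnings silenced"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\wuauserv",
     r"(?i)Start", r"4", "Windows Update service disabled (Start=4)"),
    # explorer.exe normally needs no firewall exception; the worm adds one
    # because its network code runs in a thread injected into explorer.exe.
    (FW_LIST, r"(?i).*\\javaclp\.exe", r"(?i).*:\*:Enabled:.*",
     "Firewall exception for javaclp.exe"),
    (FW_LIST, r"(?i).*\\explorer\.exe", r"(?i).*:\*:Enabled:.*",
     "Firewall exception for explorer.exe"),
]


def _norm(key):
    """Registry key paths are case-insensitive; compare them normalized."""
    return key.replace("/", "\\").strip("\\").lower()


def check_snapshot(snapshot):
    """Return one finding dict per (key, value) pair that matches an indicator."""
    snap = {_norm(k): v for k, v in snapshot.items()}
    findings = []
    for key, name_re, data_re, what in INDICATORS:
        for name, data in snap.get(_norm(key), {}).items():
            if re.fullmatch(name_re, name) and re.fullmatch(data_re, str(data)):
                findings.append({"what": what, "key": key, "name": name, "data": str(data)})
    return findings


# Constructed snapshot of an infected XP-era host; the random names are made up.
SAMPLE_SNAPSHOT = {
    HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",  # benign, must not match
        "h3k1d9": r'Rundll32.exe "C:\WINDOWS\system32\qwzptx.dll",s',
    },
    HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SunJavaUpdateSched v10": r"C:\WINDOWS\system32\javaclp.exe",
    },
    HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": r"C:\WINDOWS\system32\mkfwle.dll",
        "LoadAppInit_DLLs": 1,
    },
    HKLM + r"\SOFTWARE\Microsoft\Security Center": {"UpdatesDisableNotify": 1},
    HKLM + r"\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": 4},
    FW_LIST: {
        r"C:\WINDOWS\system32\javaclp.exe": r"C:\WINDOWS\system32\javaclp.exe:*:Enabled:Explorer",
        r"C:\WINDOWS\explorer.exe": r"C:\WINDOWS\explorer.exe:*:Enabled:Explorer",
    },
}

if __name__ == "__main__":
    for f in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"{f['what']}\n    {f['key']}\n    {f['name']} = {f['data']}")
```

The AppInit_DLLs and Run-key matches are the two worth triaging first: AppInit_DLLs is rarely populated on a clean workstation, and a Run value that loads a DLL by Rundll32 with a one-letter export is the Virtumonde loader pattern the description gives.
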
Spreading via shared folders and P2P networks

The worm searches for shared folders of the following programs:

  • ICQ
  • Grokster
  • eMule
  • Morpheus
  • LimeWire
  • Tesla
  • WinMX

It tries to place a copy of itself into these folders.

Its filename is one of the following:

  • Absolute Video Converter 6.2.exe
  • Ad-aware 2009.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • Alcohol 120 v1.9.7.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Avast 4.8 Professional.exe
  • AVS video converter6.exe
  • BitDefender AntiVirus 2009 Keygen.exe
  • CheckPoint ZoneAlarm And AntiSpy.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.11.exe
  • Divx Pro 6.8.0.19 + keymaker.exe
  • Download Accelerator Plus v8.7.5.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 9 2 6 0.exe
  • G-Force Platinum v3.7.5.exe
  • Google Earth Pro 4.2. with Maps and crack.exe
  • Grand Theft Auto IV (Offline Activation).exe
  • Internet Download Manager V5.exe
  • K-Lite codec pack 3.10 full.exe
  • K-Lite codec pack 4.0 gold.exe
  • Kaspersky Internet Security 2009 keygen.exe
  • LimeWire Pro v4.18.3.exe
  • Magic Video Converter 8 0 2 18.exe
  • Microsoft Office 2007 Home and Student keygen.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Microsoft.Windows 7 Beta1 Build 7000 x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2009 Enterprise Crack.exe
  • Opera 9.62 International.exe
  • PDF password remover (works with all acrobat reader).exe
  • Perfect keylogger family edition with crack.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Smart Draw 2008 keygen.exe
  • Sony Vegas Pro 8 0b Build 219.exe
  • Sophos antivirus updater bypass.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Tuneup Ultilities 2008.exe
  • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
  • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
  • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
  • VmWare keygen.exe
  • Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • Windows2008 keygen and activator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • Youtube Music Downloader 1.0.exe

Spreading on removable media

The worm creates the following folders:

  • %drive%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\

The following files are dropped in the same folder:

  • redmond.exe (265728 B)
  • Desktop.ini

The worm creates the following file:

  • %drive%\autorun.inf

Through this file the worm ensures it is started each time the infected medium is inserted into a computer.

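A scan of a drive root for the removable-media footprint described above, added here as an example; it is not ESET's code. The autorun.inf content is constructed for the demonstration (the description does not reproduce the real file), and the scan goes slightly beyond the text by flagging any RECYCLER sub-folder whose name is not a user account SID, since the folder name quoted above does not have the S-1-5-21 form of a real one.

```python
"""Removable-media footprint check for Win32/Merond.L.  Added example, not
ESET's code.  The autorun.inf text below is constructed for the demonstration."""
import configparser
import os
import re
import tempfile

# Folder name from the description.  Per-user recycle-bin folders are named
# after real account SIDs, which for local and domain users have the form
# S-1-5-21-<three sub-authorities>-<RID>; this name does not fit that form.
MEROND_SID_FOLDER = "S-1-6-21-2434476521-1645641927-702000330-1542"
DROPPED = ("redmond.exe", "Desktop.ini")
USER_SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")

# Constructed sample of an autorun.inf that launches the dropped copy.
AUTORUN_SAMPLE = (
    "[autorun]\n"
    f"open=RECYCLER\\{MEROND_SID_FOLDER}\\redmond.exe\n"
    f"shell\\open\\Command=RECYCLER\\{MEROND_SID_FOLDER}\\redmond.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)


def parse_autorun(path):
    """Return launch directives from an autorun.inf as {option: target}.
    Raises configparser.Error when the file is not valid INI; malware often
    pads autorun.inf with junk lines to defeat naive parsers, so the caller
    treats an unparseable file as suspicious rather than as harmless."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="latin-1") as fh:
        cp.read_file(fh)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for opt, val in cp.items(section):  # option names are lower-cased
            if opt in ("open", "shellexecute") or (opt.startswith("shell") and opt.endswith("command")):
                targets[opt] = val.strip()
    return targets


def scan_drive_root(root, recycler_name="RECYCLER"):
    """Return a list of (finding, detail) pairs for one drive root."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        try:
            targets = parse_autorun(autorun)
        except configparser.Error:
            targets = None  # unparseable: reported, not ignored
        findings.append(("autorun.inf present", targets))
        for target in (targets or {}).values():
            if recycler_name.lower() in target.lower():
                findings.append((f"autorun target under {recycler_name}", target))
    recycler = os.path.join(root, recycler_name)
    if os.path.isdir(recycler):
        for sub in sorted(os.listdir(recycler)):
            subpath = os.path.join(recycler, sub)
            if not os.path.isdir(subpath):
                continue
            if not USER_SID_RE.match(sub):
                findings.append((f"{recycler_name} sub-folder not named after a user SID", sub))
            if sub == MEROND_SID_FOLDER:
                present = [f for f in DROPPED if os.path.isfile(os.path.join(subpath, f))]
                findings.append(("Merond.L drop folder", present))
    return findings


def build_sample_drive(root):
    """Lay out a constructed infected-drive image; placeholder files only."""
    drop = os.path.join(root, "RECYCLER", MEROND_SID_FOLDER)
    os.makedirs(drop)
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write(AUTORUN_SAMPLE)
    for name in DROPPED:
        with open(os.path.join(drop, name), "wb") as fh:
            fh.write(b"placeholder, not the real dropped file\n")
    # A legitimate-looking per-user folder that must not be flagged.
    os.makedirs(os.path.join(root, "RECYCLER", "S-1-5-21-1111111111-2222222222-3333333333-1001"))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive_root(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, "->", detail)
```

On a real system the function is pointed at the drive root (for example E:\); it reports the autorun.inf launch target, the drop folder, and which of the two dropped files are still present, which is enough to decide whether the medium needs cleaning.
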
Spreading via e-mail

The worm gathers e-mail addresses for further spreading by searching the Windows Address Book (WAB).

Subject of the message is one of the following:

  • Job offer from Coca Cola!
  • Thank you for your application
  • You have got a new E-Card from your friend!
  • You have received A Hallmark E-Card!

The message body is obtained from the following web sites:

  • http://hallmark.com
  • http://www.americangreetings.com
  • http://www.us.huxleyengineering.com/en/SubmitCV/Home
  • http://www.thecoca-colacompany.com/careers

The attachment is a ZIP archive containing the .

Its filename is one of the following:

  • copy of your CV.zip
  • e-card.zip
  • job-application-form.zip
  • postcard.zip

Addresses containing the following strings are avoided:

  • .gov
  • .mil
  • abuse
  • accoun
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • admin
  • ahnlab
  • alcatel-lucent.com
  • anyone
  • apache
  • arin.
  • avira
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • bugs
  • buyrar.com
  • certific
  • cisco
  • clamav
  • contact
  • debian
  • drweb
  • eset.com
  • example
  • feste
  • fido
  • firefox
  • f-secure
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gold-certs
  • gov.
  • help
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • idenfense
  • ietf
  • ikarus
  • info
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • listserv
  • math
  • mcafee
  • messagelabs
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntvi
  • page
  • panda
  • pgp
  • postmaster
  • prevx
  • privacy
  • qualys
  • quebecor.com
  • rating
  • redhat
  • rfc-ed
  • root
  • ruslis
  • samples
  • security
  • sendmail
  • service
  • site
  • slashdot
  • soft
  • somebody
  • someone
  • sopho
  • sourceforge
  • spam
  • spm
  • submit
  • sun.com
  • support
  • suse
  • syman
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • virusbuster
  • webmaster
  • wireshark
  • www.ca.com
  • www.secur
  • you
  • your

Other information

The worm blocks access to any domain whose name contains one of the following strings:

  • aladdin.com
  • authentium.com
  • avast.com
  • avg.com
  • avp.com
  • bitdefender.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • eset.com
  • ewido.com
  • free-av.com
  • f-secure.com
  • global.ahnlab.com
  • grisoft.com
  • hispasec.com
  • ikarus-software.at
  • kaspersky.com
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • pandasecurity.com
  • quickheal.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • us.mcafee.com
  • virus-buster.com
  • viruslist.com
  • virustotal.com

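A check of the hosts file for overrides of the security-vendor domains listed above, added here as an example; it is not ESET's code. The description says the worm blocks access to these domains but not by which mechanism; redirecting them in the hosts file is one common way and is the only case this check covers (a filter driver, a Winsock LSP or proxy settings are other possibilities the check does not see). The sample hosts content is constructed.

```python
"""Hosts-file check for the Win32/Merond.L security-vendor block list.
Added example, not ESET's code; the hosts-file mechanism is an assumption."""
import os

# Strings from the description; the worm matches them as substrings, so a
# short one like "ca.com" also covers unrelated names that happen to contain it.
BLOCKED_STRINGS = (
    "aladdin.com", "authentium.com", "avast.com", "avg.com", "avp.com",
    "bitdefender.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "eset.com", "ewido.com", "free-av.com", "f-secure.com",
    "global.ahnlab.com", "grisoft.com", "hispasec.com", "ikarus-software.at",
    "kaspersky.com", "kaspersky-labs.com", "liveupdate.symantec.com",
    "liveupdate.symantecliveupdate.com", "mast.mcafee.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "pandasecurity.com",
    "quickheal.com", "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "us.mcafee.com", "virus-buster.com", "viruslist.com",
    "virustotal.com",
)
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (line number, address, hostname) for each mapping in a hosts file,
    ignoring blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries.append((lineno, parts[0], name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Return every hosts mapping whose name contains a listed string.  Any
    static mapping of a vendor domain is an override worth reviewing; a
    loopback or null address shows the intent was to block, not redirect."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        hits = [s for s in BLOCKED_STRINGS if s in name]
        if not hits:
            continue
        findings.append({"line": lineno, "ip": ip, "host": name,
                         "matched": max(hits, key=len),  # most specific string
                         "sinkholed": ip in SINKHOLE_ADDRESSES})
    return findings


def check_hosts_file(path=None):
    """Read the live hosts file (Windows path by default) and check it."""
    if path is None:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    with open(path, encoding="latin-1") as fh:
        return suspicious_hosts_entries(fh.read())


# Constructed sample, not captured from an infected host.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.kaspersky.com
127.0.0.1  liveupdate.symantecliveupdate.com  # appended by the worm
0.0.0.0    eset.com
192.0.2.10 update.example-vendor.test   # unrelated override, not on the list
"""

if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} (matched {f['matched']}, sinkholed={f['sinkholed']})")
```

The check reports every mapping of a listed domain, not only the loopback ones, because a redirect to an attacker-controlled address would also keep a product from updating; the `sinkholed` flag just separates plain blocking from redirection.
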
The following services are disabled:

  • antivirscheduler
  • antivirservice
  • APVXDWIN
  • aswupdsv
  • avast!
  • avast! Antivirus
  • AVG8_TRAY
  • avg8wd
  • AVP
  • BDAgent
  • bdss
  • CaCCProvSP
  • CAVRID
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • cctray
  • DrWebScheduler
  • egui
  • Ehttpsrv
  • ekrn
  • Emproxy
  • FPAVServer
  • F-PROT Antivirus Tray application
  • GWMSRV
  • ISTray
  • K7EmlPxy
  • K7RTScan
  • K7SystemTray
  • K7TSMngr
  • K7TSStart
  • LIVESRV
  • liveupdate
  • LiveUpdate Notice Service
  • McAfee HackerWatch Service
  • McENUI
  • mcmisupdmgr
  • mcmscsvc
  • MCNASVC
  • mcODS
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • MPFSERVICE
  • MPS9
  • msk80service
  • MskAgentexe
  • navapsvc
  • OfficeScanNT Monitor
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RavTask
  • RSCCenter
  • RSRavMon
  • Savadminservice
  • SAVScan
  • Savservice
  • SBAMTray
  • SCANINICIO
  • Sophos Autoupdate Service
  • Spam Blocker for Outlook Express
  • SpamBlocker
  • SpIDerMail
  • Symantec Core LC
  • ThreatFire
  • TPSRV
  • VSSERV
  • XCOMM

The following programs are terminated:

  • AlMon.exe
  • ALSvc.exe
  • APvxdwin.exe
  • ashdisp.exe
  • avcenter.exe
  • avciman.exe
  • AVENGINE.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avgwdsvc.exe
  • avp.exe
  • bdagent.exe
  • bdss.exe
  • CCenter.exe
  • drweb32w.exe
  • drwebupw.exe
  • egui.exe
  • ekrn.exe
  • emproxy.exe
  • FPAVServer.exe
  • FprotTray.exe
  • FPWin.exe
  • guardgui.exe
  • HWAPI.exe
  • iface.exe
  • isafe.exe
  • K7EmlPxy.exe
  • K7RTScan.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • K7TSMngr.exe
  • livesrv.exe
  • mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcods.exe
  • mcpromgr.exe
  • McProxy.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • mps.exe
  • mskagent.exe
  • msksrver.exe
  • NTRtScan.exe
  • Pavbckpt.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PAVSRV51.exe
  • pccnt.exe
  • PSCtrlS.exe
  • PShost.exe
  • PsIMSVC.exe
  • psksvc.exe
  • Rav.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • RedirSvc.exe
  • SavAdminService.exe
  • SavMain.exe
  • SavService.exe
  • sbamtray.exe
  • sbamui.exe
  • spidergui.exe
  • SrvLoad.exe
  • TmListen.exe
  • TPSRV.exe
  • vetmsg.exe
  • vsserv.exe
  • Webproxy.exe
  • xcommsvr.exe

The worm contains a list of 16 URLs.

It tries to download several files from these addresses.

These are stored in the following locations:

  • c:\%variable%
  • c:\jseb.exe
  • c:\belsng.exe
  • c:\wenaagxu.exe
  • c:\cpknj.exe
  • c:\vgwsgax.exe
  • c:\axvhql.exe
  • c:\oweg.exe

A string with variable content is used instead of %variable%.

The files are then executed.
