Win32/MewsSpy [Threat Name]

Win32/MewsSpy.B [Threat Variant Name]

Category virus
Size 290336 B
Detection created Nov 19, 2013
Detection database version 9067
Aliases PSW.Agent.BDYH.trojan (AVG)
  Win32:Malware-gen (Avast)
Short description

Win32/MewsSpy.B is a file infector.


Installation

When executed, the virus copies itself into the following location:

  • %appdata%\Microsoft\%variable1%\%variable2%

The %variable1% is one of the following strings:

  • SysWOW_x86_64
  • SysWOW_amd64
  • Sys32
  • XMMC
  • SView
  • SysWOW_32
  • Posix

The %variable2% is one of the following strings:

  • csrssys.exe
  • taskhostsys.exe
  • wlogon32.exe
  • dwmsys.exe
  • sidebar2.exe
  • lsassys.exe
  • SearchIndexerDB.exe
  • wininit32.exe

The %appdata%\Microsoft\%variable1%\%variable2% folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.


The virus creates the following files:

  • %appdata%\Microsoft\%variable1%\%variable2%\%variable3%.%variable4%

The %variable3% is one of the following strings:

  • ffx
  • msys
  • mdata
  • lust
  • icxml
  • ntw32
  • aeinv
  • apds
  • nthserv
  • teln32
  • openssh
  • srv_x86
  • nt32
  • winnt32
  • cygwin32

The %variable4% is one of the following strings:

  • dat
  • dll
  • exe
  • ocx
  • bin
  • dmp
  • sys
  • img

The virus then overwrites the file contents with random data.


The virus may create the following folders:

  • %appdata%\Microsoft\%variable1%\%variable3%\

The virus may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable5%" = "%appdata%\%variable1%\%variable2%"
  • [HKEY_CURRENT_USER\Software\Classes\%variable5%]
    • "(Default)" = "application"
    • "Content-Type" = "application/x-msdownload"
  • [HKEY_CURRENT_USER\Software\Classes\%variable5%\DefaultIcon]
    • "(Default)" = "%1"
  • [HKEY_CURRENT_USER\Software\Classes\%variable5%\shell\open\command]
    • "(Default)" = "%appdata%\%variable1%\%variable2%" /START "%1" %*
    • "IsolatedCommand" = "%1" %*
  • [HKEY_CURRENT_USER\Software\Classes\%variable3%\shell\runas\command]
    • "(Default)" = "%1" %*
    • "IsolatedCommand" = "%1" %*
  • [HKEY_CURRENT_USER\Software\Classes\.exe]
    • "(Default)" = "%variable5%"
    • "Content-Type" = "application/x-msdownload"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
    • "(Default)" = "%1"
  • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
    • "(Default)" = "%appdata%\%variable1%\%variable2%" /START "%1" %*
    • "IsolatedCommand" = "%1" %*
  • [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
    • "(Default)" = "%1" %*
    • "IsolatedCommand" = "%1" %*

This causes the virus to be executed on every system start.


The %variable5% is one of the following strings:

  • wexplorer
  • jitc
  • haldriver
  • systemui
  • prochost
  • halnt
  • cmos
  • ntdriver
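The Run-key entry and the per-user .exe association hijack listed above can be checked for with a short script. This is an added example, not ESET's detection logic: the registry is modelled as a dict of key path to values so it runs offline, and the constructed snapshot uses the Sys32, csrssys.exe and wexplorer names taken from the lists above.

```python
"""Heuristic check for the Run-key persistence and per-user .exe association
hijack described above. Added example, not ESET's detection logic. The registry
is modelled as {key path: {value name: data}} so it runs offline; on a live host
the same rules can be fed from the output of `reg export HKCU`."""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
# %variable2% file names listed on the page
DROPPER_NAMES = {"csrssys.exe", "taskhostsys.exe", "wlogon32.exe", "dwmsys.exe",
                 "sidebar2.exe", "lsassys.exe", "searchindexerdb.exe", "wininit32.exe"}

def find_persistence(reg):
    """Return [(finding, key, data)] for entries matching the described pattern."""
    findings = []
    # 1. Run-key values that start a binary from %appdata% or use a known dropper name
    for name, data in reg.get(RUN_KEY, {}).items():
        exe = data.strip('"').lower()
        if exe.startswith("%appdata%") or exe.rsplit("\\", 1)[-1] in DROPPER_NAMES:
            findings.append(("autostart from user profile", RUN_KEY + "\\" + name, data))
    # 2. HKCU\Software\Classes\.exe normally does not exist; the machine-wide
    #    ProgID for .exe is "exefile". Anything else here overrides it per user.
    progid = reg.get(CLASSES + r"\.exe", {}).get("(Default)")
    if progid and progid.lower() != "exefile":
        findings.append((".exe ProgID redirected", CLASSES + r"\.exe", progid))
    # 3. A legitimate open verb is exactly "%1" %*. The page shows it wrapped as
    #    "<dropper>" /START "%1" %*, so flag any open command not starting with %1.
    for key, values in reg.items():
        if key.startswith(CLASSES) and key.lower().endswith(r"\shell\open\command"):
            cmd = values.get("(Default)", "").lstrip()
            if cmd and not cmd.startswith(('"%1"', "%1")):
                findings.append(("open verb wrapped by another binary", key, cmd))
    return findings

# Constructed snapshot using Sys32 / csrssys.exe / wexplorer from the page's lists
SAMPLE_REG = {
    RUN_KEY: {"wexplorer": r"%appdata%\Sys32\csrssys.exe"},
    CLASSES + r"\.exe": {"(Default)": "wexplorer",
                         "Content-Type": "application/x-msdownload"},
    CLASSES + r"\.exe\shell\open\command": {
        "(Default)": r'"%appdata%\Sys32\csrssys.exe" /START "%1" %*',
        "IsolatedCommand": '"%1" %*'},
    CLASSES + r"\wexplorer\shell\open\command": {
        "(Default)": r'"%appdata%\Sys32\csrssys.exe" /START "%1" %*',
        "IsolatedCommand": '"%1" %*'},
}

if __name__ == "__main__":
    for finding, key, data in find_persistence(SAMPLE_REG):
        print(f"{finding}: {key} -> {data}")
```

The untouched "IsolatedCommand" = "%1" %* next to a rewritten "(Default)" is itself a useful tell: on a clean exefile ProgID the two values agree.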

Executable file infection

Win32/MewsSpy.B is a file infector.


The virus infects files stored on removable and network drives.


The virus searches for files with the following file extensions:

  • .exe

The virus infects the files by inserting its code at the beginning of the original file.


The size of the inserted code is 290336 B.


When the infected file is executed, the original file is written to a temporary file.


The original file is then executed.


The name of the temporary file is:

  • %currentfolder%\%originalfilename%_%variable%.exe

A string with variable content is used instead of %variable%.
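Because the infector prepends a fixed-size stub, a clean copy of the host can be recovered by looking for a second complete PE header exactly one stub size into the file. This is an added example, not ESET's or the malware's code: STUB_SIZE is the 290336 B given above, the PE images are constructed stand-ins, and the 512-byte stub used in the demo is an assumption so the check can be exercised on small data.

```python
"""Locate and carve the host program out of a file infected by a prepending
infector with a fixed-size stub, as described above for Win32/MewsSpy.B
(stub size 290336 B). Added example, not ESET's or the malware's code; the
sample bytes are constructed and the size is a parameter so the check is testable."""
import struct

STUB_SIZE = 290336  # size of the inserted code given on the page

def looks_like_pe(data, offset):
    """True if data[offset:] starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew, = struct.unpack_from("<I", data, offset + 0x3C)
    pe = offset + e_lfanew
    return data[pe:pe + 4] == b"PE\0\0"

def find_prepended_host(data, stub_size=STUB_SIZE):
    """Return the offset of the embedded original PE, or None if the file is clean.
    A clean PE has one valid header at offset 0; an infected one also has a
    second, complete PE exactly stub_size bytes in."""
    if not looks_like_pe(data, 0):
        return None
    if len(data) > stub_size and looks_like_pe(data, stub_size):
        return stub_size
    return None

def carve_host(data, stub_size=STUB_SIZE):
    """Return the original program bytes, or None when no prepended stub is found.
    This mirrors what the infected file does at run time when it writes the
    host to %currentfolder%\\%originalfilename%_%variable%.exe before running it."""
    off = find_prepended_host(data, stub_size)
    return None if off is None else data[off:]

def make_minimal_pe(marker):
    """Constructed stand-in for a PE file: DOS header with e_lfanew=0x40, the PE
    signature, then a marker so the two images can be told apart."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + marker

if __name__ == "__main__":
    host = make_minimal_pe(b"host-program")
    stub = make_minimal_pe(b"stub").ljust(512, b"\0")   # 512-byte stub for the demo
    print(find_prepended_host(stub + host, stub_size=512))  # 512
    print(carve_host(stub + host, stub_size=512) == host)   # True
```

The check only fires when a full PE header sits at exactly the stub offset, so a clean executable with a data overlay is not flagged; it also only handles prependers, not appending or cavity infectors.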

Information stealing

Win32/MewsSpy.B is a virus that steals sensitive information.


The virus collects the following information:

  • computer name
  • MAC address
  • user name
  • CPU information
  • memory status
  • application startup time
  • the list of installed software
  • list of running processes

The virus attempts to send gathered information to a remote machine.

Other information

The virus quits immediately if it is run within a debugger.


The virus quits immediately if it detects certain security applications running.


The virus interferes with the operation of some security applications to avoid detection.


The virus acquires data and commands from a remote computer or the Internet.


The virus contains a URL address. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • steal information from the Windows clipboard
  • send files to a remote computer
  • capture webcam video/voice
  • capture screenshots
  • perform DoS/DDoS attacks
  • log keystrokes
  • send gathered information

The virus may create the following files:

  • %temp%\%variable%.wc.jpg
  • %temp%\%variable%.sc.jpg
  • %temp%\%variable%.wav
  • %temp%\%variable%.sc.jpg.cr
  • %temp%\%variable%.wc.jpg.cr
  • %temp%\%variable%.wav.cr

A string with variable content is used instead of %variable%.
