Win32/Mefir [Threat Name]

Win32/Mefir.A [Threat Variant Name]

Category: virus
Size: 61440 B
Aliases: Trojan-Downloader.Win32.Agent.nyj (Kaspersky)
         Worm:Win32/Rimcoss.A (Microsoft)
         MULDROP.Trojan (Dr.Web)
Short description

Win32/Mefir.A is a file infector. The file is run-time compressed using UPX.

Executable file infection

The virus searches local drives for files with the following file extensions:

  • .exe

The virus infects the files by inserting its code at the beginning of the original program. The size of the inserted code is 61440 B.

When an infected file is executed, the virus drops the original program into a temporary file and runs it.

Spreading

The virus may create copies of itself in the folder:

  • %drive%\Recycled

The following filename is used:

  • cleardisk.pif

The following file is dropped into the %drive%\ folder:

  • AutoRun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information

The virus attempts to delete the following files:

  • %system%\notepod.exe
  • %system%\rsvp.exe
  • %system%\sytem.dll
  • %system%\config\tin.exe
  • %system%\disk.ico

The virus may replace these files with a copy of itself.

The virus may set the following Registry entries:

  • [HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command]
    • "(Default)" = "%windir%\notepod.exe "%1""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt]
    • "Application" = "notepod.exe"

The virus loads and injects the %system%\sytem.dll library into the following processes:

  • explorer.exe

The virus creates the following folders:

  • %windir%\Web\webpf
  • %windir%\Web\webdc
  • %windir%\Web\webpt
  • %windir%\Web\webhp
  • %windir%\Web\webxs

The virus may create copies of the following files (source, destination):

  • *.pdf, %windir%\Web\webpf
  • *.doc, %windir%\Web\webdc
  • *.ppt, %windir%\Web\webpt
  • *.hwp, %windir%\Web\webhp
  • *.xls, %windir%\Web\webxs

The virus contains a list of four URLs from which it tries to download several files. The downloaded files are stored in the following locations:

  • %system%\data.exe
  • %system%\line.exe
  • %system%\qs.exe
  • %system%\config\tin.exe

The HTTP protocol is used. The downloaded files are then executed.

The virus creates the following files:

  • %temp%\rs.bat

The virus may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]
  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]

The following services are disabled:

  • RSVP
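The file, folder, Registry and service artefacts listed in this section are what an analyst would check a suspected host for. The following is an added example (not code from the ESET write-up) that matches a host inventory against all of them at once; the placeholder expansions for %windir%, %system% and %temp% and the sample inventory are constructed for illustration and should be replaced with values collected from the host under review.

```python
# Added example (not from the ESET write-up): match a host inventory against
# the file, folder, registry and service indicators this page lists for
# Win32/Mefir.A. The placeholder expansions and the sample inventory are
# constructed for illustration.
from typing import Dict, Iterable, List, Tuple

# Assumed expansion of the write-up's placeholders on a default install.
ENV = {
    "%windir%": r"C:\Windows",
    "%system%": r"C:\Windows\System32",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
}

# Files the write-up says the virus deletes/replaces, downloads, or creates.
FILE_IOCS = [
    r"%system%\notepod.exe", r"%system%\rsvp.exe", r"%system%\sytem.dll",
    r"%system%\config\tin.exe", r"%system%\disk.ico",
    r"%system%\data.exe", r"%system%\line.exe", r"%system%\qs.exe",
    r"%temp%\rs.bat",
]
# Staging folders for collected .pdf/.doc/.ppt/.hwp/.xls documents.
FOLDER_IOCS = [r"%windir%\Web\web" + s for s in ("pf", "dc", "pt", "hp", "xs")]
# (key, value name, data) triples the write-up says the virus sets.
REG_IOCS: List[Tuple[str, str, str]] = [
    (r"HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command",
     "(Default)", r'%windir%\notepod.exe "%1"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt",
     "Application", "notepod.exe"),
]
SERVICE_IOCS = ["RSVP"]


def expand(value: str) -> str:
    """Substitute placeholders and normalise case for comparison."""
    for placeholder, real in ENV.items():
        value = value.replace(placeholder, real)
    return value.lower()


def find_mefir_indicators(files: Iterable[str], folders: Iterable[str],
                          registry: Iterable[Tuple[str, str, str]],
                          disabled_services: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per category, the indicators present in the inventory."""
    files_seen = {p.lower() for p in files}
    folders_seen = {p.lower().rstrip("\\") for p in folders}
    reg_seen = {(k.lower(), n.lower(), d.lower()) for k, n, d in registry}
    svc_seen = {s.lower() for s in disabled_services}
    return {
        "files": [i for i in FILE_IOCS if expand(i) in files_seen],
        "folders": [i for i in FOLDER_IOCS if expand(i) in folders_seen],
        "registry": [f"{k}\\{n}" for k, n, d in REG_IOCS
                     if (k.lower(), n.lower(), expand(d)) in reg_seen],
        "services": [s for s in SERVICE_IOCS if s.lower() in svc_seen],
    }


# Constructed inventory: a partly infected host plus legitimate look-alikes.
SAMPLE_FILES = [
    r"C:\Windows\System32\notepad.exe",   # legitimate, must not match
    r"C:\Windows\System32\notepod.exe",   # look-alike named in the write-up
    r"C:\Windows\System32\sytem.dll",
    r"C:\Users\alice\AppData\Local\Temp\rs.bat",
]
SAMPLE_FOLDERS = [r"C:\Windows\Web\Wallpaper", r"C:\Windows\Web\webdc"]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt",
     "Application", "notepod.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log",
     "Application", "notepad.exe"),   # legitimate association, must not match
]
SAMPLE_DISABLED = ["RSVP", "Spooler"]

if __name__ == "__main__":
    hits = find_mefir_indicators(SAMPLE_FILES, SAMPLE_FOLDERS, SAMPLE_REGISTRY, SAMPLE_DISABLED)
    for category, found in hits.items():
        print(f"{category}: {found}")
```

The inventory lists are the natural output of a directory walk, a Registry export and a service query on the host; comparing expanded, lower-cased paths avoids misses caused by case differences while keeping notepad.exe and other legitimate names from matching the virus's look-alikes.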
