Win32/Mefir [Threat Name]
Win32/Mefir.A [Threat Variant Name]
Category | virus
Size | 61440 B
Aliases | Trojan-Downloader.Win32.Agent.nyj (Kaspersky), Worm:Win32/Rimcoss.A (Microsoft), MULDROP.Trojan (Dr.Web)
Short description
Win32/Mefir.A is a file infector. The file is run-time compressed using UPX.
Executable file infection
Win32/Mefir.A is a file infector.
The virus searches local drives for files with the following file extensions:
- .exe
The virus infects the files by inserting its code at the beginning of the original program. The size of the inserted code is 61440 B.
When an infected file is executed, the original program is dropped into a temporary file and run.
Spreading
The virus may create copies of itself in the folder:
- %drive%\Recycled
The following filename is used:
- cleardisk.pif
The following file is dropped into the %drive%\ folder:
- AutoRun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Other information
The virus attempts to delete the following files:
- %system%\notepod.exe
- %system%\rsvp.exe
- %system%\sytem.dll
- %system%\config\tin.exe
- %system%\disk.ico
The virus may replace these files with a copy of itself.
The virus may set the following Registry entries:
- [HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command]
- "(Default)" = "%windir%\notepod.exe "%1""
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt]
- "Application" = "notepod.exe"
The virus loads and injects the %system%\sytem.dll library into the following processes:
- explorer.exe
The virus creates the following folders:
- %windir%\Web\webpf
- %windir%\Web\webdc
- %windir%\Web\webpt
- %windir%\Web\webhp
- %windir%\Web\webxs
The virus may create copies of the following files (source, destination):
- *.pdf, %windir%\Web\webpf
- *.doc, %windir%\Web\webdc
- *.ppt, %windir%\Web\webpt
- *.hwp, %windir%\Web\webhp
- *.xls, %windir%\Web\webxs
The virus contains a list of 4 URLs and tries to download several files from these addresses.
These are stored in the following locations:
- %system%\data.exe
- %system%\line.exe
- %system%\qs.exe
- %system%\config\tin.exe
The HTTP protocol is used.
The files are then executed.
The virus creates the following files:
- %temp%\rs.bat
The virus may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]
- [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]
The following services are disabled:
- RSVP
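A read-only host triage check for the artifacts listed above, added here as an example (it is not ESET's code and not part of the original entry). It assumes the page's %system%, %windir%, %temp% and %drive% placeholders map to the usual Windows locations, and the AutoRun.inf content test assumes the file references cleardisk.pif, which the page implies but does not state.

```powershell
# Added example: report Win32/Mefir.A artifacts described in the ESET entry.
# Read-only: it only prints findings so an analyst can confirm before remediation.
$system = [Environment]::GetFolderPath('System')   # %system%
$windir = $env:windir                              # %windir%
$findings = @()

# Files the virus deletes/replaces or downloads into %system%, plus %temp%\rs.bat
$paths = @('notepod.exe','rsvp.exe','sytem.dll','config\tin.exe','disk.ico',
           'data.exe','line.exe','qs.exe') | ForEach-Object { Join-Path $system $_ }
$paths += Join-Path $env:TEMP 'rs.bat'
# Document-harvesting folders under %windir%\Web
$paths += 'webpf','webdc','webpt','webhp','webxs' | ForEach-Object { Join-Path $windir "Web\$_" }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File/folder present: $p" }
}

# Drive roots: Recycled\cleardisk.pif copy and the dropped AutoRun.inf
foreach ($d in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }) {
    $pif = Join-Path $d.Root 'Recycled\cleardisk.pif'
    $inf = Join-Path $d.Root 'AutoRun.inf'
    if (Test-Path -LiteralPath $pif) { $findings += "Dropper copy: $pif" }
    # Assumption: the AutoRun.inf launches cleardisk.pif (content not given on the page)
    if ((Test-Path -LiteralPath $inf) -and (Select-String -LiteralPath $inf -Pattern 'cleardisk\.pif' -Quiet)) {
        $findings += "AutoRun.inf referencing cleardisk.pif: $inf"
    }
}

# .txt file-association hijack through notepod.exe
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command'
if (Test-Path -LiteralPath $cmdKey) {
    $findings += "Registry: $cmdKey = $((Get-ItemProperty -LiteralPath $cmdKey).'(default)')"
}
$extKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt'
$app = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).Application
if ($app -eq 'notepod.exe') { $findings += "Registry: .txt handler set to notepod.exe" }

# Service the virus disables
$svc = Get-Service -Name RSVP -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -eq 'Disabled') { $findings += "Service RSVP is disabled" }

if ($findings.Count -eq 0) { 'No Win32/Mefir.A artifacts found.' } else { $findings }
```

Any single hit is worth confirming against the infector's 61440 B prepended code before cleaning, since a stray AutoRun.inf or a legitimately disabled RSVP service alone is not proof of infection.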