Win32/Merond [Threat Name] go to Threat

Win32/Merond.O [Threat Variant Name]

Available cleaner [Download Merond.O Cleaner ]

Category virus,worm
Size 234496 B
Aliases Trojan.Win32.Buzus.avwn (Kaspersky)
  Worm:Win32/Prolaco.gen!C (Microsoft)
  W32/Xirtem@MM.virus (McAfee)
  W32.Ackantta!gen (Symantec)
Short description

Win32/Merond.O is a worm that spreads via e-mail, P2P networks and removable media.

Installation

When executed, the worm copies itself in some of the the following locations:

  • %system%\­javacq.exe
  • %system%\­javale.exe
  • %temp%\­javacq.exe
  • %temp%\­javale.exe

The worm creates the following files:

  • %system%\­javaloadr.exe (49664 B, Win32/Adware.Virtumonde.NEK)
  • %system%\­javame1.1.exe (52224 B, Win32/Merond.U)
  • %system%\­javase1.1.exe (10240 B, Win32/Injector.JL)
  • %system%\­javaee1.1.exe (51200 B, Win32/Adware.Virtumonde)

The files are then executed.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Sun Java Updater v7" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched v3.5" = "%malwarefilepath%"
    • "Sun Java Updater v7" = "%malwarefilepath%"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Microsoft\­Windows]
    • "proc" = 1
    • "dev" = "3.3"

The worm keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer]
    • "byte1" = "%variable%"
    • "code1" = "%variable% "
    • "javastation1.1" = "%variable%"
    • "ultrasparc1.1" =  "%variable%"

A string with variable content is used instead of %variable% .


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Explorer"

The performed command creates an exception in the Windows Firewall.

Spreading via P2P networks

Win32/Merond.O is a worm that spreads via P2P networks.


The worm searches for shared folders of the following programs:

  • ICQ
  • Grokster
  • eMule
  • Morpheus
  • LimeWire
  • Tesla
  • WinMX
  • Kazaa
  • Frostwire
  • DC++

The worm copies itself there using the following names:

  • K-Lite codec pack 4.0 gold.exe
  • Youtube Music Downloader 1.0.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • VmWare keygen.exe
  • WinRAR v3.x keygen RaZoR.exe
  • BitDefender AntiVirus 2009 Keygen.exe
  • Norton Anti-Virus 2009 Enterprise Crack.exe
  • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
  • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
  • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
  • Microsoft Office 2007 Home and Student keygen.exe
  • Total Commander7 license+keygen.exe
  • LimeWire Pro v4.18.3.exe
  • Download Accelerator Plus v8.7.5.exe
  • Internet Download Manager V5.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Smart Draw 2008 keygen.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Absolute Video Converter 6.2.exe
  • Daemon Tools Pro 4.11.exe
  • Download Boost 2.0.exe
  • Avast 4.8 Professional.exe
  • Grand Theft Auto IV (Offline Activation).exe
  • Alcohol 120 v1.9.7.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Super Utilities Pro 2009 11.0.exe
  • Power ISO v4.2 + keygen axxo.exe
  • G-Force Platinum v3.7.5.exe
  • Divx Pro 6.8.0.19 + keymaker.exe
  • Perfect keylogger family edition with crack.exe
  • Google Earth Pro 4.2. with Maps and crack.exe
  • AVS video converter6.exe
  • Sophos antivirus updater bypass.exe
  • PDF password remover (works with all acrobat reader).exe
  • Microsoft.Windows 7 Beta1 Build 7000 x86.exe
  • Windows2008 keygen and activator.exe
  • Tuneup Ultilities 2008.exe
  • Kaspersky Internet Security 2009 keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • K-Lite codec pack 3.10 full.exe
  • CheckPoint ZoneAlarm And AntiSpy.exe
  • Sony Vegas Pro 8 0b Build 219.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ad-aware 2009.exe
  • Opera 9.62 International.exe
  • Magic Video Converter 8 0 2 18.exe
  • DVD Tools Nero 9 2 6 0.exe
  • Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
  • Password Cracker.exe
  • TCN ISO cable modem hacking tools.exe
  • TCN ISO SigmaX2 firmware.bin.exe
  • Red Alert 3 keygen and trainer.exe
  • Ad-aware 2008.exe
  • Opera 10 cracked.exe
  • Ultimate xxx password generator 2009.exe
  • Half life 3 preview 10 minutes gameplay video.exe
  • Winamp.Pro.v6.53.PowerPack.Portable [XMaS edition].exe
Spreading via e-mail

Win32/Merond.O is a worm that spreads via e-mail.


E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .txt
  • .htm
  • .sht
  • .php
  • .asp
  • .dbx
  • .tbb
  • .adb
  • .pl
  • .wab

Addresses containing the following strings are avoided:

  • berkeley
  • unix
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • debian
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • sun.com
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • apache
  • gimp
  • tanford.e
  • utgers.ed
  • mozilla
  • firefox
  • suse
  • redhat
  • sourceforge
  • slashdot
  • cisco
  • syman
  • panda
  • avira
  • f-secure
  • sopho
  • www.ca.com
  • ahnlab
  • prevx
  • drweb
  • bitdefender
  • clamav
  • eset.com
  • ikarus
  • mcafee
  • kaspersky
  • virusbuster
  • icrosof
  • msn.
  • borlan
  • inpris
  • lavasoft
  • jgsoft
  • ghisler.com
  • wireshark
  • acdnet.com
  • acdsystems.com
  • acd-group
  • bpsoft.com
  • buyrar.com
  • bluewin.ch
  • quebecor.com
  • alcatel-lucent.com
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • messagelabs
  • support
  • honeynet
  • honeypot
  • security
  • idefense
  • qualys
  • root
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • security
  • accoun
  • samba
  • novirusthanks
  • sysinternals
  • ssh.com
  • winamp
  • nullsoft.org
  • virus
  • math
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • your
  • you
  • me
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • page
  • spm
  • spam
  • www
  • secur
  • abuse

Subject of the message is one of the following:

  • You have got a new E-Card from your friend!
  • You have received A Hallmark E-Card!

Body of the message may be one of the following:

You have got a new E-Card from your friend! To see the complete card check the attachment. You're a Wonderful Friend Because you make me laugh... Because you're there for me even before I ask... Because you understand me even when I'm not making sense... Because I don't know what I'd ever do without you... That's why our friendship means so much to me. Hello! You have recieved a Hallmark E-Card from your friend. To see it, check the attachment. There's something special about that E-Card feeling. We invite you to make a friend's day and send one. Hope to see you soon, Your friends at Hallmark

The attachment is a ZIP archive containing the .


Its name is one of the following:

  • e-card.zip
  • postcard.zip

The sender address is one of the following:

  • e-cards@americangreetings.com
  • e-cards@hallmark.com
Spreading on removable media

Win32/Merond.O is a worm that spreads via removable media.


The worm creates the following folders:

  • %drive%\­RECYCLER\­S-1-6-21-2434476521-1645641927-702000330-1542\­

The following files are dropped in the same folder:

  • Desktop.ini (511 B)
  • redmond.exe (234496 B)

The worm creates the following file:

  • %drive%\­autorun.inf (284 B)

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The following services are disabled:

  • Avast! Antivirus updating service
  • Avast Antivirus
  • AVG8 WatchDog
  • AntiVir Service
  • AntiVir Scheduler
  • BitDefender Communicator
  • BitDefender Security Update Service
  • BitDefender Anti-Virus service
  • BitDefender Threat Scanner Dll
  • BitDefender Virus Shield
  • CaCCProvSP
  • McAfee E-mail Proxy
  • McAfee HackerWatch Service
  • McAfee Network Agent
  • McAfee Personal Firewall Service
  • McAfee Privacy Service
  • McAfee Protection Manager
  • McAfee Proxy Service
  • McAfee Real-time Scanner
  • McAfee Redirector Service
  • McAfee Scanner
  • McAfee Services
  • McAfee Anti-Spam Service
  • McAfee SystemGuards
  • mcmisupdmgr
  • ESET HTTP Server
  • ESET Service
  • PC Tools Auxiliary Service
  • sdcodeservice
  • ThreatFire
  • VIPRE Antivirus Premium
  • F-PROT Antivirus
  • Rising Process Communication Center
  • Rav Service
  • K7Computng - EMail Proxy Server
  • K7RealTime AntiVirus Services
  • K7TotalSecurity Manager
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Firewall Monitor Service
  • Norton Protection Center Service
  • LiveUpdate
  • LiveUpdate Notice Service
  • Symantec AVScan
  • Symantec Core LC
  • Symantec Event Manager
  • Symantec Network Drivers Service
  • Symantec Network Proxy
  • Symantec Password Validation
  • Symantec Settings Manager
  • Symantec SPBBCSvc
  • Sophos Anti-Virus
  • Sophos Anti-Virus status reporter
  • Sophos Autoupdate Service
  • PAVSVR
  • Panda Function Service
  • Panda Goodware Cache Manager
  • Panda Host Service
  • Panda IManager Service
  • Panda Process Protection Service
  • Panda PSK service
  • Panda Software Controller
  • Panda TPSrv
  • Windows Defender
  • Kaspersky Anti-Virus

The following programs are terminated:

  • mcvsshld.exe
  • McProxy.exe
  • mps.exe
  • mcmscsvc.exe
  • mcpromgr.exe
  • McNASvc.exe
  • mcagent.exe
  • Mcshield.exe
  • HWAPI.exe
  • RedirSvc.exe
  • emproxy.exe
  • mcsysmon.exe
  • mcods.exe
  • MpfSrv.exe
  • msksrver.exe
  • mskagent.exe
  • PShost.exe
  • TPSRV.exe
  • avciman.exe
  • APvxdwin.exe
  • Pavbckpt.exe
  • iface.exe
  • PSCtrlS.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PsIMSVC.exe
  • psksvc.exe
  • PAVSRV51.exe
  • AVENGINE.exe
  • Webproxy.exe
  • SrvLoad.exe
  • avgnt.exe
  • guardgui.exe
  • avcenter.exe
  • avguard.exe
  • avgwdsvc.exe
  • avgrsx.exe
  • avgtray.exe
  • xcommsvr.exe
  • bdss.exe
  • bdagent.exe
  • livesrv.exe
  • ekrn.exe
  • egui.exe
  • sbamtray.exe
  • sbamui.exe
  • K7TSMngr.exe
  • K7RTScan.exe
  • K7EmlPxy.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • drweb32w.exe
  • drwebupw.exe
  • spidergui.exe
  • avp.exe
  • pccnt.exe
  • NTRtScan.exe
  • TmListen.exe
  • FPWin.exe
  • FprotTray.exe
  • FPAVServer.exe
  • SavService.exe
  • SavMain.exe
  • AlMon.exe
  • SavAdminService.exe
  • ALSvc.exe
  • Rav.exe
  • RavTask.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • CCenter.exe
  • isafe.exe
  • vsserv.exe
  • vetmsg.exe
  • ashdisp.exe

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SBAMTray"
    • "sbamui"
    • "cctray"
    • "CAVRID"
    • "BDAgent"
    • "egui"
    • "avast!"
    • "AVG8_TRAY"
    • "ISTray"
    • "K7SystemTray"
    • "K7TSStart"
    • "SpIDerMail"
    • "DrWebScheduler"
    • "AVP"
    • "OfficeScanNT Monitor"
    • "SpamBlocker"
    • "Spam Blocker for Outlook Express"
    • "F-PROT Antivirus Tray application"
    • "RavTask"
    • "APVXDWIN"
    • "SCANINICIO"
    • "McENUI"
    • "MskAgentexe"

The worm removes itself from the infected computer after 4 day(s).


The worm can open the following URLs:

  • http://hallmark.com
  • http://www.americangreetings.com
  • http://www.thecoca-colacompany.com/careers
  • http://us.huxley.com/en/SubmitCV/Home

The worm searches for the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­InetStp\­PathWWWRoot]
  • [HKEY_LOCAL_MACHINE\­Software\­Apache Software Foundation\­Apache\­%versioninformation%\­ServerRoot]

When the worm finds a record matching the search criteria, it creates a new copy of itself.


The following filename is used:

  • %pathwwwroot%\­ms09-067.exe
  • %serverroot%\­ms09-067.exe

It may also make changes to the following file in the same folder:

  • index.html

The HTML file contains information about the address of a malicious executable.

Please enable Javascript to ensure correct displaying of this content and refresh this page.