Win32/Merond [Threat Name]
Win32/Merond.O [Threat Variant Name]
Available cleaner: Merond.O Cleaner
Category | virus, worm
Size | 234496 B
Aliases | Trojan.Win32.Buzus.avwn (Kaspersky); Worm:Win32/Prolaco.gen!C (Microsoft); W32/Xirtem@MM.virus (McAfee); W32.Ackantta!gen (Symantec)
Short description
Win32/Merond.O is a worm that spreads via e-mail, P2P networks and removable media.
Installation
When executed, the worm copies itself to some of the following locations:
- %system%\javacq.exe
- %system%\javale.exe
- %temp%\javacq.exe
- %temp%\javale.exe
The worm creates the following files:
- %system%\javaloadr.exe (49664 B, Win32/Adware.Virtumonde.NEK)
- %system%\javame1.1.exe (52224 B, Win32/Merond.U)
- %system%\javase1.1.exe (10240 B, Win32/Injector.JL)
- %system%\javaee1.1.exe (51200 B, Win32/Adware.Virtumonde)
The files are then executed.
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Sun Java Updater v7" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched v3.5" = "%malwarefilepath%"
- "Sun Java Updater v7" = "%malwarefilepath%"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Microsoft\Windows]
- "proc" = 1
- "dev" = "3.3"
The worm keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
- "byte1" = "%variable%"
- "code1" = "%variable%"
- "javastation1.1" = "%variable%"
- "ultrasparc1.1" = "%variable%"
A string with variable content is used instead of %variable%.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:Explorer"
This entry adds the worm's executable to the Windows Firewall exception list, so the firewall does not block its network traffic.
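The autostart, firewall-exception and marker values above are the host-side indicators a responder would check first. The following Python script is an added example, not part of this description: it parses a registry export written by reg.exe and flags exactly those values. The embedded sample export is constructed; the concrete paths under %system%, the %variable% contents and the benign neighbouring entries are assumptions. Note that the value names imitate the legitimate Java updater entry (SunJavaUpdateSched, which points to jusched.exe), so the script matches on the exact names and dropped file names rather than on the word "Java".

```python
r"""Offline triage of a Windows registry export for the Win32/Merond.O persistence entries.

On the host, dump the keys with reg.exe (it writes UTF-16LE text with a BOM), e.g.
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run hklm_run.reg /y
    reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy fw.reg /y
and run:  python merond_reg_triage.py hklm_run.reg fw.reg ...
With no arguments the constructed sample export below is analysed instead.
"""
import re
import sys
from typing import Dict, List

# "name"=data  or  @=data ; hex(...) continuation lines never match and are skipped
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str):
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])          # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)              # REG_DWORD
    return raw                               # binary blobs: kept verbatim, not needed here


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse 'Windows Registry Editor Version 5.00' text into {key path (lower-cased): {value name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()     # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or m is None:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        keys[current][name] = _decode_value(m.group(3))
    return keys


# Indicators taken from the description above (keys lower-cased to match the parser output)
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAMES = {"sun java updater v7", "sunjavaupdatesched v3.5"}
DROPPED_FILES = {"javacq.exe", "javale.exe", "javaloadr.exe",
                 "javame1.1.exe", "javase1.1.exe", "javaee1.1.exe"}
FIREWALL_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                     r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
MARKER_KEY = r"hkey_current_user\microsoft\windows"            # "proc" = 1, "dev" = "3.3"
STORAGE_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer"
STORAGE_VALUES = {"byte1", "code1", "javastation1.1", "ultrasparc1.1"}


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_merond_indicators(reg: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for key, values in reg.items():
        lowered = {name.lower(): data for name, data in values.items()}
        if key in RUN_KEYS:
            for name, data in values.items():
                if name.lower() in RUN_VALUE_NAMES or (isinstance(data, str) and _basename(data) in DROPPED_FILES):
                    findings.append(f"autostart [{key}] {name!r} = {data!r}")
        elif key == FIREWALL_LIST_KEY:
            for name, data in values.items():
                if _basename(name) in DROPPED_FILES:
                    findings.append(f"firewall exception for {name!r}: {data!r}")
        elif key == MARKER_KEY and lowered.get("proc") == 1 and lowered.get("dev") == "3.3":
            findings.append(f'infection marker [{key}] proc=1, dev="3.3"')
        elif key == STORAGE_KEY:
            for name in values:
                if name.lower() in STORAGE_VALUES:
                    findings.append(f"worm data value [{key}] {name!r}")
    return findings


# Constructed sample export: worm entries next to benign ones (ctfmon.exe, the XP Remote Assistance exception)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Updater v7"="C:\\WINDOWS\\system32\\javacq.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SunJavaUpdateSched v3.5"="C:\\WINDOWS\\system32\\javale.exe"
"Sun Java Updater v7"="C:\\WINDOWS\\system32\\javale.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\javale.exe"="C:\\WINDOWS\\system32\\javale.exe:*:Enabled:Explorer"

[HKEY_CURRENT_USER\Microsoft\Windows]
"proc"=dword:00000001
"dev"="3.3"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"javastation1.1"="8f3a1c"
"code1"="1f"
'''


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        reg: Dict[str, Dict[str, object]] = {}
        for path in argv[1:]:
            with open(path, encoding="utf-16") as fh:     # reg.exe output is UTF-16LE with a BOM
                reg.update(parse_reg_export(fh.read()))
    else:
        reg = parse_reg_export(SAMPLE_REG_EXPORT)
    findings = find_merond_indicators(reg)
    print("\n".join(findings) or "no Win32/Merond.O registry indicators found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the parser lower-cases key paths and compares value names case-insensitively, it behaves like the registry itself; the firewall check keys on the value name, which in the XP firewall list is the authorized program's full path.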
Spreading via P2P networks
Win32/Merond.O is a worm that spreads via P2P networks.
The worm searches for shared folders of the following programs:
- ICQ
- Grokster
- eMule
- Morpheus
- LimeWire
- Tesla
- WinMX
- Kazaa
- Frostwire
- DC++
The worm copies itself there using the following names:
- K-Lite codec pack 4.0 gold.exe
- Youtube Music Downloader 1.0.exe
- Windows 2008 Enterprise Server VMWare Virtual Machine.exe
- Adobe Acrobat Reader keygen.exe
- Adobe Photoshop CS4 crack.exe
- VmWare keygen.exe
- WinRAR v3.x keygen RaZoR.exe
- BitDefender AntiVirus 2009 Keygen.exe
- Norton Anti-Virus 2009 Enterprise Crack.exe
- Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
- Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
- Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
- Microsoft Office 2007 Home and Student keygen.exe
- Total Commander7 license+keygen.exe
- LimeWire Pro v4.18.3.exe
- Download Accelerator Plus v8.7.5.exe
- Internet Download Manager V5.exe
- Myspace theme collection.exe
- Nero 9 9.2.6.0 keygen.exe
- Motorola, nokia, ericsson mobil phone tools.exe
- Smart Draw 2008 keygen.exe
- Microsoft Visual Studio 2008 KeyGen.exe
- Absolute Video Converter 6.2.exe
- Daemon Tools Pro 4.11.exe
- Download Boost 2.0.exe
- Avast 4.8 Professional.exe
- Grand Theft Auto IV (Offline Activation).exe
- Alcohol 120 v1.9.7.exe
- CleanMyPC Registry Cleaner v6.02.exe
- Super Utilities Pro 2009 11.0.exe
- Power ISO v4.2 + keygen axxo.exe
- G-Force Platinum v3.7.5.exe
- Divx Pro 6.8.0.19 + keymaker.exe
- Perfect keylogger family edition with crack.exe
- Google Earth Pro 4.2. with Maps and crack.exe
- AVS video converter6.exe
- Sophos antivirus updater bypass.exe
- PDF password remover (works with all acrobat reader).exe
- Microsoft.Windows 7 Beta1 Build 7000 x86.exe
- Windows2008 keygen and activator.exe
- Tuneup Ultilities 2008.exe
- Kaspersky Internet Security 2009 keygen.exe
- Windows XP PRO Corp SP3 valid-key generator.exe
- K-Lite codec pack 3.10 full.exe
- CheckPoint ZoneAlarm And AntiSpy.exe
- Sony Vegas Pro 8 0b Build 219.exe
- AnyDVD HD v.6.3.1.8 Beta incl crack.exe
- Ad-aware 2009.exe
- Opera 9.62 International.exe
- Magic Video Converter 8 0 2 18.exe
- DVD Tools Nero 9 2 6 0.exe
- Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
- Password Cracker.exe
- TCN ISO cable modem hacking tools.exe
- TCN ISO SigmaX2 firmware.bin.exe
- Red Alert 3 keygen and trainer.exe
- Ad-aware 2008.exe
- Opera 10 cracked.exe
- Ultimate xxx password generator 2009.exe
- Half life 3 preview 10 minutes gameplay video.exe
- Winamp.Pro.v6.53.PowerPack.Portable [XMaS edition].exe
Spreading via e-mail
Win32/Merond.O is a worm that spreads via e-mail.
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- .txt
- .htm
- .sht
- .php
- .asp
- .dbx
- .tbb
- .adb
- .pl
- .wab
Addresses containing the following strings are avoided:
- berkeley
- unix
- bsd
- mit.e
- gnu
- fsf.
- ibm.com
- debian
- kernel
- linux
- fido
- usenet
- iana
- ietf
- rfc-ed
- sendmail
- arin.
- sun.com
- isi.e
- isc.o
- secur
- acketst
- pgp
- apache
- gimp
- tanford.e
- utgers.ed
- mozilla
- firefox
- suse
- redhat
- sourceforge
- slashdot
- cisco
- syman
- panda
- avira
- f-secure
- sopho
- www.ca.com
- ahnlab
- prevx
- drweb
- bitdefender
- clamav
- eset.com
- ikarus
- mcafee
- kaspersky
- virusbuster
- icrosof
- msn.
- borlan
- inpris
- lavasoft
- jgsoft
- ghisler.com
- wireshark
- acdnet.com
- acdsystems.com
- acd-group
- bpsoft.com
- buyrar.com
- bluewin.ch
- quebecor.com
- alcatel-lucent.com
- example
- mydomai
- nodomai
- ruslis
- .gov
- gov.
- .mil
- messagelabs
- support
- honeynet
- honeypot
- security
- idefense
- qualys
- root
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- security
- accoun
- samba
- novirusthanks
- sysinternals
- ssh.com
- winamp
- nullsoft.org
- virus
- math
- info
- samples
- postmaster
- webmaster
- noone
- nobody
- nothing
- anyone
- someone
- your
- you
- me
- bugs
- rating
- site
- contact
- soft
- no
- somebody
- privacy
- service
- help
- not
- submit
- feste
- ca
- gold-certs
- the.bat
- page
- spm
- spam
- www
- secur
- abuse
The subject of the message is one of the following:
- You have got a new E-Card from your friend!
- You have received A Hallmark E-Card!
The body of the message may be one of the following:
The attachment is a ZIP archive containing the worm.
Its name is one of the following:
- e-card.zip
- postcard.zip
The sender address is one of the following:
- e-cards@americangreetings.com
- e-cards@hallmark.com
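The subject lines, attachment names and sender addresses above are enough for a mail-gateway rule. The Python below is an added example, not part of this description: it scores a message against those values and opens any ZIP attachment to list executables inside it, since the description states that the archive carries the worm. The test messages it builds are constructed, with a harmless placeholder in place of the executable. The From address is forged by the worm, so the sender match is treated as corroboration and the verdict requires two independent indicators.

```python
"""Score an e-mail against the Win32/Merond.O message indicators listed above.
Usage: python merond_mail_check.py message.eml   (no argument: scores a constructed sample)"""
import email
import email.utils
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators from the description
SUBJECTS = {"You have got a new E-Card from your friend!", "You have received A Hallmark E-Card!"}
SENDERS = {"e-cards@americangreetings.com", "e-cards@hallmark.com"}
ATTACHMENT_NAMES = {"e-card.zip", "postcard.zip"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def executables_in_zip(data: bytes) -> List[str]:
    """Names of executable-looking members of a ZIP payload (empty for non-ZIP data)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def score_message(raw: bytes) -> Dict[str, object]:
    """Return the matched indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    if email.utils.parseaddr(str(msg["From"] or ""))[1].lower() in SENDERS:
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment")
        if name.endswith(".zip"):
            inner = executables_in_zip(part.get_payload(decode=True))
            if inner:
                hits.append("executable_in_zip:" + ",".join(inner))
    # Two independent indicators are required: the lure subject alone or a forged sender alone is weak
    return {"hits": hits, "verdict": "quarantine" if len(hits) >= 2 else "deliver"}


def build_sample_message(subject: str, sender: str, zip_name: str, inner_name: str) -> bytes:
    """Constructed test mail: a harmless placeholder file packed into a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"placeholder bytes for the test, not an executable")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Constructed body text for the test.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = build_sample_message("You have received A Hallmark E-Card!", "e-cards@hallmark.com",
                                   "postcard.zip", "postcard.exe")
    result = score_message(raw)
    print(result["verdict"], result["hits"])
    return 1 if result["verdict"] == "quarantine" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Opening the archive matters more than the name match: the worm can change subject lines and file names between variants, but an e-card that arrives as a ZIP wrapping an executable is the structural pattern this lure depends on.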
Spreading on removable media
Win32/Merond.O is a worm that spreads via removable media.
The worm creates the following folders:
- %drive%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\
The following files are dropped in the same folder:
- Desktop.ini (511 B)
- redmond.exe (234496 B)
The worm creates the following file:
- %drive%\autorun.inf (284 B)
The autorun.inf file ensures that the worm is started each time the infected media is inserted into a computer on which AutoRun is enabled.
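The Python below is an added example, not part of this description: it checks a drive root for the removable-media indicators above, namely an autorun.inf that launches a program, a RECYCLER subfolder whose name is not a genuine account SID (real ones have the form S-1-5-21-..., so the worm's S-1-6-21-... never occurs naturally), and executables stored inside that folder. The description gives only the size of autorun.inf, not its text, so the autorun.inf in the constructed sample drive is an assumption, as is the zero-filled placeholder that stands in for redmond.exe.

```python
"""Check a removable drive's root for the Win32/Merond.O autorun indicators described above.
Usage: python merond_usb_check.py E:\\     (no argument: builds and scans a constructed sample drive)"""
import os
import re
import sys
import tempfile
from typing import List

MEROND_RECYCLER_FOLDER = "S-1-6-21-2434476521-1645641927-702000330-1542"
MEROND_DROPPER = "redmond.exe"
MEROND_DROPPER_SIZE = 234496
# Genuine RECYCLER subfolders are named after account SIDs: identifier authority 5,
# sub-authority 21, three domain/machine sub-authorities and a RID.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
# Keys in [autorun] that make Windows run something: open=, shellexecute=, shell\...\command=
AUTORUN_LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.IGNORECASE)


def autorun_launch_targets(path: str) -> List[str]:
    """Return the commands an autorun.inf would launch."""
    targets: List[str] = []
    in_autorun = False
    with open(path, encoding="latin-1", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("["):
                in_autorun = line.lower() == "[autorun]"
                continue
            m = AUTORUN_LAUNCH_KEYS.match(line) if in_autorun else None
            if m:
                targets.append(m.group(2).strip())
    return targets


def scan_removable_root(root: str) -> List[str]:
    findings: List[str] = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        for target in autorun_launch_targets(autorun):
            if "recycler" in target.lower() or target.lower().endswith(".exe"):
                findings.append(f"autorun.inf launches {target}")
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for sub in os.listdir(recycler):
            subdir = os.path.join(recycler, sub)
            if not os.path.isdir(subdir):
                continue
            if sub.upper() == MEROND_RECYCLER_FOLDER:
                findings.append(f"RECYCLER\\{sub}: folder name matches the Win32/Merond.O sample")
            elif not ACCOUNT_SID_RE.match(sub):
                findings.append(f"RECYCLER\\{sub}: not a valid account SID")
            for name in os.listdir(subdir):
                full = os.path.join(subdir, name)
                if os.path.isfile(full) and name.lower().endswith(".exe"):
                    size = os.path.getsize(full)
                    known = name.lower() == MEROND_DROPPER and size == MEROND_DROPPER_SIZE
                    tag = " (size matches the described sample)" if known else ""
                    findings.append(f"RECYCLER\\{sub}\\{name}: executable inside recycle bin, {size} B{tag}")
    return findings


def build_sample_drive(root: str) -> None:
    """Constructed stand-in for an infected drive: layout from the description, contents are placeholders."""
    folder = os.path.join(root, "RECYCLER", MEROND_RECYCLER_FOLDER)
    os.makedirs(folder)
    with open(os.path.join(folder, MEROND_DROPPER), "wb") as fh:
        fh.write(b"\0" * MEROND_DROPPER_SIZE)           # zero-filled placeholder, not the worm
    with open(os.path.join(folder, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")  # recycle-bin CLSID
    rel = f"RECYCLER\\{MEROND_RECYCLER_FOLDER}\\{MEROND_DROPPER}"
    with open(os.path.join(root, "autorun.inf"), "w") as fh:   # assumed content; the page gives only its size
        fh.write(f"[autorun]\nopen={rel}\nshellexecute={rel}\nshell\\open\\command={rel}\n")


def run_demo() -> List[str]:
    """Build the constructed sample drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_removable_root(root)


def main(argv: List[str]) -> int:
    findings = scan_removable_root(argv[1]) if len(argv) > 1 else run_demo()
    print("\n".join(findings) or "no removable-media indicators found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The SID check is the durable part of this: the folder name and file size identify one sample, while a RECYCLER entry that is not shaped like an account SID, or any executable stored under RECYCLER on removable media, is worth a look regardless of the variant.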
Other information
The following services are disabled:
- Avast! Antivirus updating service
- Avast Antivirus
- AVG8 WatchDog
- AntiVir Service
- AntiVir Scheduler
- BitDefender Communicator
- BitDefender Security Update Service
- BitDefender Anti-Virus service
- BitDefender Threat Scanner Dll
- BitDefender Virus Shield
- CaCCProvSP
- McAfee E-mail Proxy
- McAfee HackerWatch Service
- McAfee Network Agent
- McAfee Personal Firewall Service
- McAfee Privacy Service
- McAfee Protection Manager
- McAfee Proxy Service
- McAfee Real-time Scanner
- McAfee Redirector Service
- McAfee Scanner
- McAfee Services
- McAfee Anti-Spam Service
- McAfee SystemGuards
- mcmisupdmgr
- ESET HTTP Server
- ESET Service
- PC Tools Auxiliary Service
- sdcodeservice
- ThreatFire
- VIPRE Antivirus Premium
- F-PROT Antivirus
- Rising Process Communication Center
- Rav Service
- K7Computng - EMail Proxy Server
- K7RealTime AntiVirus Services
- K7TotalSecurity Manager
- Norton AntiVirus Auto Protect Service
- Norton AntiVirus Firewall Monitor Service
- Norton Protection Center Service
- LiveUpdate
- LiveUpdate Notice Service
- Symantec AVScan
- Symantec Core LC
- Symantec Event Manager
- Symantec Network Drivers Service
- Symantec Network Proxy
- Symantec Password Validation
- Symantec Settings Manager
- Symantec SPBBCSvc
- Sophos Anti-Virus
- Sophos Anti-Virus status reporter
- Sophos Autoupdate Service
- PAVSVR
- Panda Function Service
- Panda Goodware Cache Manager
- Panda Host Service
- Panda IManager Service
- Panda Process Protection Service
- Panda PSK service
- Panda Software Controller
- Panda TPSrv
- Windows Defender
- Kaspersky Anti-Virus
The following programs are terminated:
- mcvsshld.exe
- McProxy.exe
- mps.exe
- mcmscsvc.exe
- mcpromgr.exe
- McNASvc.exe
- mcagent.exe
- Mcshield.exe
- HWAPI.exe
- RedirSvc.exe
- emproxy.exe
- mcsysmon.exe
- mcods.exe
- MpfSrv.exe
- msksrver.exe
- mskagent.exe
- PShost.exe
- TPSRV.exe
- avciman.exe
- APvxdwin.exe
- Pavbckpt.exe
- iface.exe
- PSCtrlS.exe
- PavFnSvr.exe
- PavPrSrv.exe
- PsIMSVC.exe
- psksvc.exe
- PAVSRV51.exe
- AVENGINE.exe
- Webproxy.exe
- SrvLoad.exe
- avgnt.exe
- guardgui.exe
- avcenter.exe
- avguard.exe
- avgwdsvc.exe
- avgrsx.exe
- avgtray.exe
- xcommsvr.exe
- bdss.exe
- bdagent.exe
- livesrv.exe
- ekrn.exe
- egui.exe
- sbamtray.exe
- sbamui.exe
- K7TSMngr.exe
- K7RTScan.exe
- K7EmlPxy.exe
- K7SysTry.exe
- K7TSecurity.exe
- drweb32w.exe
- drwebupw.exe
- spidergui.exe
- avp.exe
- pccnt.exe
- NTRtScan.exe
- TmListen.exe
- FPWin.exe
- FprotTray.exe
- FPAVServer.exe
- SavService.exe
- SavMain.exe
- AlMon.exe
- SavAdminService.exe
- ALSvc.exe
- Rav.exe
- RavTask.exe
- RavMon.exe
- RavmonD.exe
- RavStub.exe
- CCenter.exe
- isafe.exe
- vsserv.exe
- vetmsg.exe
- ashdisp.exe
The following Registry entries are deleted:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "SBAMTray"
- "sbamui"
- "cctray"
- "CAVRID"
- "BDAgent"
- "egui"
- "avast!"
- "AVG8_TRAY"
- "ISTray"
- "K7SystemTray"
- "K7TSStart"
- "SpIDerMail"
- "DrWebScheduler"
- "AVP"
- "OfficeScanNT Monitor"
- "SpamBlocker"
- "Spam Blocker for Outlook Express"
- "F-PROT Antivirus Tray application"
- "RavTask"
- "APVXDWIN"
- "SCANINICIO"
- "McENUI"
- "MskAgentexe"
The worm removes itself from the infected computer after 4 day(s).
The worm can open the following URLs:
- http://hallmark.com
- http://www.americangreetings.com
- http://www.thecoca-colacompany.com/careers
- http://us.huxley.com/en/SubmitCV/Home
The worm searches for the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp\PathWWWRoot]
- [HKEY_LOCAL_MACHINE\Software\Apache Software Foundation\Apache\%versioninformation%\ServerRoot]
If one of these keys is present, the worm creates a copy of itself in the directory the key points to, using the following filenames:
- %pathwwwroot%\ms09-067.exe
- %serverroot%\ms09-067.exe
It may also make changes to the following file in the same folder:
- index.html
The modified HTML file contains the address of a malicious executable.