Threat Encyclopedia

Win32/Mefir.A

Aliases: Trojan-Downloader.Win32.Agent.nyj (Kaspersky), Worm:Win32/Rimcoss.A (Microsoft), MULDROP.Trojan (Dr. Web)
Type of infiltration: Virus
Size: 61440 B
Affected platforms: Microsoft Windows
Signature database version: 2396 (20070712)

Short description

Win32/Mefir.A is a file infector. The file is run-time compressed using UPX.

Executable file infection

Win32/Mefir.A is a file infector.

The virus searches local drives for files with the following file extensions:
  • .exe
The virus infects the files by inserting its code at the beginning of the original program. The size of the inserted code is 61440 B.

When an infected file is executed, the virus body runs first; the original program is then dropped into a temporary file and run, so the host appears to work normally.
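
The prepending layout described above (a fixed-size virus body followed by the untouched host program) is what makes manual disinfection possible: the host starts at exactly 61440 bytes into the infected file. The following is an added example, not ESET's tool and not code from the virus; it splits an image at that offset, checks that a DOS/PE header follows, and only rewrites the file when the SHA-256 of the stub matches a hash the analyst supplies. The stub bytes, the host PE and the hash are constructed here for the demo; the real Mefir.A body is a UPX-packed PE and its hash is not given on this page.

```python
import hashlib
import os
import struct
import tempfile

STUB_SIZE = 61440  # size of the prepended virus body, per the description


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_prepended_infection(data: bytes, stub_size: int = STUB_SIZE):
    """Return (stub, host) if a host PE starts at stub_size, else None.

    The infected file itself also starts with MZ (the stub is a PE), so a header
    check at offset 0 proves nothing; the host header at stub_size is the tell.
    """
    if len(data) <= stub_size:
        return None
    stub, host = data[:stub_size], data[stub_size:]
    if not looks_like_pe(host):
        return None
    return stub, host


def disinfect_bytes(data: bytes, stub_sha256: str, stub_size: int = STUB_SIZE):
    """Return the host program if the stub hash matches a known value, else None.

    The hash check keeps this from truncating a large clean executable that
    happens to carry something header-like at offset stub_size.
    """
    parts = split_prepended_infection(data, stub_size)
    if parts is None:
        return None
    stub, host = parts
    if hashlib.sha256(stub).hexdigest() != stub_sha256:
        return None
    return host


def disinfect_file(path: str, stub_sha256: str, stub_size: int = STUB_SIZE) -> bool:
    """Rewrite path with its host program restored; True if the file was changed."""
    with open(path, "rb") as f:
        data = f.read()
    host = disinfect_bytes(data, stub_sha256, stub_size)
    if host is None:
        return False
    with open(path, "wb") as f:
        f.write(host)
    return True


# --- constructed sample data (not a real sample of the virus) ---------------

def build_host_pe() -> bytes:
    """Minimal constructed buffer that passes looks_like_pe: MZ, e_lfanew=0x40, PE\\0\\0."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x100


def build_sample():
    """Return (stub_sha256, infected_bytes, host_bytes) for a fake prepending infection."""
    stub = (b"MZ" + bytes(range(256)) * 240)[:STUB_SIZE]   # filler, exactly 61440 bytes
    host = build_host_pe()
    return hashlib.sha256(stub).hexdigest(), stub + host, host


def run_demo() -> bytes:
    """Write the fake infected file to a temp dir, disinfect it, return the new contents."""
    stub_hash, infected, _ = build_sample()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "infected.exe")
        with open(p, "wb") as f:
            f.write(infected)
        changed = disinfect_file(p, stub_hash)
        with open(p, "rb") as f:
            restored = f.read()
    return restored if changed else b""


if __name__ == "__main__":
    print("restored host:", len(run_demo()), "bytes")
```

Run against a real infected host only after confirming the stub hash from a known sample; an unknown hash returns False and leaves the file alone, which is the safe default.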

Spreading

The virus may create copies of itself in the folder:
  • %drive%\Recycled
The following filename is used:
  • cleardisk.pif
The following file is dropped into the root of %drive%:
  • AutoRun.inf
The AutoRun.inf entry points at that copy, so the virus is started each time the infected media is inserted into a computer on which AutoRun is enabled.
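
The AutoRun.inf lure above is easy to check for on a suspect drive. The code below is an added example (not ESET's scanner and not part of the virus): it parses the [autorun] section, flags any launch entry (open, shellexecute, shell\<verb>\command) that points at the filename named above, at anything under Recycled, or at an uncommon executable extension such as .pif, and checks a drive root for the dropped copy. The sample AutoRun.inf is constructed to match the description, not captured from a real drive.

```python
import os
import re

IOC_FILENAMES = {"cleardisk.pif"}                 # from the description above
ODD_EXEC_EXTS = {".pif", ".scr", ".com", ".bat", ".cmd"}
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command


def parse_autorun(text: str) -> dict:
    """Return {key_lower: raw_value} for the [autorun] section of an AutoRun.inf."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def command_target(value: str) -> str:
    """First token of a command line: the quoted path, or the text up to the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def find_autorun_lures(text: str) -> list:
    """Return (key, target, reasons) for each launch entry matching the described lure."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key not in EXEC_KEYS and not SHELL_CMD.fullmatch(key):
            continue
        target = command_target(value).replace("/", "\\")
        name = target.rsplit("\\", 1)[-1].lower()
        ext = os.path.splitext(name)[1]
        reasons = []
        if name in IOC_FILENAMES:
            reasons.append("known IOC filename")
        if target.lower().lstrip("\\").startswith("recycled\\"):
            reasons.append("launches from Recycled folder")
        if ext in ODD_EXEC_EXTS:
            reasons.append("uncommon executable extension " + ext)
        if reasons:
            findings.append((key, target, reasons))
    return findings


def scan_root(root: str) -> dict:
    """Check one drive root for the dropped AutoRun.inf and the Recycled\\cleardisk.pif copy."""
    result = {"autorun_findings": [], "recycled_copy": None}
    inf = os.path.join(root, "AutoRun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", encoding="utf-8", errors="replace") as f:
            result["autorun_findings"] = find_autorun_lures(f.read())
    copy = os.path.join(root, "Recycled", "cleardisk.pif")
    if os.path.isfile(copy):
        result["recycled_copy"] = copy
    return result


SAMPLE_AUTORUN = r"""[AutoRun]
; constructed sample modelled on the behaviour described above (not a real capture)
open=Recycled\cleardisk.pif
shell\open\Command=Recycled\cleardisk.pif
shell\explore\Command=Recycled\cleardisk.pif
icon=disk.ico
label=Removable Disk
"""

if __name__ == "__main__":
    for key, target, reasons in find_autorun_lures(SAMPLE_AUTORUN):
        print(f"{key}: {target} ({', '.join(reasons)})")
```

Point scan_root at each removable drive letter (or a mounted image) to triage media; a hit on both the AutoRun.inf entry and the Recycled copy is the pattern this entry describes.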

Other information

The virus attempts to delete the following files:
  • %system%\notepod.exe
  • %system%\rsvp.exe
  • %system%\sytem.dll
  • %system%\configtin.exe
  • %system%\disk.ico
The virus may replace these files with a copy of itself.

The virus may set the following Registry entries:
  • [HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command]
    "(Default)" = "%windir%\notepod.exe "%1""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt]
    "Application" = "notepod.exe"
These entries register notepod.exe (a look-alike of notepad.exe) as the handler for .txt files, so the virus is also started whenever the user opens a text file.
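
The two Registry entries above are a file-association hijack by a look-alike name, which is simple to spot in a .reg export of the affected keys. The code below is an added example (not ESET's tool and not part of the virus): it parses the REGEDIT5 export format, compares each FileExts Application value against an analyst-supplied baseline of legitimate handlers, and reports Applications\<name>\shell\open\command keys whose name is within a short edit distance of a legitimate handler. The baseline (KNOWN_HANDLERS) and the export text are constructed for the example.

```python
import re

# Analyst-supplied baseline of legitimate handlers per extension (assumption for this example)
KNOWN_HANDLERS = {".txt": {"notepad.exe", "wordpad.exe"}, ".log": {"notepad.exe"}}

FILEEXTS_KEY = re.compile(r"\\Explorer\\FileExts\\(\.[^\\]+)$", re.I)
APP_CMD_KEY = re.compile(r"\\Applications\\([^\\]+)\\shell\\open\\command$", re.I)


def _unquote(s: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)   # \" -> "  and  \\ -> \  in one pass


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT5 .reg export into {key: {value_name: data}} (string data only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unquote(name)
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike handler names such as notepod.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_handler_hijack(keys: dict) -> list:
    """Return (kind, subject, value, lookalikes) for handlers outside the baseline."""
    all_known = set().union(*KNOWN_HANDLERS.values())
    findings = []
    for key, values in keys.items():
        m = FILEEXTS_KEY.search(key)
        if m and "Application" in values:
            ext, app = m.group(1).lower(), values["Application"].lower()
            if app not in KNOWN_HANDLERS.get(ext, set()):
                lookalikes = sorted(k for k in all_known if edit_distance(app, k) <= 2)
                findings.append(("unexpected handler", ext, app, lookalikes))
        m = APP_CMD_KEY.search(key)
        if m and "(Default)" in values:
            app = m.group(1).lower()
            if app not in all_known and any(edit_distance(app, k) <= 2 for k in all_known):
                findings.append(("look-alike application", app, values["(Default)"], []))
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed export modelled on the entries described above (not a real capture)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt]
"Application"="notepod.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log]
"Application"="notepad.exe"

[HKEY_CLASSES_ROOT\Applications\notepod.exe\shell\open\command]
@="\"C:\\WINDOWS\\notepod.exe\" \"%1\""
"""

if __name__ == "__main__":
    for finding in find_handler_hijack(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Export the FileExts and Applications keys with reg.exe on the suspect host and feed the file to parse_reg_export; the .log entry in the sample shows that a handler in the baseline produces no finding.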
The virus loads and injects the %system%\sytem.dll library into the following processes:
  • explorer.exe
The virus creates the following folders:
  • %windir%\Web\webpf
  • %windir%\Web\webdc
  • %windir%\Web\webpt
  • %windir%\Web\webhp
  • %windir%\Web\webxs
The virus may create copies of the following files (source, destination):
  • *.pdf, %windir%\Web\webpf
  • *.doc, %windir%\Web\webdc
  • *.ppt, %windir%\Web\webpt
  • *.hwp, %windir%\Web\webhp
  • *.xls, %windir%\Web\webxs
The virus contains a list of 4 URLs and tries to download several files from them over HTTP. The downloaded files are stored in the following locations and then executed:
  • %system%\data.exe
  • %system%\line.exe
  • %system%\qs.exe
  • %system%\configtin.exe

The virus creates the following files:
  • %temp%\rs.bat
The virus may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]
  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{990B770D-62AE-5421-DA6D-16033B76258C}]
The following services are disabled:
  • RSVP