Threat Encyclopedia

Short description
Win32/Merond.L is a worm that installs the Win32/Adware.Virtumonde adware. It spreads via e-mail, P2P shared folders and removable media.
Installation
When executed, the worm copies itself into the following location:
  • %system%\javaclp.exe (265728 B)
The following files are dropped into the %system% folder:
  • javasec1.exe (26112 B)
  • javasec2.exe (8704 B)
  • javasec3.exe (Win32/Adware.Virtumonde, 48640 B)
  • %variable1%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable2%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable3%.dll (Win32/Adware.Virtumonde, 48640 B)
  • %variable4% (1744 B)
A string with variable content is used instead of %variable1-4%.

The worm creates and runs a new thread with its own program code within the following processes:
  • %windir%\explorer.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%random%" = "Rundll32.exe "%system%\%variable2%.dll",s"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched v10" = "%system%\javaclp.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%system%\%variable3%.dll"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "UpdatesDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start" = 4
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = 1
The first two entries suppress Security Center notifications about missing updates and disable the Windows Update service (a Start value of 4 means the service is disabled).
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%system%\javaclp.exe" = "%system%\javaclp.exe:*:Enabled:Explorer"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\explorer.exe" = "%windir%\explorer.exe:*:Enabled:Explorer"
These entries create Windows Firewall exceptions for javaclp.exe and for explorer.exe, the process into which the worm injects its thread.

It creates other registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%GUID%}\InprocServer32]
    "(Default)" = "%system%\%variable1%.dll"
    "ThreadingModel" = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%GUID%}]
These entries register the dropped adware DLL as a COM object and as an Internet Explorer Browser Helper Object.
A string with variable content is used instead of %GUID% and %random1-3%.
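As an added example (the editor's code, not ESET's), the following Python script checks a Registry export for the artifacts listed above: the two Run-key entries, the AppInit_DLLs value, the Security Center and wuauserv settings, and the Windows Firewall exceptions. It works on exported `.reg` text rather than the live Registry, so it runs on any OS. The sample export is constructed; the value name `kfjz8a1` and the DLL names stand in for the %random% and %variable1-3% placeholders, and the `VendorTray` entry is a benign entry included to show that ordinary Run values are not flagged.

```python
"""Scan a .reg export for the Win32/Merond.L Registry artifacts.
Added example, not ESET's code; the sample export below is constructed."""
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kfjz8a1"="Rundll32.exe \"C:\\Windows\\system32\\qwbnhy.dll\",s"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched v10"="C:\\Windows\\system32\\javaclp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\zqpxme.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\explorer.exe"="C:\\Windows\\explorer.exe:*:Enabled:Explorer"
"C:\\Windows\\system32\\javaclp.exe"="C:\\Windows\\system32\\javaclp.exe:*:Enabled:Explorer"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string syntax escapes only the backslash and the double quote.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; strings are unescaped,
    dword values become ints, other value types are kept as raw text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        entries[current][name] = value
    return entries


# Key paths taken from the description above (case-insensitive in Windows).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
WUAUSERV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def find_merond_indicators(entries):
    """Return (description, value_name, value) triples for matching artifacts."""
    by_lower = {k.lower(): v for k, v in entries.items()}
    values = lambda key: by_lower.get(key.lower(), {})
    findings = []
    for run_key in RUN_KEYS:
        for name, val in values(run_key).items():
            v = str(val).lower()
            if "javaclp.exe" in v:
                findings.append(("Run-key persistence for javaclp.exe", name, val))
            elif v.startswith("rundll32") and v.endswith('",s'):
                findings.append(("Run-key Rundll32 load of dropped DLL", name, val))
    appinit = values(APPINIT_KEY).get("AppInit_DLLs")
    if appinit:
        findings.append(("AppInit_DLLs injection", "AppInit_DLLs", appinit))
    if values(SECURITY_CENTER_KEY).get("UpdatesDisableNotify") == 1:
        findings.append(("Security Center update notifications disabled", "UpdatesDisableNotify", 1))
    if values(WUAUSERV_KEY).get("Start") == 4:
        findings.append(("Windows Update service disabled (Start = 4)", "Start", 4))
    for name, val in values(FIREWALL_LIST_KEY).items():
        if name.lower().endswith(("\\javaclp.exe", "\\explorer.exe")):
            findings.append(("Windows Firewall exception", name, val))
    return findings


if __name__ == "__main__":
    for desc, name, val in find_merond_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{desc}: {name} = {val!r}")
```

On a real host, export the keys with `reg export <key> <file.reg>` and read the file with `open(path, encoding="utf-16")` before passing it to `parse_reg_export`, since `reg export` writes UTF-16 by default. The explorer.exe firewall exception is flagged even though explorer.exe is a legitimate binary, because the description states the worm adds it to cover its injected thread; treat it as a lead to confirm, not as proof on its own.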
Spreading via shared folders and P2P networks
The worm searches for shared folders of the following programs:
  • ICQ
  • Grokster
  • eMule
  • Morpheus
  • LimeWire
  • Tesla
  • WinMX
It tries to place a copy of itself into the folders. Its filename is one of the following:
  • Absolute Video Converter 6.2.exe
  • Ad-aware 2009.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • Alcohol 120 v1.9.7.exe
Spreading on removable media
The worm creates the following folders:
  • %drive%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\

The following files are dropped in the same folder:
  • redmond.exe (265728 B)
  • Desktop.ini
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time the infected media is inserted into a computer on which AutoRun is enabled for removable drives.
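As an added example (the editor's code, not ESET's), the following Python script checks a removable drive's file listing for the artifacts described in this section: an autorun.inf in the drive root, and the RECYCLER\S-1-6-21-... folder holding redmond.exe (265728 B) and Desktop.ini. The file listing is constructed, and because the description does not give the contents of autorun.inf, the `[autorun]` keys in the sample are an assumption about what such a file typically contains. One caveat worth encoding: a genuine per-user Recycle Bin folder is named after an NT account SID, whose identifier authority is 5 (S-1-5-21-...); the folder name in the description uses authority 6, which no account SID has, so the SID alone is a usable tell.

```python
"""Check a removable drive listing for Win32/Merond.L removable-media artifacts.
Added example, not ESET's code; listing and autorun.inf body are constructed."""
import configparser
import ntpath  # Windows path handling that also works on non-Windows hosts
import re

MEROND_DROPPER_NAME = "redmond.exe"
MEROND_DROPPER_SIZE = 265728

# Constructed listing: path relative to the drive root -> size in bytes.
SAMPLE_LISTING = {
    r"autorun.inf": 180,
    r"RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe": 265728,
    r"RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini": 65,
    r"photos\holiday.jpg": 204800,
}

# Constructed autorun.inf body; its keys are an assumption, not from the description.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
shellexecute=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def autorun_targets(inf_text):
    """Return the programs an autorun.inf would launch: the open and
    shellexecute keys plus any shell\\<verb>\\command keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    if cp.has_section("autorun"):
        for key, val in cp.items("autorun"):
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(val.strip())
    return targets


def recycler_sid_is_suspicious(path):
    """True for RECYCLER\\S-1-<authority>-... paths whose authority is not 5,
    since real account SIDs (and thus real Recycle Bin folders) use S-1-5-21."""
    m = re.match(r"RECYCLER\\S-1-(\d+)-", path, re.IGNORECASE)
    return bool(m) and m.group(1) != "5"


def scan_removable_root(listing, autorun_inf_text=None):
    """Return (description, path) pairs for artifacts found in the listing."""
    findings = []
    if "autorun.inf" in {p.lower() for p in listing}:
        findings.append(("autorun.inf in drive root", "autorun.inf"))
        if autorun_inf_text:
            for target in autorun_targets(autorun_inf_text):
                findings.append(("autorun launches", target))
    for path, size in listing.items():
        tail = ntpath.basename(path).lower()
        if recycler_sid_is_suspicious(path):
            findings.append(("file under RECYCLER folder with non-account SID", path))
        if tail == MEROND_DROPPER_NAME and size == MEROND_DROPPER_SIZE:
            findings.append(("Merond.L dropper (redmond.exe, 265728 B)", path))
    return findings


if __name__ == "__main__":
    for desc, where in scan_removable_root(SAMPLE_LISTING, SAMPLE_AUTORUN_INF):
        print(f"{desc}: {where}")
```

To run this against a real drive, build the listing with `os.walk` over the drive root (relative paths, backslash-separated) and pass the text of its autorun.inf, if present. The size match on redmond.exe is a weak indicator by itself; the RECYCLER folder with a non-account SID together with an autorun.inf pointing into it is the combination that matters.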
Spreading via e-mail
The worm gathers e-mail addresses for further spreading by searching in the Windows Address Book (WAB).

Subject of the message is one of the following:
  • Job offer from Coca Cola!
  • Thank you for your application
  • You have got a new E-Card from your friend!
  • You have received A Hallmark E-Card!
The message body is obtained from the following web sites:
  • http://hallmark.com
  • http://www.americangreetings.com
  • http://www.us.huxleyengineering.com/en/SubmitCV/Home
  • http://www.thecoca-colacompany.com/careers
The attachment is a ZIP archive containing the worm. Its filename is one of the following:
  • copy of your CV.zip
  • e-card.zip
  • job-application-form.zip
  • postcard.zip
Addresses containing the following strings are avoided:
  • .gov
  • .mil
  • abuse
  • accoun
  • acd-group
Other information
The worm blocks access to any domains that contain any of the following strings in their name:
  • aladdin.com
  • authentium.com
  • avast.com
  • avg.com
  • avp.com
The following services are disabled:
  • antivirscheduler
  • antivirservice
  • APVXDWIN
  • aswupdsv
  • avast!
The following programs are terminated:
  • AlMon.exe
  • ALSvc.exe
  • APvxdwin.exe
  • ashdisp.exe
  • avcenter.exe
The worm contains a list of 16 URLs.

It tries to download several files from these addresses. They are stored in the following locations:
  • c:\%variable%
  • c:\jseb.exe
  • c:\belsng.exe
  • c:\wenaagxu.exe
  • c:\cpknj.exe
A string with variable content is used instead of %variable%.

The files are then executed.