W32/Merkur-A

Discussion in 'malware problems & news' started by FanJ, Nov 4, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Merkur-A
    Type: Win32 worm
    Date: 4 November 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Note: This IDE file detects W32/Merkur-A, mIRC/Merkur-A and
    Troj/Merkur-A.

    Description
    W32/Merkur-A arrives in an email with the following characteristics:

    Subject line: Update Your Anti-virus Software.
    Message text:
    Here is a patch for your AV software, it will cover all the
    latest out breaks of worms ect (worms as in virus not earth
    worms! lol)
    Attached file: AVupdate.exe.

    When executed W32/Merkur-A will create the following copies of itself:
    C:\WINDOWS\taskman.exe
    C:\AutoExec.exe
    C:\Windows\System\AVupdate.exe
    C:\Program Files\uninstall.exe
    C:\Windows\Notepad.exe
    C:\windows\screensaver.exe

    The following copies of the worm will be created if the respective folders
    already exist:
    C:\program files\kazaa\my shared folder\IPspoofer.exe
    C:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
    C:\program files\bearshare\shared\IPspoofer.exe
    C:\program files\bearshare\shared\Virtual Sex Simulator.exe
    C:\program files\eDonkey2000\incoming\IPspoofer.exe
    C:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe

    These copies of the worm enable the worm to spread over the KaZaA, Bearshare and eDonkey2000 peer-to-peer networks.

    The worm may create the following registry entry, which will point
    to the file C:\Windows\System\AVupdate.exe and will run the worm when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVupdate

    The file script.ini will be created in the folder C:\mIRC if that folder already
    exists. This mIRC script will attempt to send a copy of the worm to users who join the current channel. This script is detected by Sophos Anti-Virus as mIRC/Merkur-A.

    The file pr0n.bat will be created in the root folder. This batch file will delete all JPG, MPG, BMP and AVI files from the folders:
    C:\Program Files\KaZaA\My Shared Folder\
    C:\Program Files\bearshare\shared\
    C:\Program Files\eDonkey2000\incoming\

    This batch file is detected by Sophos Anti-Virus as Troj/Merkur-A.



    More information about W32/Merkur-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32merkura.html
     
Thread Status:
Not open for further replies.