Discussion in 'malware problems & news' started by FanJ, Nov 4, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Merkur-A
    Type: Win32 worm
    Date: 4 November 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Note: This IDE file detects W32/Merkur-A, mIRC/Merkur-A and

    W32/Merkur-A arrives in an email with the following characteristics:

    Subject line: Update Your Anti-virus Software.
    Message text:
    Here is a patch for your AV software, it will cover all the
    latest out breaks of worms ect (worms as in virus not earth
    worms! lol)
    Attached file: AVupdate.exe.

    When executed W32/Merkur-A will create the following copies of itself:
    C:\Program Files\uninstall.exe

    The following copies of the worm will be created if the respective folders
    already exist:
    C:\program files\kazaa\my shared folder\IPspoofer.exe
    C:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
    C:\program files\bearshare\shared\IPspoofer.exe
    C:\program files\bearshare\shared\Virtual Sex Simulator.exe
    C:\program files\eDonkey2000\incoming\IPspoofer.exe
    C:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe

    These copies of the worm enable the worm to spread over the KaZaA, Bearshare and eDonkey2000 peer-to-peer networks.

    The worm may create the following registry entry, which will point
    to the file C:\Windows\System\AVupdate.exe and will run the worm when Windows starts up:


    The file script.ini will be created in the folder C:\mIRC if that folder already
    exists. This mIRC script will attempt to send a copy of the worm to users who join the current channel. This script is detected by Sophos Anti-Virus as mIRC/Merkur-A.

    The file pr0n.bat will be created in the root folder. This batch file will delete all JPG, MPG, BMP and AVI files from the folders:
    C:\Program Files\KaZaA\My Shared Folder\
    C:\Program Files\bearshare\shared\
    C:\Program Files\eDonkey2000\incoming\

    This batch file is detected by Sophos Anti-Virus as Troj/Merkur-A.

    More information about W32/Merkur-A can be found at
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.