Name: W32/Merkur-A
Type: Win32 worm
Date: 4 November 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Note: This IDE file detects W32/Merkur-A, mIRC/Merkur-A and Troj/Merkur-A.

Description

W32/Merkur-A arrives in an email with the following characteristics:

Subject line: Update Your Anti-virus Software.
Message text: Here is a patch for your AV software, it will cover all the latest out breaks of worms ect (worms as in virus not earth worms! lol)
Attached file: AVupdate.exe.

When executed W32/Merkur-A will create the following copies of itself:

    C:\WINDOWS\taskman.exe
    C:\AutoExec.exe
    C:\Windows\System\AVupdate.exe
    C:\Program Files\uninstall.exe
    C:\Windows\Notepad.exe
    C:\windows\screensaver.exe

The following copies of the worm will be created if the respective folders already exist:

    C:\program files\kazaa\my shared folder\IPspoofer.exe
    C:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
    C:\program files\bearshare\shared\IPspoofer.exe
    C:\program files\bearshare\shared\Virtual Sex Simulator.exe
    C:\program files\eDonkey2000\incoming\IPspoofer.exe
    C:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe

These copies of the worm enable the worm to spread over the KaZaA, Bearshare and eDonkey2000 peer-to-peer networks.

The worm may create the following registry entry, which will point to the file C:\Windows\System\AVupdate.exe and will run the worm when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVupdate

The file script.ini will be created in the folder C:\mIRC if that folder already exists. This mIRC script will attempt to send a copy of the worm to users who join the current channel. This script is detected by Sophos Anti-Virus as mIRC/Merkur-A.

The file pr0n.bat will be created in the root folder. This batch file will delete all JPG, MPG, BMP and AVI files from the folders:

    C:\Program Files\KaZaA\My Shared Folder\
    C:\Program Files\bearshare\shared\
    C:\Program Files\eDonkey2000\incoming\

This batch file is detected by Sophos Anti-Virus as Troj/Merkur-A.

More information about W32/Merkur-A can be found at http://www.sophos.com/virusinfo/analyses/w32merkura.html
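
A triage check for the file copies described above, as an added example that is not part of the Sophos advisory or any Sophos tool. It takes the root of a mounted C: volume and reports advisory paths whose contents are identical to each other. It assumes the copies are byte-identical, so a genuine Notepad.exe on its own is not flagged; the function names are illustrative.

```python
import hashlib
import sys
from collections import defaultdict
from pathlib import Path

# Worm copy locations listed in the advisory, relative to the root of drive C:.
KNOWN_COPY_PATHS = [
    "WINDOWS/taskman.exe",
    "AutoExec.exe",
    "Windows/System/AVupdate.exe",
    "Program Files/uninstall.exe",
    "Windows/Notepad.exe",
    "windows/screensaver.exe",
] + [
    f"program files/{share}/{name}"
    for share in ("kazaa/my shared folder", "bearshare/shared", "eDonkey2000/incoming")
    for name in ("IPspoofer.exe", "Virtual Sex Simulator.exe")
]


def resolve(root, rel):
    """Find rel under root ignoring case, as Windows would; None if absent."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None


def find_identical_copies(root):
    """Group the advisory's paths by SHA-256 and return groups of two or more.

    Assumption: the copies are byte-identical. A lone file such as a genuine
    Notepad.exe is therefore not reported just for existing.
    """
    by_digest = defaultdict(list)
    for rel in KNOWN_COPY_PATHS:
        found = resolve(root, rel)
        if found is not None:
            by_digest[hashlib.sha256(found.read_bytes()).hexdigest()].append(rel)
    return [sorted(paths) for paths in by_digest.values() if len(paths) > 1]


if __name__ == "__main__":
    # Usage: python check_copies.py <root of mounted C: volume>
    for group in find_identical_copies(sys.argv[1]):
        print("identical files at advisory paths:", ", ".join(group))
```

A reported group is a lead for scanning with current anti-virus identities, not a verdict; the Run\AVupdate registry entry and C:\mIRC\script.ini still need to be checked separately.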