WORM_MEXER.E

Discussion in 'malware problems & news' started by Randy_Bell, Sep 24, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into this folder, using filenames that pertain to software, movies, or games. It gathers email addresses from the infected system by scanning certain files for email addresses it can send to. WORM_MEXER.E is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks - specifically Kazaa and Imesh - the worm creates three more registry entries.

    This worm then creates a folder, named sysnet, in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed using a combination of 70 different naming strings comprised of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details of the Virus Description for the full list of naming strings.

    This worm also searches for the following files: C:\*.DBX, C:\*.DOC, C:\*.HTM, C:\*.RTF, C:\*.SHT, C:\*.TXT, C:\*.WAB

    If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings: admi, host, kasp, micr, newv, root, supp, viru, webm

    It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details:

    Subject: EBAY Information
    Message body: EBAY Installer...
    Attachment: <files from the sysnet folder>

    Subject: VISA Information
    Message body: Security Tool...
    Attachment: <files from the sysnet folder>

    Subject: Provider Information
    Message body: New account data...
    Attachment: <files from the sysnet folder>

    Subject: Your Crack1
    Message body: Here is your crack!
    Attachment: <files from the sysnet folder>

    Subject: Internet Information
    Message body: New account data...
    Attachment: <files from the sysnet folder>

    If you would like to scan your computer for WORM_MEXER.E or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_MEXER.E is detected and cleaned by Trend Micro pattern file 2.178.00 and above.
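
Added example, not part of the original post or the vendor's description: a mail-gateway style check that flags a message only when its subject, body and attachment presence all fit one of the five patterns listed above. It assumes the trailing "..." in the listed bodies is open-ended and that any attachment counts; the function names, addresses and sample file name are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject -> message-body prefix, taken from the list in the post above.
# Assumption: the trailing "..." in the listed bodies means "text may follow".
MEXER_E_PAIRS = {
    "ebay information": "ebay installer",
    "visa information": "security tool",
    "provider information": "new account data",
    "your crack1": "here is your crack!",
    "internet information": "new account data",
}

def _text_body(msg):
    """Return the first text/plain part as a string ('' if there is none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def matches_mexer_e(raw_message: bytes) -> bool:
    """True when subject, body prefix and attachment presence all match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Collapse whitespace and case so header folding does not hide a match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    prefix = MEXER_E_PAIRS.get(subject)
    if prefix is None:
        return False
    body = _text_body(msg).strip().lower()
    has_attachment = any(True for _ in msg.iter_attachments())
    # Require the listed pairing, not just any subject with any body.
    return body.startswith(prefix) and has_attachment

def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()
```
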