W32/Merkur@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 10/28/2002
- Length: 45,056 bytes
- Minimum DAT: 4231 (10/30/2002)
- Updated DAT: 4231 (10/30/2002)
- Minimum Engine: 5.1.00
- Description Added: 10/28/2002
- Description Modified: 11/22/2002 5:41 AM (PT)
Characteristics
This Visual Basic worm attempts to propagate via email, mIRC and P2P file-sharing applications (KaZaA, BearShare and eDonkey). Products using the 4168 DATs (or below) catch the virus as 'New Worm' if they have program heuristics enabled.
Installation
The virus overwrites two system files with a copy of itself:
- C:\WINDOWS\taskman.exe
- C:\WINDOWS\notepad.exe
It also attempts to copy itself as:
- C:\AutoExec.exe
- C:\WINDOWS\screensaver.exe
- C:\WINDOWS\SYSTEM\AVupdate.exe
- C:\Program Files\uninstall.exe (not observed in testing)
Strings within the virus suggest it also attempts to hook system startup by adding the following Registry key (not observed in tests):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "AVupdate" = C:\WINDOWS\SYSTEM\AVupdate.exe
Email Propagation
The virus attempts to use the MAPI interface to mail itself to recipients listed in the Outlook contacts list. The mail is formatted as follows:
Subject: Update your Anti-virus software
Body: Here is a patch for your AV software, it will cover all the latest out breaks of worms ect (worms as in virus not earth worms! lol)
Attachment: 45,056 byte copy of the worm, filenames TASKMAN.EXE or AVUPDATE.EXE observed in testing
P2P Propagation
In order to attempt to spread over P2P file-sharing networks, the virus copies itself as follows:
- c:\program files\kazaa\my shared folder\IPspoofer.exe
- c:\program files\bearshare\shared\IPspoofer.exe
- c:\program files\eDonkey2000\incoming\IPspoofer.exe
- c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
- c:\program files\bearshare\shared\Virtual Sex Simulator.exe
- c:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe
mIRC Propagation
The virus attempts to spread via mIRC as SCREENSAVER.EXE.
It drops a SCRIPT.INI file (363 bytes) into the C:\MIRC and C:\PROGRAM FILES\MIRC directories, overwriting any existing file. This file is detected as New IRC with the 4215 DATs or greater when macro heuristics are enabled, and as W32/Merkur.ini with the indicated DATs.
File deletion payload
The virus also attempts to drop and run (and subsequently delete) a batch file (p0rn.bat) which deletes files matching the following masks from P2P shared folders:
- *.jpg
- *.mpg
- *.bmp
- *.avi
Symptoms
Presence of the files detailed above.
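The symptom check above can be automated against a mounted copy of the affected C: volume. The following is an added example, not McAfee tooling: the paths and sizes come from this description, while the function names, the verdict labels and the mounted-volume approach are assumptions. The two overwritten system files and SCRIPT.INI are reported only when their size matches, since those names also exist on clean hosts.

```python
import os
import sys
from pathlib import Path, PureWindowsPath

WORM_SIZE = 45056       # worm length stated in the description
SCRIPT_INI_SIZE = 363   # size of the dropped mIRC SCRIPT.INI
# Paths from the description, relative to the C: root
SYSTEM_FILES = [r"WINDOWS\taskman.exe", r"WINDOWS\notepad.exe"]  # exist on clean hosts
DROPPED = [r"AutoExec.exe", r"WINDOWS\screensaver.exe",
           r"WINDOWS\SYSTEM\AVupdate.exe", r"Program Files\uninstall.exe"]
P2P_DIRS = [r"program files\kazaa\my shared folder",
            r"program files\bearshare\shared",
            r"program files\eDonkey2000\incoming"]
P2P_NAMES = ["IPspoofer.exe", "Virtual Sex Simulator.exe"]
MIRC_INI = [r"MIRC\SCRIPT.INI", r"PROGRAM FILES\MIRC\SCRIPT.INI"]

def resolve_ci(root, win_rel):
    """Find win_rel under root ignoring case, as Windows would; None if absent."""
    cur = Path(root)
    for part in PureWindowsPath(win_rel).parts:
        if not cur.is_dir():
            return None
        names = [n for n in os.listdir(cur) if n.lower() == part.lower()]
        if not names:
            return None
        cur = cur / names[0]
    return cur if cur.is_file() else None

def scan(root):
    """Return sorted (path, verdict) findings for a C: volume mounted at root."""
    # Each check: (relative path, expected size, report only when the size matches)
    checks = [(p, WORM_SIZE, True) for p in SYSTEM_FILES]
    checks += [(p, WORM_SIZE, False) for p in DROPPED]
    checks += [(d + "\\" + n, WORM_SIZE, False) for d in P2P_DIRS for n in P2P_NAMES]
    checks += [(p, SCRIPT_INI_SIZE, True) for p in MIRC_INI]
    findings = []
    for rel, size, size_required in checks:
        hit = resolve_ci(root, rel)
        if hit is None:
            continue
        if hit.stat().st_size == size:
            findings.append(("C:\\" + rel, "size-match"))
        elif not size_required:
            findings.append(("C:\\" + rel, "name-only"))
    return sorted(findings)

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(f"{verdict:10} {path}")
```

A size match is a triage signal only; confirm any hit with the engine and DAT versions listed above.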
Method of Infection
The virus attempts to spread by mailing itself to recipients in the Outlook address book, via mIRC, and via P2P file sharing.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.HLLW.Merkur@mm (NAV)
- WORM_MERKUR.A (Trend)