New worm hitting users of Microsoft Windows
The Merkur worm is a Visual Basic script that spreads through file sharing networks such as KaZaA, Bearshare, and eDonkey, as well as through mIRC, an Internet Relay Chat program. It sends itself out to contacts mined from Outlook address books and targets computers running Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows Me.
The program copies itself onto the infected computer's hard drive under the following names:
C:\Autoexec.exe
C:\Windows\Screensaver.exe
C:\Windows\System\Avupdate.exe
C:\Program Files\Uninstall.exe
C:\Program Files\Kazaa\My Shared Folder\Ipspoofer.exe
C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe
C:\Program Files\Bearshare\Shared\Ipspoofer.exe
C:\Program Files\Bearshare\Shared\Virtual Sex Simulator.exe
C:\Program Files\Edonkey2000\Incoming\Ipspoofer.exe
C:\Program Files\Edonkey2000\Incoming\Virtual Sex Simulator.exe
The file sharing entries are named so as to entice other users to download the files and restart the infection process. This is a new trend in worms, using P2P networks as infection mechanisms.
Merkur also sends itself out as an attachment, using the Outlook address book to mine for new email victims. Merkur is an executable attachment that must be double-clicked to start the infection process. Just reading the email without double-clicking the attachment will not cause infection.
The email has the following characteristics:
Subject: Update your Anti-virus Software
Message: Here is a patch for your AV software, it will cover all the latest outbreaks of worms etc. (worms as in virus not earth worms! lol)
Attachment: Taskman.exe
Removal instructions
Symantec posts advice on how to remove the virus. McAfee and other antivirus products will have similar instructions on their websites.
Update the virus definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all files that are detected as W32.HLLW.Merkur@mm.
Remove the value AVupdate C:\Windows\System\AVupdate.exe from the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Restore C:\Windows\Taskman.exe and C:\Windows\Notepad.exe, if necessary.
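To confirm that the manual steps above took effect, the following added example (not from Symantec or the original article) checks a saved `dir /s /b` listing and a REGEDIT4-format export of the Run key against the file names and registry value listed above. The function names, the sample data and the choice of those two input files are assumptions of this example.

```python
import re

# Indicators exactly as listed in the article.
SHARES = (r"Kazaa\My Shared Folder", r"Bearshare\Shared", r"Edonkey2000\Incoming")
WORM_FILES = [
    r"C:\Autoexec.exe", r"C:\Windows\Screensaver.exe",
    r"C:\Windows\System\Avupdate.exe", r"C:\Program Files\Uninstall.exe",
] + [
    "C:\\Program Files\\" + share + "\\" + name
    for share in SHARES for name in ("Ipspoofer.exe", "Virtual Sex Simulator.exe")
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AVupdate"

# Constructed sample data: a machine where cleanup is only partly done.
SAMPLE_DIR = "C:\\WINDOWS\\SCREENSAVER.EXE\nC:\\Windows\\Notepad.exe\n"
SAMPLE_REG = (
    "REGEDIT4\n\n[" + RUN_KEY.upper() + "]\n"
    '"SystemTray"="SysTray.Exe"\n'
    '"AVupdate"="C:\\\\Windows\\\\System\\\\AVupdate.exe"\n'
)

def norm(path):
    """Windows paths are case-insensitive; tolerate quotes and forward slashes."""
    return path.strip().strip('"').replace("/", "\\").lower()

def leftover_files(dir_listing):
    """Return the article-listed worm paths that appear in `dir /s /b` output."""
    seen = {norm(line) for line in dir_listing.splitlines() if line.strip()}
    return [p for p in WORM_FILES if norm(p) in seen]

def run_entry(reg_export):
    """Return the data of the AVupdate value under the Run key, or None.
    .reg files escape backslashes and quotes with a backslash; undo that."""
    in_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m and m.group(1).lower() == RUN_VALUE.lower():
                return re.sub(r"\\(.)", r"\1", m.group(2))
    return None

def cleanup_complete(dir_listing, reg_export):
    """True only when no listed file and no AVupdate Run value remain."""
    return not leftover_files(dir_listing) and run_entry(reg_export) is None
```

On the constructed sample, `leftover_files` reports the remaining Screensaver.exe copy and `run_entry` returns the AVupdate path, so `cleanup_complete` is false until both are removed.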
So far the damage from this worm is estimated as low, but with multiple mechanisms for infection, the distribution is rated high.