| Detected | Jan 20 2009 22:04 GMT |
| Released | Jan 21 2009 02:10 GMT |
| Published | Mar 12 2009 15:36 GMT |
This worm spreads as an attachment to infected email messages, via file-sharing (P2P) networks and via removable media. The worm itself is a Windows PE EXE file whose size varies between 150KB and 400KB.
The worm copies its executable file to the Windows system directory:
%System%\javaupd.exe
%System%\javaqs.exe
To ensure that it is launched automatically each time the system boots, the worm adds a registry entry pointing to its executable file:
The worm also adds its executable file to the Windows firewall list of trusted applications.
The worm harvests email addresses from files with the following extensions:
txt htm shtl php asp dbx dbh wab
It also harvests addresses from the victim machine's address book.
In order to send messages the worm attempts to establish a direct connection to SMTP servers. Messages are not sent to addresses which contain any of the strings listed below:
admin icrosoft support ntivi unix bsd linux listserv certific Security accoun root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page berkeley math mit.e gnu fsf. ibm.com debian kernel fido usenet iana ietf rfc-ed sendmail arin. sun.com isi.e isc.o secur acketst pgp apache gimp tanford.e utgers.ed mozilla firefox suse redhat sourceforge slashdot avp syman panda avira f-secure sopho www.ca.com prevx drweb bitdefender clamav eset.com ikarus mcafee kaspersky virusbuster icrosof msn. borlan inpris lavasoft jgsoft ghisler.com wireshark acdnet.com acdsystems.com acd-group bpsoft.com buyrar.com bluewin.ch quebecor.com alcatel-lucent.com example mydomai nodomai ruslis .gov gov. .mil messagelabs honeynet honeypot idefense qualys spm spam www abuse .co
The messages sent look like this:

The zip archive contains a file called "ikea" which will have one of the extensions listed below:
.zip .rar .cab .txt .reg .msi .htm .html .bat .cmd .pif .scr .mov .mp3 .wav
The file also carries a second extension, .exe, after the first one, giving a double extension of the form ikea.<ext>.exe, where <ext> is one of the extensions above; the .exe is the extension Windows actually acts on.
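The attachment described above hides an executable behind a decoy extension. The following Python script is an added example and is not part of the original description or of any vendor tooling: it inspects a zip attachment's member list without extracting anything, flags members whose final extension is executable but preceded by another extension, and reports the name Explorer would display for them. The sample archive it builds (members readme.txt and ikea.txt.exe with placeholder text bodies) is constructed for the example and contains no executable code.

```python
import io
import zipfile

# Extensions the description lists as the first (decoy) extension of the
# attached "ikea" file; the real extension that follows is always .exe.
DECOY_EXTENSIONS = {
    ".zip", ".rar", ".cab", ".txt", ".reg", ".msi", ".htm", ".html",
    ".bat", ".cmd", ".pif", ".scr", ".mov", ".mp3", ".wav",
}
# Extensions Windows treats as directly executable when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def split_name(member):
    """'dir/ikea.txt.exe' -> ('ikea', ['.txt', '.exe']); directory prefix is dropped."""
    base = member.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[0], ["." + p for p in parts[1:] if p]


def displayed_name(member):
    """What Explorer shows with its default 'hide extensions for known file
    types' setting: the final extension is stripped, so the decoy extension
    looks like the real one (ikea.txt.exe is shown as ikea.txt)."""
    stem, exts = split_name(member)
    return stem + "".join(exts[:-1]) if exts else stem


def is_hidden_executable(member):
    """True for names such as ikea.txt.exe: an executable extension preceded
    by at least one other extension."""
    _, exts = split_name(member)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS


def scan_zip_attachment(data):
    """Inspect a zip attachment's member list without extracting anything.
    Returns one finding per suspicious member; an empty list means nothing
    was flagged. A malformed archive is itself reported, since a gateway
    should not pass what it cannot parse."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "verdict": "malformed_archive"}]
    for info in archive.infolist():
        if info.is_dir():
            continue
        _, exts = split_name(info.filename)
        if is_hidden_executable(info.filename):
            verdict = "hidden_executable"
        elif exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            verdict = "executable"
        else:
            continue
        findings.append({
            "member": info.filename,
            "verdict": verdict,
            "shown_as": displayed_name(info.filename),
            # Hint only: the generic double-extension trick is worth blocking
            # whether or not the decoy extension is one from this description.
            "decoy_extension_matches_merond": len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS,
        })
    return findings


def build_sample_zip():
    """Constructed test archive shaped like the described attachment.
    The member bodies are placeholder text, not executable code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign placeholder")
        zf.writestr("ikea.txt.exe", "placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

The check keys on the last extension because that is the one Windows dispatches on; the preceding extension is only there to mislead a user whose Explorer hides known extensions, which is the default setting.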
The worm copies its executable file under one of the names listed below:
to the shared folders of the following P2P clients:
grokster emule morpheus limewire tesla winmx DC++
The worm copies its executable file to the root of every removable disk (the removal instructions below list this copy as <X>:\redmond.exe), where X is the drive letter of the removable disk.
In addition to its executable file, the worm also places an autorun.inf file in the root of the disk (listed below as <X>:\autorun.inf).
This file launches the worm's executable file each time Explorer is used to open the infected disk.
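The autorun.inf mechanism described above can be triaged offline. The following Python script is an added example and is not part of the original description or of any vendor tooling: it parses an autorun.inf leniently, lists the programs the file would launch, and flags the case where a referenced executable sits beside it in the root of the disk. The sample autorun.inf text and the root-directory listing are constructed for the example using the file names given in the removal instructions below (autorun.inf, redmond.exe); the actual contents of this worm's autorun.inf are not given on this page.

```python
import re

# autorun.inf keys that name something Windows will run when the disk is
# opened or that become the default "Open" action offered by AutoPlay.
RUN_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample shaped like the layout described above; not the
# worm's real file.
SAMPLE_AUTORUN = b"""[autorun]
;constructed sample, not recovered from a real infection
open=redmond.exe
shell\\open\\Command=redmond.exe
shell\\open=Open
shell\\explore\\command=redmond.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Lenient parser for autorun.inf. Windows is forgiving about this file,
    and malicious copies commonly pad the [autorun] section with junk lines
    or NUL bytes to trip strict INI parsers, so anything that is not
    key=value inside [autorun] is ignored rather than treated as an error.
    Keys are lowercased; on a duplicate key the last value wins."""
    entries = {}
    in_autorun = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries):
    """Programs the parsed autorun.inf would execute, de-duplicated,
    in the order their keys appear."""
    programs = []
    for key, value in entries.items():
        if key in RUN_KEYS or SHELL_COMMAND.match(key):
            tokens = value.split()
            program = tokens[0].strip('"') if tokens else ""
            if program and program.lower() not in [p.lower() for p in programs]:
                programs.append(program)
    return programs


def triage_removable_root(files):
    """files: mapping of root-directory filename -> bytes content, a
    constructed stand-in for listing X:\\. Flags an autorun.inf that points
    at an executable sitting next to it in the root, the layout described
    above."""
    lowered = {name.lower(): data for name, data in files.items()}
    if "autorun.inf" not in lowered:
        return {"autorun": False, "programs": [], "present": [], "suspicious": False}
    entries = parse_autorun(lowered["autorun.inf"].decode("latin-1", errors="ignore"))
    programs = launched_programs(entries)
    # ".\redmond.exe" and "redmond.exe" both refer to the root of the disk.
    present = [p for p in programs if p.lower().lstrip(".\\") in lowered]
    return {"autorun": True, "programs": programs,
            "present": present, "suspicious": bool(present)}


if __name__ == "__main__":
    root = {"AUTORUN.INF": SAMPLE_AUTORUN, "redmond.exe": b"placeholder"}
    print(triage_removable_root(root))
```

An autorun.inf that only sets icon= or label= is not flagged, which keeps the check usable on legitimate media; the signal is an open, shellexecute or shell\verb\command entry whose target is present in the root of the same disk.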
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
%System%\javaupd.exe
%System%\javaqs.exe
<X>:\autorun.inf
<X>:\redmond.exe
X is the drive letter of the removable disk.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.