Virus:Worm/Merond.O
Date discovered:22/02/2010
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:251.904 Bytes
MD5 checksum:30798de49cea5c4a60998f60447e8576
IVDF version:7.10.04.122 - Monday, February 22, 2010

 General Method of propagation:
   • Email


Aliases:
   •  Panda: W32/Sinowal.WUH
   •  Eset: Win32/Merond.O
   •  Bitdefender: Worm.Generic.83963


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\jushed.exe
   • %SYSDIR%\sdra64.exe



The following files are created:

%SYSDIR%\lowsec\user.ds
%SYSDIR%\lowsec\local.ds
%SYSDIR%\javaz.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

%SYSDIR%\lowsec\user.ds.lll



It tries to executes the following file:

– Filename:
   • "%SYSDIR%\javaz.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched12"="%SYSDIR%\jushed.exe"



The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • AVG8_TRAY
   • AVP
   • BDAgent
   • CAVRID
   • DrWebScheduler
   • F-PROT Antivirus Tray application
   • ISTray
   • K7SystemTray
   • K7TSStart
   • McENUI
   • MskAgentexe
   • OfficeScanNT Monitor
   • RavTask
   • SBAMTray
   • SCANINICIO
   • SpIDerMail
   • Spam Blocker for Outlook Express
   • SpamBlocker
   • Windows Defender
   • avast!
   • cctray
   • egui
   • sbamui



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\jushed.exe"="%SYSDIR%\jushed.exe:*:Enabled:Explorer"



The following registry keys are added:

– [HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main]
   • "Start Page"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "stinkinsun"="04"
   • "trashjava"="22"

– [HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\
   explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
   • "{3039636B-5F3D-6C64-6675-696870667265}"=hex:F7,09,F2,0D
   • "{33373039-3132-3864-6B30-303233343434}"=hex:47,09,F2,0D



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wma\OpenWithProgids]
   New value:
   • "WMAFile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .avi\OpenWithProgids]
   New value:
   • "avifile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpe\OpenWithProgids]
   New value:
   • "mpegfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m1v\OpenWithProgids]
   New value:
   • "mpegfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aif\OpenWithProgids]
   New value:
   • "AIFFFile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rmi\OpenWithProgids]
   New value:
   • "midfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .zip\OpenWithProgids]
   New value:
   • "CompressedFolder"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wri\OpenWithProgids]
   New value:
   • "wrifile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .emf\OpenWithProgids]
   New value:
   • "emffile"=""

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   New value:
   • "ParseAutoexec"="1"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\sdra64.exe,"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is one of the following:
   • invitations@hi5.com
   • invitations@twitter.com


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Jessica would like to be your friend on hi5!
   • Your friend invited you to twitter!



Body:
– Contains HTML code.


Attachment:
The filename of the attachment is:
   • Invitation Card.zip

The attachment is an archive containing a copy of the malware itself.

 Injection –  It injects the following file into a process: javaz.exe

    Process name:
   • winlogon.exe



–  It injects the following file into a process: winlogon.exe

    Process name:
   • svchost.exe



–  It injects the following file into a process: svchost.exe

It is injected into all processes.


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://whatismyip.com/automation/n09230945.asp

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 22, 2010
Description updated by Petre Galan on Thursday, April 22, 2010

Back . . . .