W32.HLLW.Merkur@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. It also attempts to spread through the KaZaA, Bearshare and eDonkey file-sharing networks, as well as through mIRC. The email message has the following characteristics:
Subject: Update your Anti-virus Software
Attachment: Taskman.exe
The threat is written in the Microsoft Visual Basic programming language.
Also Known As: WORM_MERKUR.A [Trend], Win32.Merkur.A [CA], W32/Merkur@MM [McAfee]
Type: Worm
Infection Length: 45,056 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, Unix, Linux
Protection
Wild:
* Number of infections: 0 - 49
* Number of sites: 0 - 2
* Geographical distribution: Low
* Threat containment: Easy
* Removal: Moderate
Threat Metrics
* Wild: Low
* Damage: Low
* Distribution: High
Damage
* Payload:
o Large scale e-mailing: sends itself to all contacts in Outlook Address Book
o Modifies files: C:\Windows\Taskman.exe, C:\Windows\Notepad.exe, C:\mIRC\Script.ini, C:\Program Files\mIRC\Script.ini
Distribution
* Subject of email: Update your Anti-virus Software
* Name of attachment: Taskman.exe
* Size of attachment: 45,056 bytes
* Target of infection: Copies itself to KaZaA, Bearshare and eDonkey shared folders, attempts to send itself to other mIRC users
Technical Details
When W32.HLLW.Merkur@mm runs, it does the following:
It copies itself as the following:
* C:\Autoexec.exe
* C:\Windows\Screensaver.exe
* C:\Windows\System\Avupdate.exe
* C:\Program Files\Uninstall.exe
* C:\Program Files\Kazaa\My Shared Folder\Ipspoofer.exe
* C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe
* C:\Program Files\Bearshare\Shared\Ipspoofer.exe
* C:\Program Files\Bearshare\Shared\Virtual Sex Simulator.exe
* C:\Program Files\Edonkey2000\Incoming\Ipspoofer.exe
* C:\Program Files\Edonkey2000\Incoming\Virtual Sex Simulator.exe
NOTE: It can copy itself into the KaZaA, Bearshare, or eDonkey folders only if the folder already exists.
It also overwrites the following files with a copy of itself:
* C:\Windows\Taskman.exe
* C:\Windows\Notepad.exe
It creates a batch file named C:\Pr0n.bat, which deletes files that have the .jpg, .mpg, .bmp, or .avi extensions if the files are located in the following folders:
* C:\Program Files\Kazaa\My Shared Folder
* C:\Program Files\Bearshare\Shared
* C:\Program Files\eDonkey2000\Incoming
It adds the value
AVupdate C:\Windows\System\AVupdate.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you restart Windows.
NOTE: During tests in the Symantec Security Response antivirus lab, the worm did not successfully copy itself as C:\Windows\System\AVupdate.exe.
If the C:\mIRC or C:\Program Files\mIRC folder exists, the worm overwrites or creates the mIRC script file Script.ini. It uses this to try to send itself to other mIRC users who connect to the same channel as the infected computer. The file name of the worm that is sent through mIRC is Screensaver.exe.
It uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. The email message has the following characteristics:
Subject: Update your Anti-virus Software
Message: Here is a patch for your AV software, it will cover all the latest out breaks of worms ect (worms as in virus not earth worms! lol)
Attachment: Taskman.exe
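As an added example (not part of the Symantec write-up), the following Python script triages a host against the artifacts described above: the dropped copies and C:\Pr0n.bat, the overwritten Taskman.exe and Notepad.exe (flagged only at the 45,056-byte infection length, because the genuine files exist on every machine), and the AVupdate value under the Run key. The function names and the dictionary inputs are my own construction; the indicator values are taken from the write-up.

```python
import os

# Indicators from the write-up; 45,056 bytes is the stated "Infection Length".
WORM_SIZE = 45056
WORM_ARTIFACTS = [
    r"C:\Autoexec.exe", r"C:\Windows\Screensaver.exe", r"C:\Pr0n.bat",
    r"C:\Windows\System\Avupdate.exe", r"C:\Program Files\Uninstall.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Ipspoofer.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe",
    r"C:\Program Files\Bearshare\Shared\Ipspoofer.exe",
    r"C:\Program Files\Bearshare\Shared\Virtual Sex Simulator.exe",
    r"C:\Program Files\Edonkey2000\Incoming\Ipspoofer.exe",
    r"C:\Program Files\Edonkey2000\Incoming\Virtual Sex Simulator.exe",
]
# Legitimate binaries the worm overwrites: suspicious only at the worm's size.
OVERWRITTEN = [r"C:\Windows\Taskman.exe", r"C:\Windows\Notepad.exe"]
RUN_VALUE = "AVupdate"  # value name under HKLM\...\CurrentVersion\Run

def triage(file_sizes, run_values):
    """file_sizes: {path: size} of existing files; run_values: {name: data}."""
    sizes = {p.lower(): s for p, s in file_sizes.items()}  # Windows is case-insensitive
    findings = []
    for path in WORM_ARTIFACTS:
        if path.lower() in sizes:
            findings.append(("worm artifact", path))
    for path in OVERWRITTEN:
        if sizes.get(path.lower()) == WORM_SIZE:
            findings.append(("overwritten system file", path))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower():
            findings.append(("Run-key persistence", f"{name} = {data}"))
    return findings

def collect_from_host():
    """Gather triage() inputs from the local machine (registry on Windows only)."""
    sizes = {p: os.path.getsize(p) for p in WORM_ARTIFACTS + OVERWRITTEN
             if os.path.isfile(p)}
    run_values = {}
    if os.name == "nt":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
            for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(k, i)
                run_values[name] = data
    return sizes, run_values

if __name__ == "__main__":
    for category, detail in triage(*collect_from_host()):
        print(f"[{category}] {detail}")
```

A hit on an overwritten system file means Taskman.exe or Notepad.exe must be restored from clean media after the scan, as the removal steps below describe.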
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Removal Instructions
NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Update the virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan, and delete all files that are detected as W32.HLLW.Merkur@mm.
4. Remove the value
AVupdate C:\Windows\System\AVupdate.exe
from the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
5. Restore C:\Windows\Taskman.exe and C:\Windows\Notepad.exe, if necessary.
For details on how to do this, read the following instructions.
To update the virus definitions:
All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:
* Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
* Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
To restart the computer in Safe mode:
All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.
To scan for and delete the infected files:
1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
o Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
o Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
2. Run a full system scan.
3. If any files are detected as infected with W32.HLLW.Merkur@mm, click Delete.
To remove the value from the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value
AVupdate C:\Windows\System\AVupdate.exe
5. Exit the Registry Editor.
To restore C:\Windows\Taskman.exe and C:\Windows\Notepad.exe:
If either or both of these files were deleted by the worm, you should restore them from a clean backup or reinstall them. Read the documentation for your backup program or for Windows to find out how to do this for your operating system.