Thread: Merkur Worm

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050

    Merkur Worm

    Hello people, looks like there is a new worm in the wild, the Merkur worm. Here's a story from abc.com:

    http://abcnews.go.com/sections/scite...orm021030.html

    The Merkur worm is a Visual Basic script that spreads through file sharing networks such as KaZaA, Bearshare, and eDonkey, as well as through mIRC, an Internet Relay Chat program.

    It also sends itself out to contacts mined from Outlook address books and targets computers running Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows Me.
    Follow the link for the full story.

    Here's a report from Symantec:

    http://www.symantec.com/avcenter/ven...merkur@mm.html

    W32.HLLW.Merkur@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. It also attempts to spread through the KaZaA, Bearshare and eDonkey file-sharing networks, as well as through mIRC. The email message has the following characteristics:

    Subject: Update your Anti-virus Software
    Attachment: Taskman.exe

    The threat is written in the Microsoft Visual Basic programming language.

    Also Known As: WORM_MERKUR.A [Trend], Win32.Merkur.A [CA], W32/Merkur@MM [McAfee]
    Type: Worm
    Infection Length: 45,056 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, Unix, Linux

    Protection

    Wild:

    * Number of infections: 0 - 49
    * Number of sites: 0 - 2
    * Geographical distribution: Low
    * Threat containment: Easy
    * Removal: Moderate

    Threat Metrics

    * Wild: Low
    * Damage: Low
    * Distribution: High

    Damage

    * Payload:
    o Large scale e-mailing: sends itself to all contacts in Outlook Address Book
    o Modifies files: C:\Windows\Taskman.exe C:\Windows\Notepad.exe C:\mIRC\Script.ini C:\Program files\mIRC\Script.ini

    Distribution

    * Subject of email: Update your Anti-virus Software
    * Name of attachment: Taskman.exe
    * Size of attachment: 45,056 bytes
    * Target of infection: Copies itself to KaZaA, Bearshare and eDonkey shared folders, attempts to send itself to other mIRC users

    Technical details

    When W32.HLLW.Merkur@mm runs, it does the following:

    It copies itself as the following:

    * C:\Autoexec.exe
    * C:\Windows\Screensaver.exe
    * C:\Windows\System\Avupdate.exe
    * C:\Program Files\Uninstall.exe
    * C:\Program Files\Kazaa\My Shared Folder\Ipspoofer.exe
    * C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe
    * C:\Program Files\Bearshare\Shared\Ipspoofer.exe
    * C:\Program Files\Bearshare\Shared\Virtual Sex Simulator.exe
    * C:\Program Files\Edonkey2000\Incoming\Ipspoofer.exe
    * C:\Program Files\Edonkey2000\Incoming\Virtual Sex Simulator.exe


    NOTE: It can copy itself into the KaZaA, Bearshare, or eDonkey folders only if the folder already exists.

    It also overwrites the following files with a copy of itself:

    * C:\Windows\Taskman.exe
    * C:\Windows\Notepad.exe


    It creates a batch file named C:\Pr0n.bat, which deletes files that have the .jpg, .mpg, .bmp, or .avi extensions if the files are located in the following folders:

    * C:\Program Files\Kazaa\My Shared Folder
    * C:\Program Files\Bearshare\Shared
    * C:\Program Files\eDonkey2000\Incoming


    It adds the value

    AVupdate C:\Windows\System\AVupdate.exe

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you restart Windows.

    NOTE: During tests in the Symantec Security Response antivirus lab, the worm did not successfully copy itself as C:\Windows\System\AVupdate.exe.

    If the C:\mIRC or C:\Program Files\mIRC folder exists, the worm overwrites or creates the mIRC script file Script.ini. It uses this to try to send itself to other mIRC users who connect to the same channel as the infected computer. The file name of the worm that is sent through mIRC is Screensaver.exe.

    It uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. The email message has the following characteristics:

    Subject: Update your Anti-virus Software
    Message: Here is a patch for your AV software, it will cover all the latest out breaks of worms ect (worms as in virus not earth worms! lol)
    Attachment: Taskman.exe

    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    * Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    * If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    * Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    * Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    * Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    * Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    * Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    Removal instructions


    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Restart the computer in Safe mode.
    3. Run a full system scan, and delete all files that are detected as W32.HLLW.Merkur@mm.
    4. Remove the value

    AVupdate C:\Windows\System\AVupdate.exe

    from the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    5. Restore C:\Windows\Taskman.exe and C:\Windows\Notepad.exe, if necessary.

    For details on how to do this, read the following instructions.

    To update the virus definitions:
    All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:

    * Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
    * Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

    Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.


    To restart the computer in Safe mode:
    All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.

    To scan for and delete the infected files:

    1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
    o Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
    o Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
    2. Run a full system scan.
    3. If any files are detected as infected with W32.HLLW.Merkur@mm, click Delete.


    To remove the value from the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the value

    AVupdate C:\Windows\System\AVupdate.exe

    5. Exit the Registry Editor.


    To restore C:\Windows\Taskman.exe and C:\Windows\Notepad.exe:
    If either or both of these files were deleted by the worm, you should restore them from a clean backup or reinstall them. Read the documentation for your backup program or for Windows to find out how to do this for your operating system.
    So heads up, those of you using Kazaa and other P2P software and Outlook.
    By the sacred **** of the sacred psychedelic Tibetan yeti ....We'll smoke the Chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/
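The file paths, infection length and Run-key value in the Symantec write-up quoted above are enough to triage a host offline. The script below is an added example, not Symantec's code and not part of the original post. It assumes a host snapshot made of three things, all constructed here for illustration: the list of file paths present, their sizes, and the text of a `reg export` of the Run key. The .reg parser handles only `[key]` headers and REG_SZ values, which is all these indicators need; Taskman.exe and Notepad.exe legitimately exist, so only their size (45,056 bytes) can betray the overwrite.

```python
"""Offline triage of a Windows host snapshot against the W32.HLLW.Merkur@mm
indicators quoted above (added example; not Symantec's code). Inputs are a list
of file paths present on the host, their sizes, and the text of a `reg export`
of the Run key; every sample value below is constructed."""
import re

# Files the write-up says the worm drops (ordered so findings are deterministic).
DROPPED_FILES = (
    r"C:\Autoexec.exe",
    r"C:\Windows\Screensaver.exe",
    r"C:\Windows\System\Avupdate.exe",
    r"C:\Program Files\Uninstall.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Ipspoofer.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe",
    r"C:\Program Files\Bearshare\Shared\Ipspoofer.exe",
    r"C:\Program Files\Bearshare\Shared\Virtual Sex Simulator.exe",
    r"C:\Program Files\Edonkey2000\Incoming\Ipspoofer.exe",
    r"C:\Program Files\Edonkey2000\Incoming\Virtual Sex Simulator.exe",
    r"C:\Pr0n.bat",
)
# Legitimate files the worm overwrites with itself; only their size betrays it.
OVERWRITTEN_FILES = (r"C:\Windows\Taskman.exe", r"C:\Windows\Notepad.exe")
INFECTION_LENGTH = 45056  # bytes, from the write-up
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "AVupdate"
RUN_VALUE_DATA = r"C:\Windows\System\AVupdate.exe"

# One "name"="string" line of a .reg export (REG_SZ only; backslashes and quotes escaped).
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg export escaping: \\" becomes " and \\\\ becomes a single backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the [key] headers and REG_SZ
    values in a .reg export. Other value types (dword:, hex:) are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage(existing_files, reg_export_text, file_sizes=None):
    """Return (indicator_type, evidence) pairs. Paths compare case-insensitively,
    as Windows file systems and the registry do."""
    findings = []
    present = {p.lower(): p for p in existing_files}
    for ioc in DROPPED_FILES:
        if ioc.lower() in present:
            findings.append(("dropped_file", present[ioc.lower()]))
    sizes = {p.lower(): s for p, s in (file_sizes or {}).items()}
    for ioc in OVERWRITTEN_FILES:
        if sizes.get(ioc.lower()) == INFECTION_LENGTH:
            findings.append(("overwritten_file", ioc))
    for key, values in parse_reg_export(reg_export_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME.lower() or data.lower() == RUN_VALUE_DATA.lower():
                findings.append(("run_key_persistence", f"{name} = {data}"))
    return findings


# Constructed snapshot of an infected host (not real data).
SAMPLE_FILES = [
    r"C:\Windows\Notepad.exe",
    r"C:\Windows\Taskman.exe",
    r"C:\Windows\Screensaver.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\ipspoofer.exe",
    r"C:\Program Files\mIRC\mirc.exe",
]
SAMPLE_SIZES = {r"C:\Windows\Notepad.exe": 45056, r"C:\Windows\Taskman.exe": 32768}
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"AVupdate"="C:\\Windows\\System\\AVupdate.exe"
'''

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_SIZES):
        print(f"{kind:22} {evidence}")
```

Running it against the constructed snapshot reports the dropped Screensaver.exe and the Kazaa share copy, the 45,056-byte Notepad.exe, and the AVupdate Run value; Taskman.exe is not reported because its size does not match, which is exactly the "if necessary" in step 5 of the removal instructions.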

  3. #3
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    The main reason for not using Outlook! A hint for those who do: put a dummy address in your address book, like aaaaaaaaaa@aa.com. Make it the first address in the book so that you will receive an error whenever mails are sent to your whole address book. If you didn't ask to send the mail you will know that there's something going on.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    The main reason for not using Outlook! A hint for those who do: put a dummy address in your address book, like aaaaaaaaaa@aa.com. Make it the first address in the book so that you will receive an error whenever mails are sent to your whole address book. If you didn't ask to send the mail you will know that there's something going on.
    Some really good advice from VictorKaum
    By the sacred **** of the sacred psychedelic Tibetan yeti ....We'll smoke the Chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  7. #7
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    Yeah that's a v. good idea VictorKaum.

    /me goes and adds email addy aaaaaaaaaa@aa.com to address book

    Cheers

    r3b00+

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    As a sysadmin I use another nice little trick to help detect the undetectable new virii etc. Since so many of these virii nowadays carry their own SMTP engine they do not try to use the SMTP server in house; they will mail directly through open relays out in the world. I set my firewall to only allow outbound SMTP from my internal mailserver and to send an immediate message to my workstation if it detects outbound SMTP attempts. If your mailserver is at an ISP, tell the firewall to only allow outbound SMTP to its IP address and warn if attempts are made to any other. That way you know immediately you have an infected machine and which one it is.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
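The egress rule in the post above can also be replayed over firewall logs, which is how you would confirm the alert and name the machine. The script below is an added example, not the poster's own firewall configuration. It assumes iptables-style LOG lines (constructed here), a LAN of 192.168.1.0/24 and an in-house mail server at 192.168.1.25, all assumed values; the `allowed_relays` parameter covers the "mailserver at an ISP" variant, and ports 465 and 587 are included alongside 25 as an assumption the post does not make.

```python
"""Detect outbound SMTP from anything but the mail server, the firewall trick
described above, by replaying firewall log lines. Added example, not the
poster's actual configuration; the iptables-style LOG lines are constructed."""
import ipaddress
import re
from collections import Counter

# Fields we need from an iptables LOG line; other fields are ignored.
LINE_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

# The post talks about TCP/25; submission ports are included here as an assumption.
SMTP_PORTS = {25, 465, 587}


def parse_line(line):
    """Return {src, dst, proto, dpt} or None if the line is not a firewall record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def smtp_violations(lines, internal_net, mail_servers, allowed_relays=None):
    """Return (src, dst, dport) for each outbound SMTP attempt the policy forbids.

    internal_net:   CIDR of the LAN whose egress is being watched.
    mail_servers:   internal hosts allowed to speak SMTP to anyone (in-house case).
    allowed_relays: if given, any internal host may speak SMTP only to these
                    addresses (the 'mail server at an ISP' case)."""
    net = ipaddress.ip_network(internal_net)
    mail = {ipaddress.ip_address(a) for a in mail_servers}
    relays = {ipaddress.ip_address(a) for a in (allowed_relays or ())}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in SMTP_PORTS:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in net or dst in net:
            continue  # not LAN-to-Internet traffic (clients talking to the local server are fine)
        if src in mail or dst in relays:
            continue  # permitted by policy
        hits.append((str(src), str(dst), rec["dpt"]))
    return hits


def offending_hosts(hits):
    """Collapse violations to the internal hosts responsible, busiest first,
    which is the 'which machine is infected' answer the post wants."""
    return Counter(src for src, _, _ in hits).most_common()


SAMPLE_LOG = [  # constructed; 192.168.1.25 is the in-house mail server
    "Oct 30 09:12:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=1120 DPT=25 SYN",
    "Oct 30 09:12:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 LEN=60 TTL=127 PROTO=TCP SPT=1031 DPT=25 SYN",
    "Oct 30 09:12:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.9 LEN=60 TTL=127 PROTO=TCP SPT=1032 DPT=25 SYN",
    "Oct 30 09:12:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 LEN=60 TTL=127 PROTO=TCP SPT=1033 DPT=80 SYN",
    "Oct 30 09:12:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 LEN=48 TTL=127 PROTO=UDP SPT=1034 DPT=25",
    "Oct 30 09:12:07 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=192.168.1.25 LEN=60 TTL=127 PROTO=TCP SPT=1035 DPT=25 SYN",
]

if __name__ == "__main__":
    hits = smtp_violations(SAMPLE_LOG, "192.168.1.0/24", ["192.168.1.25"])
    for src, dst, port in hits:
        print(f"ALERT outbound SMTP {src} -> {dst}:{port}")
    print("suspect hosts:", offending_hosts(hits))
```

On the constructed log the in-house policy flags only 192.168.1.77, twice, while the mail server's own delivery, the HTTP connection, the UDP noise and the client-to-local-server SMTP all pass; swapping to the ISP variant with the relay at 198.51.100.5 flags the same host once and, correctly, the internal mail server that is now bypassing the ISP.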
