Home / malware W32.Mewsei
First posted on 16 April 2015.
Source: SymantecAliases :
There are no other names known for W32.Mewsei.
Explanation :
The virus infects .exe files on removable and remote drives. Infected files are detected as W32.Mewsei!inf.
Once executed, the virus creates the following files:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].sys%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].dat%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].ocx
The virus copies itself to the following location:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
It may then create multiple randomly named folders under the following path:
%UserProfile%\Application Data
Next, the virus creates the following registry entries:
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS]\shell\open\command\[DEFAULT] = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"[RANDOM CHARACTERS]" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe"
The virus creates the following registry subkey:
HKEY_CURRENT_USER\Software\Classes\[RANDOM CHARACTERS]
The virus may modify the following registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
The virus may perform the following actions on the compromised computer:
Collect system information such as operating system version, CPU and RAM information, and local time informationList running processes and driversCapture webcam imagesCapture screenshotsRestart the computerEnable remote desktop
The virus then sends the stolen information to one or more of the following remote locations:
78.46.36.35:33533178.62.233.140:5000072.167.201.238:1108046.32.233.54:5353562.75.179.223:11111z3mm6cupmtw5b2xx.onionLast update 16 April 2015
