W32.Meteit!inf
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for W32.Meteit!inf.
Explanation:
When the threat executes, it may create the following file:
%Temp%\tmp[RANDOM NUMBERS].tmp
The worm may then create the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLastError\CurVer\[RANDOM NUMBERS]\"[RANDOM NUMBERS]"
HKEY_CURRENT_USER\Software\Intel\[RANDOM CHARACTERS]\"[RANDOM CHARACTERS]"
The threat may then infect DLLs with malicious code that opens a back door on the compromised computer. The infected DLLs may be found in the following locations:
%UserProfile%\Application Data\Roaming\Microsoft\[RANDOM FILE NAME]
%CommonProgramFiles%\Services\[RANDOM FILE NAME]
%UserProfile%\Application Data\Roaming\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
%CommonProgramFiles%\microsoft shared\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
%UserProfile%\Application Data\Roaming\Microsoft\[RANDOM FILE NAME]
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
Next, the threat may connect to the following remote locations:
malev1ch.com/rtl/sign.php
lev1tan.com/rtl/sign.php
malev1ch.com/rtl/cef.php
lev1tan.com/rtl/cef.php
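
The temporary-file name and the remote locations listed above can be combined into a simple triage check. The following is an added example, not part of the original write-up: the log formats, host names (ws-014 etc.), severity labels and the reading of [RANDOM NUMBERS] as decimal digits are assumptions, and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
C2_HOSTS = {"malev1ch.com", "lev1tan.com"}
C2_PATHS = {"/rtl/sign.php", "/rtl/cef.php"}
# %Temp%\tmp[RANDOM NUMBERS].tmp (assumed to be decimal digits). This name
# shape is also common for benign software, so it is a weak signal that only
# raises the severity of a network match; it never alerts on its own.
TEMP_RE = re.compile(r"\\temp\\tmp\d+\.tmp$", re.IGNORECASE)


def is_c2_url(url):
    """True only when host AND path both match a listed remote location."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host in C2_HOSTS and parts.path.lower() in C2_PATHS


def triage(proxy_lines, file_events):
    """Return {client: severity}.

    Assumed (hypothetical) formats:
      proxy line = "<client> <method> <url>"
      file event = "<client> <full path>"
    """
    weak = {e.split(None, 1)[0] for e in file_events
            if TEMP_RE.search(e.split(None, 1)[1].strip())}
    result = {}
    for line in proxy_lines:
        client, _method, url = line.split(None, 2)
        if is_c2_url(url.strip()):
            result[client] = "high" if client in weak else "medium"
    return result


# Constructed sample data, not real telemetry.
PROXY = [
    "ws-014 POST http://malev1ch.com/rtl/sign.php",
    "ws-022 GET http://lev1tan.com/rtl/cef.php?id=1",
    "ws-031 GET http://notmalev1ch.com/rtl/sign.php",              # look-alike host
    "ws-031 GET http://example.org/?u=malev1ch.com/rtl/sign.php",  # only in query
]
FILES = [
    r"ws-014 C:\Users\a\AppData\Local\Temp\tmp48213.tmp",
    r"ws-031 C:\Users\b\AppData\Local\Temp\tmp7.tmp",
]

if __name__ == "__main__":
    print(triage(PROXY, FILES))
```

Matching on the parsed host and path, rather than a substring search, keeps the look-alike host and the query-string mention from raising alerts.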
The threat may then perform the following actions:
Download and run executables
Damage the file system to render the hard disk inoperable
Reboot the computer
Delete itself

Last update 21 February 2014