Home / malwarePDF  


First posted on 29 November 2017.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Mewsei.A.

Explanation :


This threat spreads by infecting files on network and removable drives.

It does this by traversing all the drives on the infected system from A:\ to Z:\. Once an accessible location is found the virus searches for .exe files and starts the infection.

The virus makes a copy of itself in the target drive and appends its payload and an encrypted host file in a new portable executable (PE) overlay. It updates the icon and version information of the new file and renames it.


Steals your sensitive information

This threat can steal your personal information such as:

  • A list of your PCs running processes and opened windows
  • Captured webcam images
  • Information about your PC, such as its CPU, memory, video card, current time, and keyboard language
  • Saved passwords from your web browsers, including Putty, Firefox, Filezilla, Chorme, and Opera

It can also record which keys you press and upload this information to a remote server.

It can also download and upload executable files to a remote server. We have seen this threat contact the following command and control servers:
  • z3mm6cupmtw5b2xx.onion
Blocks security software

This threat can block the following programs:
  • agnitum
  • antivir
  • arcavir
  • avast
  • avg
  • avira
  • avp
  • avz
  • bitdefender
  • clamav
  • comodo
  • cureit
  • drweb
  • egui
  • ekrn
  • eset
  • firewall
  • f-prot
  • fsecure
  • f-secure
  • gdata
  • g-data
  • idaq.exe
  • idau64.exe
  • ikarus
  • iobit
  • kasper
  • kav
  • mcafee
  • msascui
  • nod32
  • norton
  • ollydbg
  • outpost
  • panda
  • quickheal
  • sophos
  • symantec
  • trendmicro
  • virusbuster

Analysis by Mihai Calota

Last update 29 November 2017