Home / malwarePDF  


First posted on 29 November 2017.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Mewsei.B.

Explanation :


This threat spreads by infecting files on network and removable drives.

It does this by traversing all the drives on the infected system from A:\ to Z:\. Once an accessible location is found the virus searches for .exe files and starts the infection.

The virus makes a copy of itself in the target drive and appends its payload and an encrypted host file in a new portable executable (PE) overlay. It updates the icon and version information of the new file and renames it.


Steals your sensitive information

This threat can steal your personal information such as:

  • A list of your PCs running processes and opened windows
  • Captured webcam images
  • Information about your PC, such as its CPU, memory, video card, current time, and keyboard language
  • Saved passwords from your web browsers, including Putty, Firefox, Filezilla, Chorme, and Opera

It can also record which keys you press and upload this information to a remote server.

This threat accesses icanhazip.com to get the current IP address of the infected machine.

It can also download and upload executable files to a remote server. We have seen this threat contact the following command and control servers:
  • z3mm6cupmtw5b2xx.onion
  • cxkefbwo7qcmlelb.onion
  • .localtunnel.me/si.php?data
  • .ddns.net/si.php?data
  • .com/si.php?data
The is generated using an algorithm. The following are examples of the domains that are generated:
  • riifadasovafk.localtunnel.me/si.php?data
  • ibulboevaqduik.localtunnel.me/si.php?data
  • moiwirixuxfuh.ddns.net/si.php?data
  • laofcuedcip.ddns.net/si.php?data
  • arawerhaibod.com/si.php?data
  • xipuporebauwlas.com/si.php?data
Blocks security software

This threat can block the following programs:
  • agnitum
  • antivir
  • arcavir
  • avast
  • avg
  • avira
  • avp
  • avz
  • bitdefender
  • clamav
  • comodo
  • cureit
  • drweb
  • egui
  • ekrn
  • eset
  • firewall
  • f-prot
  • fsecure
  • f-secure
  • gdata
  • g-data
  • idaq.exe
  • idau64.exe
  • ikarus
  • iobit
  • kasper
  • kav
  • mcafee
  • msascui
  • nod32
  • norton
  • ollydbg
  • outpost
  • panda
  • quickheal
  • sophos
  • symantec
  • trendmicro
  • virusbuster

Additional information

The following SHA was used in this analysis: 3710c36db179fcd12d9ddbc1c12a65a6217c6d5fda69feeb627eb8f373d46073

Analysis by Mihai Calota and Allan Sepillo

Last update 29 November 2017