How to Detect and Remove Email-Worm.Win32.Merond.a

One of the newest forms of malware doing the rounds is Email-Worm.Win32.Merond.a. This is an email worm that commonly arrives as an attachment to infected emails. It also spreads through removable media (such as flash drives) and file-sharing networks. The worm itself is a Windows PE EXE file that varies in size between 150KB and 400KB.

Installation:

The worm places copies of its executable file in the Windows system directory:

%System%\javaupd.exe
%System%\javaqs.exe

It then adds these files to the Windows Firewall list of trusted applications. To make sure it is launched every time the system boots, the worm also adds registry values that point to the executables above:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kaspersky Email Security" = "%System%\javaupd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Java update" = "%System%\javaqs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java update" = "%System%\javaqs.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}]
"StubPath" = "%System%\javaqs.exe"

Worm propagation through email:

Addresses are harvested from the infected computer's address book. The worm then attempts to send messages with the following text:

IKEA has a Fantastic new FREE tool for home decorating. Introducing our Home Planner software which you allows you to plan your home in a 3D environment. Simply follow the instructions in the attachment and start planning your dream home today.

Worm propagation through Peer-to-Peer networks:

The worm copies its executable file under one of the names listed below:

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Photoshop CS4 crack.exe
Adobe Acrobat Reader keygen.exe
Alcohol 120 v1.9.7.exe
All I Have, 50 Cent - 21 Question).exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
LimeWire Pro v4.18.3.exe
Internet Download Manager V5.exe
Jennifer Lopez Feat. Ll Cool J - Joannas Horde Leveling Guide TBC Woltk.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate xxx password generator 2009.exe
Sophos antivirus updater bypass.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P,
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe

The worm places these copies in the shared folders of the following P2P clients:

DC++
emule
grokster
limewire
morpheus
tesla
winmx

Worm propagation through removable media:

When removable media is inserted, the worm does two things. First, it copies its executable file to every connected drive:

<X>:\redmond.exe (where X is the drive letter of the removable disk)

Second, it writes the following file in the root of the disk:

<X>:\autorun.inf

This second file causes the executable to launch every time the disk is opened in Windows Explorer.

Email-Worm Manual Removal:

If your computer's anti-virus software hasn't been updated, or if it has no anti-virus program at all, here are the steps for eliminating the malware on your own:

1. Open the Task Manager [Ctrl+Alt+Del] and click the Processes tab. Select the javaupd.exe or javaqs.exe process and click "End Process" to stop the malware from running.

2. Delete the original worm file. Its location depends on how the worm got onto your machine (email attachment, P2P download or removable drive); check the previous sections for the file names to look for.

3. Delete the following registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kaspersky Email Security" = "%System%\javaupd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Java update" = "%System%\javaqs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java update" = "%System%\javaqs.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}]
"StubPath" = "%System%\javaqs.exe"

4. Delete these files from your system directory:

%System%\javaupd.exe
%System%\javaqs.exe

5. Delete these files from any removable storage media that was connected to your machine (X is the drive letter of the removable disk):

<X>:\autorun.inf
<X>:\redmond.exe

If you can do so, reformat your removable media.

6. Purchase or download an anti-virus program, update it, and do a full scan of your computer.
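The removal steps above are manual. As an added example (not part of the SysChat post and not a tool from any vendor named in it), the following PowerShell script checks a host for every artifact the post lists, in the same order as the removal steps: the dropped executables, the four persistence registry values, running javaupd/javaqs processes, firewall allow-rules for the dropped files, and redmond.exe/autorun.inf on removable drives. It is read-only: it reports findings and changes nothing, so you can review them before deleting anything. Assumptions: the file names, registry paths and the Active Setup CLSID are copied from the post (the CLSID is joined across the post's line wrap); Get-NetFirewallApplicationFilter needs the NetSecurity module, so the firewall check only works on Windows 8 / Server 2012 or later and is skipped on older hosts; and the final NoDriveTypeAutoRun check is a general hardening check against autorun.inf propagation that the post does not describe.

```powershell
# Added example, not from the original post: read-only triage for the Merond.a
# artifacts the post lists. Run from an elevated PowerShell prompt. Nothing is
# deleted or modified; review $findings and then follow the manual steps.

$system32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables in the system directory (%System%\javaupd.exe, %System%\javaqs.exe).
#    Record a hash before deletion so the sample can be identified later.
foreach ($name in 'javaupd.exe', 'javaqs.exe') {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("file: $path (SHA256 $hash)")
    }
}

# 2. Persistence: the Run / Policies\Explorer\Run values and the Active Setup StubPath
#    exactly as listed in the post (CLSID joined across the post's line wrap).
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Kaspersky Email Security' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Java update' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Java update' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}'; Name = 'StubPath' }
)
foreach ($c in $regChecks) {
    if (Test-Path -LiteralPath $c.Key) {
        $value = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Name)
        if ($value) { $findings.Add("registry: $($c.Key)\$($c.Name) = $value") }
    }
}

# 3. Running copies of the worm (step 1 of the manual removal: stop these first,
#    otherwise the files in step 4 cannot be deleted while they are in use).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -in 'javaupd', 'javaqs' } |
    ForEach-Object { $findings.Add("process: $($_.ProcessName) (PID $($_.Id)) - end this before deleting the files") }

# 4. Firewall allow-rules the worm adds for its executables. Needs the NetSecurity
#    module (Windows 8 / Server 2012 or later); silently skipped elsewhere.
if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match 'java(upd|qs)\.exe$' } |
        ForEach-Object { $findings.Add("firewall: a rule allows $($_.Program)") }
}

# 5. Removable drives (DriveType 2): redmond.exe and autorun.inf in the root.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($f in 'redmond.exe', 'autorun.inf') {
        $p = Join-Path $_.DeviceID $f
        if (Test-Path -LiteralPath $p) { $findings.Add("removable: $p") }
    }
}

# 6. Hardening check (not from the post): 0xFF in NoDriveTypeAutoRun disables AutoRun
#    for every drive type, which stops the autorun.inf launch the post describes.
$policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -LiteralPath $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 0xFF) {
    $findings.Add("hardening: NoDriveTypeAutoRun is '$autorun' (0xFF disables AutoRun on all drive types)")
}

if ($findings.Count -eq 0) { 'No Merond.a artifacts found.' } else { $findings }
```

Two points on the design: the script only matches on the exact names and values the post gives, so a host cleaned of those can still carry the original attachment or P2P copy under one of the long file names above (step 2 of the manual removal), and the hash it records is what you would compare against an AV vendor's description rather than the post's 150KB to 400KB size range, which is too loose to identify a sample on its own.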
Copyright © 2005-2013 SysChat.com