
Email.Worm.Win32.Merond.a


What is Email-Worm.Win32.Merond.a?

Email-Worm.Win32.Merond.a is an email worm that spreads via infected email messages. The worm is activated when the user clicks on the attachment. Email-Worm.Win32.Merond.a spreads as an attachment to infected emails and also via file-sharing networks and removable media. The worm itself is a Windows PE EXE file. The worm’s executable file can vary from 150KB to 400KB in size.


How does it affect your PC?

The worm copies its executable file to the Windows system directory. To ensure that it is launched automatically each time the system is booted, it adds a link to its executable file to the system registry.

The worm also adds its executable file to the Windows firewall list of trusted applications.

The worm harvests email addresses from files with extensions such as txt, htm, shtl, php and asp, as well as from the victim machine’s address book.

To send messages, the worm attempts to establish a direct connection to SMTP servers. Messages are not sent to addresses that contain strings such as admin, Microsoft or support.

The worm copies its executable file, under names such as K-Lite codec pack 4.0 gold.exe, YouTube Music Downloader 1.0.exe, Windows 2008 Enterprise Server, VMWare Virtual Machine.exe and Password Cracker.exe, to the shared folders of P2P clients such as grokster, emule, Morpheus and limewire, among others.

The worm copies its executable file to all removable media. In addition to its executable file, the worm also places the file shown below in the root of the disk.

This file will launch the worm's executable file each time Explorer is used to open the infected disk.


How to remove Email Worm?

  • 1. Use Task Manager to terminate the malicious program’s process.
  • 2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  • 3. Delete the following system registry parameters:

      [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Kaspersky Email Security" = "%System%\javaupd.exe"

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
      "Java update" = "%System%\javaqs.exe"

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "Java update" = "%System%\javaqs.exe"

      [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}]
      "StubPath" = "%System%\javaqs.exe"

  • 4. Delete the following files:

      %System%\javaupd.exe
      %System%\javaqs.exe

  • 5. Delete the files shown below from all removable storage media:

      <X>:\autorun.inf
      <X>:\redmond.exe

      X is the name of the removable disk

  • 6. Update your antivirus databases and perform a full scan of the computer
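
A read-only check for the artifacts listed in steps 3 to 5, added here as an example and not part of the original page. It assumes PowerShell is available on the affected machine; the SysWOW64 and WOW6432Node locations are assumptions added for 64-bit Windows, not values given on the page.

```powershell
# Read-only check for the artifacts named in removal steps 3-5; nothing is deleted.
# Step 3: registry key, value name, and the file name the page gives in the value data.
$regIndicators = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Kaspersky Email Security'; File = 'javaupd.exe' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Java update'; File = 'javaqs.exe' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Java update'; File = 'javaqs.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}'; Name = 'StubPath'; File = 'javaqs.exe' }
)

# Report each listed file name that exists in a directory (hidden and system files included).
function Find-Artifact([string]$Dir, [string[]]$Names, [string]$Type) {
    foreach ($n in $Names) {
        $p = Join-Path $Dir $n
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force
            [pscustomobject]@{ Type = $Type; Location = $p; Detail = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
        }
    }
}

$hits = @(
    foreach ($i in $regIndicators) {
        # Assumption: a 32-bit process on 64-bit Windows writes HKLM\SOFTWARE values under WOW6432Node.
        $keys = @($i.Key, ($i.Key -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\')) | Select-Object -Unique
        foreach ($k in $keys) {
            $data = (Get-ItemProperty -LiteralPath $k -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
            if ($null -ne $data) {
                # Note whether the data points at the file name the page lists for this value.
                $note = if ($data -like "*$($i.File)*") { 'matches listed file' } else { 'same value name, different target' }
                [pscustomobject]@{ Type = 'Registry'; Location = "$k [$($i.Name)]"; Detail = "$data ($note)" }
            }
        }
    }
    # Step 4: the page's %System%. Assumption: SysWOW64 is checked too, because a 32-bit
    # process on 64-bit Windows is redirected there when it writes to System32.
    $sysDirs = @([Environment]::SystemDirectory, [Environment]::GetFolderPath('SystemX86')) | Select-Object -Unique
    foreach ($dir in $sysDirs) { Find-Artifact -Dir $dir -Names 'javaupd.exe', 'javaqs.exe' -Type 'System file' }
    # Step 5: root of every mounted removable drive.
    $drives = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
    foreach ($d in $drives) { Find-Artifact -Dir $d.RootDirectory.FullName -Names 'autorun.inf', 'redmond.exe' -Type 'Removable media' }
)

if ($hits.Count -gt 0) { $hits | Format-List } else { 'None of the listed artifacts were found.' }
```

Run it from a 64-bit PowerShell session on 64-bit Windows, so that the System32 and HKLM\SOFTWARE lookups are not themselves redirected to the 32-bit views.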

 

Additional Windows ME/XP removal considerations
