Trend Micro received several reports of a spammed message containing a link that leads to the download of a malware detected as WORM_MEYLME.B. The spammed message bears the subject “Here you have” and tells users about a certain PDF document. When users follow the URL, http://www.{BLOCKED} or http://www.{BLOCKED}, they are redirected to a different URL, http://{BLOCKED}, which in turn leads to the malware itself.


When executed, WORM_MEYLME.B terminates antivirus services and uses the Messaging Application Programming Interface (MAPI) to send out email messages with a link to a copy of itself. It also propagates via removable drives (e.g., USB drives). In addition, this malware forces affected systems to share several folders in the %Windows%System as {Computer Name}Updates. It also connects to various malicious websites.


    Upon further investigation, we found that the malware used for this attack was just an unpacked version of a file that we already detected as WORM_AUTORUN.NAD. It is possible that the cybercriminals behind this attack got hold of the code for WORM_AUTORUN.NAD and modified it for their usage.

    We advise users to be wary of opening any unknown email and clicking any link. Trend Micro protects users from this attack via the Trend Micro™ Smart Protection Network™ that detects the malicious file and blocks all related malicious URLs.

    Analysis and screenshots provided by threat response engineer Jessa Dela Torre and threats analyst Edgardo Diaz, Jr.

    Update as of September 9, 2010 11:45 p.m. (UTC)

According to threats analyst Edgardo Diaz, WORM_MEYLME.B creates several registry entries that disable security alerts and secure desktop prompting. Furthermore, it also downloads a backdoor detected by Trend Micro as BKDR_BIFROSE.SMU. Since the malware shares some System folders without the user’s knowledge, it leaves the system vulnerable.

    Update as of September 10, 2010 1:26 a.m. (UTC)

    This attack also uses various spammed messages—one of which entices users with a free movie while another purports to be a job application letter. Both messages contain a link that when clicked leads to the download of the worm.

    The worm was also found trying to access users’ Yahoo! Messenger files. It is possible that WORM_MEYLME.B harvests Yahoo! Messenger IDs to send copies of itself.


    Update as of September 10, 2010 6:31 a.m. (UTC)

    Analysis reveals that WORM_MEYLME.B is capable of deleting security services but only after the services have been completely stopped from executing. It cannot, however, delete files associated with the services it attempts to delete.
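The three host-side behaviours described above (unexpected shares under the Windows directory, registry entries that disable secure desktop prompting, and security services that are stopped or deleted) can be triaged with a short script. The following is an added example written for this post, not Trend Micro's own tooling; the specific registry values (EnableLUA, PromptOnSecureDesktop) and service names (wscsvc, WinDefend, MpsSvc) are standard Windows ones chosen as assumptions, since the post does not name the exact keys or services the worm touches.

```powershell
# Added example (not from the post): triage a Windows host for the behaviours described above.
# Assumptions: the registry values and service names below are standard Windows ones; the
# worm's exact keys and targeted services are not named in the post.

$findings = @()

# 1. Unexpected file shares: the worm is said to share folders under the Windows directory
#    as "{Computer Name}Updates". Flag any non-default share rooted in %windir% or whose
#    name ends in "Updates".
$defaultShares = @('ADMIN$', 'C$', 'IPC$', 'print$')
foreach ($share in Get-CimInstance -ClassName Win32_Share) {
    if ($defaultShares -contains $share.Name) { continue }
    $underWindir = $share.Path -and
        $share.Path.StartsWith($env:windir, [System.StringComparison]::OrdinalIgnoreCase)
    if ($underWindir -or $share.Name -like '*Updates') {
        $findings += "Suspicious share '$($share.Name)' -> '$($share.Path)'"
    }
}

# 2. Secure desktop / UAC prompting: the worm is said to write registry entries that disable
#    secure desktop prompting. EnableLUA and PromptOnSecureDesktop are the standard UAC
#    policy values (assumption: these are the ones affected).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA', 'PromptOnSecureDesktop') {
    $val = $uac.$name
    if ($null -ne $val -and $val -eq 0) {
        $findings += "UAC policy '$name' is 0 (disabled) under $uacKey"
    }
}

# 3. Security services: the worm stops security services and deletes them once stopped.
#    Check that core Windows security services still exist and are running; add your own
#    AV product's service names to this list.
foreach ($svc in 'wscsvc', 'WinDefend', 'MpsSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        $findings += "Security service '$svc' is missing (deleted?)"
    } elseif ($s.Status -ne 'Running') {
        $findings += "Security service '$svc' is $($s.Status)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session; a hit on any of the three checks is a reason to pull the host for full analysis rather than a verdict on its own.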

    Update as of September 13, 2010 7:10 a.m. (UTC)

    WORM_MEYLME.B contains a Visual Basic script that performs its information theft routines. This script, which is embedded within the worm’s code, is now detected as VBS_MEYLME.B.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice