Win32/Mevon is a worm that spreads via mapped drives, using the Autorun feature, and via peer-to-peer file sharing networks.
Installation
When executed Win32/Mevon.A copies itself to the following locations:
%windir%\svchost.exe
c:\recycler\ntdetect.exe
<system folder>\taskmgr.exe
<system folder>\drivers\etc\proceso inactivo del sistema.com
c:\documents and settings\administrator\application data\services.exe
c:\documents and settings\administrator\application data\winlogon.exe
Note: Win32/Mevon.A sets the System, Hidden and Read Only attributes on files with .exe extensions in the list above.
Win32/Mevon.A also creates the following registry entries to ensure that it is executed at each Windows start:
Sets value: "CTFMON.EXE"
With data: "%windir%\svchost.exe"
To subkey: HKLM\Software\Microsoft\windows\CurrentVersion\Run
Sets value: "Shell"
With data: "explorer.exe c:\recycler\ntdetect.exe"
To subkey: HKLM\SOFTWARE\Microsoft\windows NT\CurrentVersion\winlogon
Win32/Mevon.A makes the following further modifications to the registry to ensure its survival on an infected machine:
Sets value: "DisableRegistryTools"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System
Sets value: "NoFolderOptions"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Sets value: "NoFind"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System
Sets value: "NoFolderOptions"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Sets value: "NoFind"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Sets value: "Hidden"
With data: "2"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced
Sets value: "NoRecycleFiles"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Spreads Via…
Peer-to-Peer File Sharing Networks
Win32/Mevon.A can spread via peer-to-peer networks by attempting to copy itself to the shared folders of several peer-to-peer file sharing applications, should they exist on the affected machine. It looks for the following file paths:
%Program Files%\eMule\
%Program Files%\Kazaa\
%Program Files%\Kazaa Lite\
%Program Files%\Grokster\
%Program Files%\Morpheus\
%Program Files%\EDONKE~1\
%Program Files%\Gnucleus\
%Program Files%\BearShare\
%Program Files%\KMD\
%Program Files%\XoloX\
%Program Files%\Ares\
%Program Files%\Shareaza\
%Program Files%\applej~1\
%Program Files%\ICQ\Shared~1\
%Program Files%\LimeWire\Shared\
%Program Files%\Filetopia3\
%Program Files%\appleJuice\
%Program Files%\Overnet\
%Program Files%\Swaptor\
%Program Files%\WinMX\
%Program Files%\Tesla\
%Program Files%\Rapigator\
%Program Files%\Direct Connect\
%Program Files%\Warez P2P Client\
Via Mapped Drives
Win32/Mevon.A attempts to spread to the following drives if they are present on the affected machine:
C:, D:, E:, F:, G:, H:, I:, J:, K:, L:, M:
It copies itself to '<drive>\system volume information\lucifer.exe' and creates a corresponding '<drive>\autorun.inf' to execute its copy. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
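The following script is an added example, not code from the original write-up. It walks the drive letters named above, reports whether the `system volume information\lucifer.exe` copy is present and whether a root `autorun.inf` exists, and parses the `[autorun]` section to show which program the file would launch. The `NoDriveTypeAutoRun` check at the end is a standard Windows hardening setting that is not mentioned in the write-up; the function names and the `0xFF` "all drive types" value are mine.

```powershell
# Added example (not from the original write-up): read-only check of the drive
# artefacts Win32/Mevon.A uses to spread, plus the Autorun hardening setting.

function Get-AutorunTargets {
    param([string]$InfPath)
    # autorun.inf is an INI file; in the [autorun] section the open= and shellexecute=
    # lines name the program Windows would launch. Returns their right-hand sides.
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if ($inSection -and $t -match '^(open|shellexecute)\s*=\s*(.+)$') { $Matches[2] }
    }
}

function Get-MevonDriveFindings {
    foreach ($letter in 'C','D','E','F','G','H','I','J','K','L','M') {
        $root = "${letter}:\"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $copy = Join-Path $root 'System Volume Information\lucifer.exe'
        $inf  = Join-Path $root 'autorun.inf'
        # -Force so hidden/system files are seen; SVI is ACL-restricted, hence SilentlyContinue
        $copyExists = [bool](Get-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue)
        $targets = @()
        if (Test-Path -LiteralPath $inf) { $targets = @(Get-AutorunTargets -InfPath $inf) }
        $pointsAtCopy = @($targets | Where-Object { $_ -match 'lucifer\.exe' }).Count -gt 0
        if ($copyExists -or $targets.Count -gt 0) {
            [pscustomobject]@{
                Drive          = $root
                CopyPresent    = $copyExists
                AutorunTargets = ($targets -join '; ')
                PointsAtCopy   = $pointsAtCopy
            }
        }
    }
}

function Test-AutorunDisabled {
    # Hardening check (not from the write-up): NoDriveTypeAutoRun = 0xFF disables
    # Autorun for every drive type, which closes this spreading vector.
    foreach ($hive in 'HKLM','HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
                              -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($v -and (($v.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)) { return $true }
    }
    return $false
}

Get-MevonDriveFindings | Format-Table -AutoSize
"Autorun disabled for all drive types: $(Test-AutorunDisabled)"
```

Any root `autorun.inf` on a fixed or mapped drive is unusual and worth reading; one whose `open=` or `shellexecute=` line names `lucifer.exe` matches the behaviour described above. The System Volume Information folder is normally readable only by SYSTEM, so run the script elevated or expect `CopyPresent` to be reported as false on drives where the folder cannot be listed.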
Payload
Terminates Processes
Win32/Mevon checks if the names of running processes contain the following strings, and terminates them if it finds a match:
AcctMgr
Active
Alogserv
amon
AnVir
avpmon
av
atrack
aut
atupdate
aupdate
bawindo
blackd
ccapps
ccpxysvc
ccvpupd
cfiaudit
drwebupw
escan
fire
fspex
guard
icsup
luall
mcupdate
mcvs
msdev
nisum
nupgrade
ollydbg
outpost
pav
peid
petools
poproxy
RegSeeker
rulaunch
Synaptics
systray
TJEnder
Update
vet95
vshwin
w32dasm
winhex
wscript
xpshare
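The following script is an added example, not code from the original write-up. It applies the matching rule the description states, a substring match of the process name against the list above, to the processes running on the current host and reports which would be affected. Nothing is terminated. The list is copied from the write-up; that the comparison is case-insensitive, and the function name, are assumptions.

```powershell
# Added example (not from the original write-up): impact assessment for the
# process-name substring list Win32/Mevon uses. Reports matches only.

$mevonProcessStrings = @(
    'AcctMgr','Active','Alogserv','amon','AnVir','avpmon','av','atrack','aut','atupdate',
    'aupdate','bawindo','blackd','ccapps','ccpxysvc','ccvpupd','cfiaudit','drwebupw','escan',
    'fire','fspex','guard','icsup','luall','mcupdate','mcvs','msdev','nisum','nupgrade',
    'ollydbg','outpost','pav','peid','petools','poproxy','RegSeeker','rulaunch','Synaptics',
    'systray','TJEnder','Update','vet95','vshwin','w32dasm','winhex','wscript','xpshare'
)

function Get-MevonProcessMatches {
    # ProcessNames defaults to the live process list; pass an array to test offline.
    param([string[]]$ProcessNames = (Get-Process | Select-Object -ExpandProperty ProcessName))
    foreach ($name in ($ProcessNames | Sort-Object -Unique)) {
        # -like with a wildcard on both sides is a case-insensitive substring test (assumed
        # to mirror the worm's comparison; the write-up does not state the case handling)
        $hits = @($mevonProcessStrings | Where-Object { $name -like "*$_*" })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Process = $name; MatchedOn = ($hits -join ', ') }
        }
    }
}

Get-MevonProcessMatches | Format-Table -AutoSize
```

Running this on a normal workstation shows how blunt the rule is: strings such as `av`, `aut`, `fire`, `Active` and `Update` match far more than security software, so the collateral damage on an infected host is a useful symptom in itself. From a detection standpoint, repeated unexpected exits of processes whose names contain these fragments, shortly after a new executable starts from `%windir%` or the Recycler folder, is the pattern to alert on.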
Deletes Files
Win32/Mevon.A looks under the %Program Files% directory for folders with the following names and attempts to delete them if found:
adware
adware~1
aio
aioano~1
aiotop~1
ashampoo
Avg
AVGant~1
avgant~2
bitdef~1
blackice
clamwi~1
counterspy
dr.web
etrust
etrust~1
evonsoft
evonso~1
Ewidoa~1
f-port~1
f-secure
f-secu~1
hideip~1
hideip~2
kasper~1
kerio
keriow~1
keriow~2
keriop~1
Mcafee~1
Microt~1
noadware
NOD32a~1
norton
norton~1
outpost
Panda
pandaa~1
pandat~1
portab~1
spyemergency
spyremover
spystopper
spywar~1
spywar~2
steganos
sygate
sygate~1
symantec
systemworks
thespy~1
titani~1
trendm~1
trendm~2
trojankiller
virusd~1
Viruss~1
virussafe
virusscan
webroot
webroo~1
winpatrol
xoftspy
zonealarm
Win32/Mevon.A also checks for the following folders and deletes them if they exist:
%programfiles%\ewido anti-malware
%programfiles%\Norton AntiVirus
%programfiles%\Norton Utilities
%programfiles%\Webroot
%programfiles%\Norton SystemWorks\Norton AntiVirus
%programfiles%\SinEspias
%programfiles%\SpyAxe
%programfiles%\SpywareStrike
%programfiles%\Microsoft AntiSpyware
%programfiles%\KASPERSKY LAB
%programfiles%\mcafee.com
%programfiles%\McAfee
%programfiles%\Synaptics
%programfiles%\Network Associates
%programfiles%\Eset
%programfiles%\ESET\ESET NOD32 Antivirus
%programfiles%\GRISOFT\AVG6
%programfiles%\AVPersonal
%programfiles%\ALWIL SOFTWARE
%programfiles%\Grisoft
%programfiles%\Panda Software\Panda Antivirus Titanium
%programfiles%\Panda Software\Panda Administrator 3
%programfiles%\Softwin\BitDefender9
%CommonProgramFiles%\Softwin
%programfiles%\Symantec_Client_Security\Symantec AntiVirus
%programfiles%\AVG7
%programfiles%\AVG Free
%programfiles%\CCleaner
%programfiles%\Lavasoft\Ad-Aware SE Professional
%programfiles%\RegCleaner
%programfiles%\TuneUp Utilities 2006
Additional Information
Win32/Mevon may alter the Hosts file. The local Hosts file takes precedence over DNS resolution, mapping a host name to a particular IP address. Malicious software may modify the Hosts file to redirect specified host names to different IP addresses; malware often does this on an affected machine to stop users from reaching websites associated with particular security-related applications, such as antivirus vendors.
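The following script is an added example, not code from the original write-up. Because the write-up does not name the entries the worm adds, the script lists every active mapping in the Hosts file other than the stock `localhost` lines, together with the file's attributes and last-write time, and leaves the judgement to the analyst. The function name and the path default are mine.

```powershell
# Added example (not from the original write-up): enumerate active Hosts-file
# entries so redirects of security-vendor sites (or any other tampering) stand out.

function Get-HostsFileEntries {
    param([string]$Path = (Join-Path ([Environment]::SystemDirectory) 'drivers\etc\hosts'))
    # -Force so the file is found even if it has been given the Hidden attribute
    $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        $t = ($line -split '#', 2)[0].Trim()        # drop comments and blank lines
        if (-not $t) { continue }
        $parts = $t -split '\s+'                    # "<address> <name> [<name> ...]"
        if ($parts.Count -lt 2) { continue }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -ieq 'localhost') { continue } # stock entry on older Windows versions
            [pscustomobject]@{
                Line         = $lineNo
                Address      = $ip
                Host         = $name
                FileModified = $file.LastWriteTime
                Attributes   = $file.Attributes
            }
        }
    }
}

Get-HostsFileEntries | Format-Table -AutoSize
```

A clean modern Windows Hosts file contains only comments, so any row this prints was placed there by an administrator or by software. Entries that map vendor or update domains to `127.0.0.1` or to an unexpected address, a recent modification time that does not match any change you made, and a large run of blank lines pushing entries below the visible part of the file are the points to look at. Note that the worm's own `<system folder>\drivers\etc\proceso inactivo del sistema.com` copy sits in the same directory as the Hosts file.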
Analysis by Ray Roberts