Effects
Meve has the following effects:
- It deletes several lines from the SYSTEM.INI file, preventing certain applications (programs, drivers, etc.) from working correctly.
- It goes memory resident and opens ports. By doing this, a hacker could gain remote access to the computer.
- It opens the Internet browser and displays images of Evo Morales.
- It connects to the following news websites at random: http://jeremybigwood.net, http://news.bbc.co.uk, http://www.commondreams.org/headlines/images/100700-01.jpg, http://www-ni.laprensa.com.ni, http://www.soc.uu.se, http://www.cannabisculture.com, http://www.chilevive.cl, http://membres.lycos.fr and http://www.movimientos.org
Means of infection
Meve creates the following copies of itself, each 188,928 bytes in size:
- In the Windows directory: ALL USERS.EXE, COMMAND.EXE, HOT GIRL.SCR, HOTMAILPASS.EXE, INF.EXE, INTERNET DOWNLOAD.EXE, INTERNET FILE.EXE, PART HARD DISK.EXE, SHELL.EXE, SYSTEM.EXE, SYSTEM32.EXE, SYSTEM64.PIF and TEMP.EXE.
- In the System directory: INF.EXE, NET.COM and WWW.MICROSOFT.COM.
Meve creates the following entries in the Windows Registry to ensure that it is run whenever Windows is started:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System"=%WinDir%\system.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"=%WinDir%\system.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices "System"=%WinDir%\system.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce "System"=%WinDir%\temp.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System"=%WinDir%\system.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"=%WinDir%\temp.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "System"=%WinDir%\commands.com
Meve also modifies the following entries in the Windows Registry:
- HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = "%WinDir%\temp.exe" "%1" %*
- HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = "%WinDir%\Inf.exe" "%1" %*
- HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = "%WinDir%\command.exe" "%1" %*
- HKEY_CLASSES_ROOT\htafile\Shell\Open\Command "(Default)" = "%WinDir%\commands.com" "%1" %*
- HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)" = "%WinDir%\commands.com" "%1" %*
Meve modifies these entries to ensure that it is run before any file with a PIF, HTA, EXE, COM or BAT extension.
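To check an exported registry hive for the autorun entries and file-association changes listed above, here is an added Python example (not part of the original description). It parses a constructed .reg export embedded in the script; the `.reg` escaping rules it relies on and the sample values are assumptions, and the dropped file names come from the list above.

```python
import re
# Constructed sample of a `reg export` (.reg) file from an infected host; the values
# mirror the entries listed above, plus one benign Run value for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\command.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Binaries the autorun entries above point to, lower-cased for comparison.
MEVE_FILES = {"system.exe", "temp.exe", "commands.com", "command.exe", "inf.exe"}
HIJACKED_CLASSES = {"exefile", "comfile", "batfile", "piffile", "htafile"}
AUTORUN_KEYS = ("\\run", "\\runservices", "\\runservicesonce")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.endswith('"'):
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslash and double quote with a backslash
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return keys

def find_meve_indicators(text):
    """Return (key, value, reason) tuples for entries matching the changes described above."""
    findings = []
    for key, values in parse_reg(text).items():
        parts = key.lower().split("\\")
        if len(parts) == 5 and parts[1] in HIJACKED_CLASSES and parts[2:] == ["shell", "open", "command"]:
            cmd = values.get("(Default)", "")
            # A clean association starts with "%1" (mshta.exe for .hta); a program placed
            # before "%1" runs every time a file of that type is opened.
            if not cmd.startswith('"%1"') and "mshta" not in cmd.lower():
                findings.append((key, cmd, "file association hijacked"))
        elif key.lower().endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if data.replace("/", "\\").split("\\")[-1].lower() in MEVE_FILES:
                    findings.append((key, f"{name}={data}", "autorun points to a Meve copy"))
    return findings
```

Because the shell\open\command changes route every EXE, COM, BAT, PIF and HTA launch through the dropped files, restore those default values before deleting the files, or the system will no longer be able to open those file types.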
Means of transmission
Meve spreads via e-mail in a message with the following characteristics:
- Subject: El adelanto de matrix ta gueno‼ (in English: "The Matrix preview is good‼")
- Message: Pablo_Hack Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya?Respondeme que tal te parecio. chau‼ (in English: "Pablo_Hack Hey, I'm sending you the program to get into Messenger accounts, real easy, I'm only sending it to you, promise me you won't pass it to anyone, ok? Reply and tell me what you thought. bye‼")
- Attachments: HOTMAILPASS.EXE
When it is run, it sends itself out to all the contacts in MSN Messenger.
Other details
The file that carries out the infection is 188,928 bytes in size.
Last updated: Dec. 26, 2003