Virus:Win32/Mewsei.A
First posted on 09 January 2015.
Source: Microsoft
Aliases:
There are no other names known for Virus:Win32/Mewsei.A.
Explanation:
Threat behavior
Installation
This threat spreads by infecting files on network and removable drives.
It does this by traversing every drive letter on the infected system from A:\ to Z:\. Once it finds an accessible drive, the virus searches it for .exe files and starts infecting them.
The virus makes a copy of itself in the target drive and appends its payload and an encrypted host file in a new portable executable (PE) overlay. It updates the icon and version information of the new file and renames it.
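Because the infection described above appends the payload and the encrypted host to the victim file as a new PE overlay, the presence of an unexpectedly large overlay is a useful triage signal when sweeping removable and network drives. The following is an added example for defenders, not code from Microsoft's analysis: it parses the PE section table, measures any data past the last section, and includes a constructed minimal PE image used only as sample input.

```python
import struct
from pathlib import Path


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended after the last section (the overlay).
    0 means no overlay; ValueError means the buffer is not a parseable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end_of_sections = 0
    for i in range(num_sections):
        off = sect_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def scan_for_overlays(root: str, min_overlay: int = 1024):
    """Yield (path, overlay_size) for .exe files under root whose overlay is at
    least min_overlay bytes. Signed binaries and installers also carry overlays,
    so treat hits as candidates for closer inspection, not as verdicts."""
    for path in Path(root).rglob("*.exe"):
        try:
            size = pe_overlay_size(path.read_bytes())
        except (OSError, ValueError):
            continue
        if size >= min_overlay:
            yield path, size


def build_sample_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample input (assumption, not a real binary): a minimal
    one-section PE32 image, optionally followed by an overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_hdr_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x102)
    raw_ptr = e_lfanew + 24 + opt_hdr_size + 40  # data follows the section table
    sect = b".text\0\0\0" + struct.pack("<IIII", len(section_bytes), 0x1000,
                                         len(section_bytes), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + b"\0" * opt_hdr_size + sect + section_bytes + overlay
```

Run `scan_for_overlays("E:\\")` against a mounted removable drive to list candidates; compare any hit against a known-good copy of the same program before acting on it.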
Payload
Steals your sensitive information
This threat can steal your personal information such as:
- A list of your PC's running processes and open windows
- Captured webcam images
- Information about your PC, such as its CPU, memory, video card, current time, and keyboard language
- Saved passwords from your web browsers and other programs, including PuTTY, Firefox, FileZilla, Chrome, and Opera
It can also record which keys you press and upload this information to a remote server.
It can also download executable files from, and upload them to, a remote server. We have seen this threat contact the following command and control servers:
- 176.31.246.49:14141
- 213.186.113.10:62495
- 46.32.233.54:53535
- z3mm6cupmtw5b2xx.onion
Blocks security software
This threat can block the following programs:
- agnitum
- antivir
- arcavir
- avast
- avg
- avira
- avp
- avz
- bitdefender
- clamav
- comodo
- cureit
- drweb
- egui
- ekrn
- eset
- firewall
- f-prot
- fsecure
- f-secure
- gdata
- g-data
- idaq.exe
- idau64.exe
- ikarus
- iobit
- kasper
- kav
- mcafee
- msascui
- nod32
- norton
- ollydbg
- outpost
- panda
- quickheal
- sophos
- symantec
- trendmicro
- virusbuster
Analysis by Mihai Calota
Symptoms
Alerts from your security software might be the only symptom.
Last update 09 January 2015