Virus:Win32/Meteit.B


Virus:Win32/Meteit.B is the detection for copies of legitimate Windows files that are infected by variants of Win32/Meteit. It connects to a remote server, from which it may receive certain commands to perform on the affected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Virus:Win32/Meteit.B is the detection for copies of legitimate Windows files that are infected by variants of Win32/Meteit.

Installation

Virus:Win32/Meteit.B is the detection for copies of legitimate Windows files that are infected by variants of Win32/Meteit. For example, Trojan:Win32/Meteit.B selects a random Windows DLL file to copy and infect.

The infector copies the selected file to the following folder, then infects it:

%CommonProgramFiles%\Microsoft Shared\

The infector also modifies the following registry entry so that the infected file is run as the "Server" service component rather than the legitimate service file:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Modifies value: "ServiceDll"
From data: "%SystemRoot%\system32\srvsvc.dll"
To data: "%CommonProgramFiles%\Microsoft Shared\<infected file>"

Payload

Connects to a remote server

Virus:Win32/Meteit.B connects to a remote server every 16 seconds. The remote server sends commands for this virus to perform. Depending on the command, Virus:Win32/Meteit.B may perform any of the following actions:

  • Delete files
  • Download and execute files
  • Execute shell commands
  • Make the computer unusable by wiping boot records and NTFS master file tables and deleting System Restore information
  • Remove itself
  • Restart the computer
  • Update itself
  • Write configuration data

Analysis by Sergey Chernyshev


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
    Modifies value: "ServiceDll"
    From data: "%SystemRoot%\system32\srvsvc.dll"
    To data: "%CommonProgramFiles%\Microsoft Shared\<infected file>"

  • The presence of the infected file (named as in the registry value above) in the following folder:
    %CommonProgramFiles%\Microsoft Shared\
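The two indicators listed above (the redirected "ServiceDll" value and a dropped DLL in the Microsoft Shared folder) can be checked from an elevated PowerShell session. The script below is an added example, not part of this encyclopedia entry; the expected value %SystemRoot%\system32\srvsvc.dll and the drop folder come from the entry, while the function names and the decision to hash and signature-check the referenced file are assumptions of this example.

```powershell
# Added example, not part of the Microsoft encyclopedia entry.
# Checks the two indicators the entry lists: the LanmanServer ServiceDll
# registry value and DLLs dropped into %CommonProgramFiles%\Microsoft Shared\.
# Run in an elevated PowerShell session on the machine being examined.

function Test-LanmanServerServiceDll {
    [CmdletBinding()]
    param()

    $key         = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $expectedDll = Join-Path $env:SystemRoot 'system32\srvsvc.dll'   # value given in the entry
    $suspectDir  = Join-Path $env:CommonProgramFiles 'Microsoft Shared'

    # ServiceDll is REG_EXPAND_SZ; the registry provider expands it, but expand
    # again so a value stored with a literal %SystemRoot% still compares correctly.
    $raw      = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction Stop).ServiceDll
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)

    $result = [pscustomobject]@{
        ServiceDll      = $resolved
        Expected        = $expectedDll
        Redirected      = ($resolved -ine $expectedDll)
        UnderSuspectDir = $resolved.StartsWith($suspectDir, [StringComparison]::OrdinalIgnoreCase)
        SignatureStatus = $null
        Sha256          = $null
    }

    if ($result.Redirected -and (Test-Path -LiteralPath $resolved)) {
        # An infected copy of a Windows DLL no longer carries a valid Authenticode
        # signature; record the status and hash for the incident record.
        $result.SignatureStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status
        $result.Sha256          = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
    }
    $result
}

function Get-UnsignedDllInMicrosoftShared {
    # Lists DLLs directly in the folder root (not in subfolders, which hold many
    # legitimate signed components) whose signature is missing or broken.
    $suspectDir = Join-Path $env:CommonProgramFiles 'Microsoft Shared'
    Get-ChildItem -LiteralPath $suspectDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                SignatureStatus = $sig.Status
                Sha256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Where-Object { $_.SignatureStatus -ne 'Valid' }
}

$check = Test-LanmanServerServiceDll
if ($check.Redirected) {
    Write-Warning "LanmanServer ServiceDll points to $($check.ServiceDll) instead of $($check.Expected)"
    $check | Format-List
} else {
    "ServiceDll is the legitimate $($check.ServiceDll)"
}
Get-UnsignedDllInMicrosoftShared | Format-Table -AutoSize
```

A redirected ServiceDll whose path sits under the Microsoft Shared folder and whose signature status is not Valid matches both symptoms in this entry; collect the hash before remediation so the sample can be submitted and the scan results correlated. Because the script only reads the registry and file metadata, it is safe to run on a live host before taking it offline.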

Prevention


Alert level: Severe
First detected by definition: 1.117.233.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 02, 2011
This entry was first published on: Dec 02, 2011
This entry was updated on: Dec 20, 2011

This threat is also detected as:
No known aliases