Virus:Win32/Meteit.B is the detection for copies of legitimate Windows files that are infected by variants of Win32/Meteit. For example, Trojan:Win32/Meteit.B selects a random Windows DLL file to copy and infect.
The infector copies the selected file to the following folder, then infects it:
The infector also modifies the following registry entry so that svchost.exe loads the infected file as the "Server" (LanmanServer) service DLL instead of the legitimate srvsvc.dll:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Modifies value: "ServiceDll"
From data: "%SystemRoot%\system32\srvsvc.dll"
To data: "%CommonProgramFiles%\Microsoft Shared\<infected file>"
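The ServiceDll change above is both the persistence mechanism and the quickest thing to check on a suspect host. The following PowerShell is an added example written for this page, not code from the Microsoft encyclopedia entry or from the malware. It assumes a modern Windows host (Get-AuthenticodeSignature resolving catalog-signed system files), reads the raw ServiceDll data without expanding environment variables so the exact string the infector wrote is visible, compares the expanded path with the stock srvsvc.dll location, and checks the Authenticode signature of whatever file the value points at. The function name Test-LanmanServerServiceDll and the output field names are this example's own choices.

```powershell
# Added example for this page, not the encyclopedia entry's own code.
# Checks whether the Server (LanmanServer) service has had its ServiceDll value
# redirected, as Win32/Meteit.B does, and reports what the value points at.
# Function name and output fields are this example's own choices.
function Test-LanmanServerServiceDll {
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $expected = Join-Path $env:SystemRoot 'system32\srvsvc.dll'

    # Read the raw REG_EXPAND_SZ data so we see exactly what was written,
    # then expand it ourselves to get the path svchost.exe will actually load.
    $raw = (Get-Item -Path $key).GetValue('ServiceDll', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) {
        throw "ServiceDll is missing from $key; the Server service cannot start"
    }
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)

    # Any deviation from the stock path is suspicious; a DLL under
    # "%CommonProgramFiles%\Microsoft Shared" is the pattern this family uses.
    $hijacked    = ($resolved -ne $expected)   # string -ne is case-insensitive
    $meteitStyle = $resolved -like (Join-Path $env:CommonProgramFiles 'Microsoft Shared\*')

    # Check the signature of the file the service will actually load. A stock
    # srvsvc.dll verifies as Microsoft (catalog) signed; an infected copy of a
    # legitimate DLL keeps a plausible name but fails with HashMismatch/NotSigned.
    $sigStatus = 'FileMissing'
    $signer    = $null
    if (Test-Path -LiteralPath $resolved) {
        $sig       = Get-AuthenticodeSignature -FilePath $resolved
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        RawValue        = $raw
        ResolvedPath    = $resolved
        ExpectedPath    = $expected
        Hijacked        = $hijacked
        MeteitStylePath = $meteitStyle
        SignatureStatus = $sigStatus
        Signer          = $signer
    }
}

# Usage: run on the suspect host (reading this key needs no elevation).
$r = Test-LanmanServerServiceDll
$r | Format-List
if ($r.Hijacked -or $r.SignatureStatus -ne 'Valid') {
    Write-Warning "LanmanServer ServiceDll looks tampered with: $($r.ResolvedPath)"
}
```

Because the infector copies a randomly chosen legitimate Windows DLL and infects the copy, the file name under Microsoft Shared will look ordinary; the signature status, not the name, is what separates a clean library from an infected one. Also check CurrentControlSet against the other ControlSet00N keys, since a cleanup that fixes only the active control set can be undone by a Last Known Good boot.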
Connects to a remote server
The virus connects to a remote server every 16 seconds and waits for commands from it. Depending on the command received, Virus:Win32/Meteit.B may perform any of the following actions:
- Delete files
- Download and execute files
- Execute shell commands
- Make the computer unusable by wiping boot records and NTFS master file tables and deleting System Restore information
- Remove itself
- Restart the computer
- Update itself
- Write configuration data
Analysis by Sergey Chernyshev
The following system changes may indicate the presence of this malware: