
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Mseus.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Mseus.A carries out the following actions:

  • When it is run, a folder called IQTEST is displayed. This folder contains an executable file called IQTEST.EXE, which is actually an intelligence test, and a text file which contains the following message:
    Iqtest is configured to start of IQ test, run IQTEST.EXE in this folder

    The following image shows the folder containing the test:

    Files displayed when Mseus.A is run
  • If users run the file, they really are given the intelligence test (which is in Czech). First, a screen is displayed with several instructions and explanations about the test in Czech:

    Screen displayed when the Iqtest.exe file is run
  • It causes serious damage to the computer, as it overwrites the first 50 KB of the MBR (Master Boot Record) with zeros. As a result, the computer cannot even be started.
  • However, this does not occur immediately after the malware is run. It remains dormant for 7 or 10 days, and only then is the MBR partially overwritten, leaving the computer unusable.

 

Infection strategy 

Mseus.A creates the following files in the Windows system directory:

  • MSEUS.EXE, which is a copy of the virus.
  • TOKSET.DLL
  • MSEU.SYS and MSTART.SYS, in the drivers subfolder. These two files are the ones that overwrite part of the MBR (Master Boot Record).

Additionally, it creates a file called AINF.INF on removable drives and in shared folders, so that the copy of the malware is run automatically when any of them is accessed.

 

Mseus.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Dump = %sysdir%\mseus.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, Mseus.A ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
    %sysdir%\drivers\Mseu.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
    %sysdir%\drivers\Mstart.sys

    By creating these entries, the drivers MSEU.SYS and MSTART.SYS are registered as services and can be run whenever Windows is started.
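
The files and registry entries listed above can be checked for on a suspect machine. The following is an added example, not Panda Security's own code: it scans the text of a registry export and a list of file paths for those artifacts. The function names, the default system directory C:\Windows\System32 and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Artifacts named in this entry; everything is compared case-insensitively.
SYSDIR_FILES = ["mseus.exe", "tokset.dll", r"drivers\mseu.sys", r"drivers\mstart.sys"]
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse .reg export text into {lowercased key path: {value name: REG_SZ data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := REG_SZ.match(line)):
            # .reg files escape backslashes and quotes inside string data
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_mseus_indicators(reg_text, paths, sysdir=r"C:\Windows\System32"):
    """Return findings for the registry entries and files this entry lists."""
    reg, sysdir, found = parse_reg_export(reg_text), sysdir.lower(), []
    for name, data in reg.get(RUN_KEY, {}).items():
        value = data.lower().strip('"').replace("%sysdir%", sysdir)
        if value == sysdir + r"\mseus.exe":
            found.append("run:" + name)
    for svc in ("mseu", "mstart"):  # the presence of the service key is the indicator
        if SERVICES + "\\" + svc in reg:
            found.append("service:" + svc)
    for p in (p.lower() for p in paths):
        if any(p == sysdir + "\\" + f for f in SYSDIR_FILES):
            found.append("file:" + p)
        elif ntpath.basename(p) == "ainf.inf":
            found.append("autorun:" + p)
    return found

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="C:\\Windows\\System32\\mseus.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
"DisplayName"="MSTART"
'''
SAMPLE_PATHS = [r"C:\Windows\System32\drivers\Mseu.sys", r"E:\AINF.INF",
                r"C:\Windows\System32\notepad.exe"]
if __name__ == "__main__":
    print(find_mseus_indicators(SAMPLE_REG, SAMPLE_PATHS))
```

Only string (REG_SZ) values are parsed, so the two driver services are reported from the presence of their keys. The registry export must be decoded to text before it is passed in.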

Means of transmission 

Mseus.A uses the following means to spread:

1.- Social engineering techniques

It can reach the computer by passing itself off as an intelligence test that can be downloaded from certain websites or distributed in email messages.

It can also reach the computer as a password-protected self-extracting file (the password is given to the user beforehand), as in the image below:

How Mseus.A reaches the computer

 

2.- Removable drives and shared folders

It spreads through removable drives and shared folders by making copies of itself in them. Additionally, it creates a file called AINF.INF in these drives, so that the copy of the malware is run automatically when they are accessed.

Further Details  

Mseus.A is 228,352 bytes in size.

Curiously, at first this malware was created to target a Slovakian motorcycle club.

 

Research carried out by Jose Julio Ruiz de Loizaga.