Win32/Neeris [Threat Name]

Win32/Neeris.B [Threat Variant Name]

Category worm
Size 36864 B
Detection created Sep 09, 2013
Detection database version 10016
Aliases Trojan.Win32.Agent.ibfx (Kaspersky)
  Worm:Win32/Neeris.gen!C (Microsoft)
  W32/Autorun.worm.c.virus (McAfee)
Short description

The worm serves as a backdoor. It is able to spread via IM networks.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\Adobe\adbreader.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Adobe Driver Update" = "%appdata%\Adobe\adbreader.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Adobe Driver Update" = "%appdata%\Adobe\adbreader.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%appdata%\Adobe\adbreader.exe" = "%appdata%\Adobe\adbreader.exe:*:Enabled:Adobe Driver Update"

This entry adds an exception for the worm's executable to the Windows Firewall, so its inbound connections are allowed under the name "Adobe Driver Update".
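The two persistence entries and the firewall exception above are the host-level indicators a responder would look for. The following Python helper, added here as an example and not part of the original entry, parses a Windows .reg export and flags any Run-key value named "Adobe Driver Update" or pointing at `\Adobe\adbreader.exe`, and any AuthorizedApplications entry that references that executable. The .reg text embedded below is constructed for the demonstration; the expanded `C:\Users\alice\AppData\Roaming` path is a stand-in for `%appdata%`.

```python
"""Triage helper: scan a .reg export for the Win32/Neeris.B registry indicators.

Added example; the sample registry export below is constructed, not a real
capture. Only string (REG_SZ) values are decoded; REG_EXPAND_SZ values
exported as hex(2): are skipped, so export with expanded paths or extend
_VALUE_RE if those matter in your environment.
"""
import re
from typing import Iterator

# Indicators taken from the entry above (compared case-insensitively).
RUN_VALUE_NAME = "adobe driver update"
DROPPED_SUFFIX = r"\adobe\adbreader.exe"          # tail of %appdata%\Adobe\adbreader.exe
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Matched as a suffix so ControlSet001 / CurrentControlSet / ControlSet002 all hit.
FIREWALL_LIST_SUFFIX = (
    r"\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
)

# Constructed sample input: one benign HKLM Run value, the worm's Run value,
# a benign HKCU Run value, and the worm's firewall exception.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Adobe Driver Update"="C:\\Users\\alice\\AppData\\Roaming\\Adobe\\adbreader.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\AppData\\Roaming\\Adobe\\adbreader.exe"="C:\\Users\\alice\\AppData\\Roaming\\Adobe\\adbreader.exe:*:Enabled:Adobe Driver Update"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Value name is a quoted string; backslashes and quotes inside it are escaped.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = _unescape(m.group("name"))
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])   # REG_SZ; hex(...) forms are left raw
        yield key, name, data


def find_indicators(reg_text: str) -> list[dict]:
    """Return a finding per registry value that matches a Neeris.B indicator."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k in RUN_KEYS and (n == RUN_VALUE_NAME or d.endswith(DROPPED_SUFFIX)):
            findings.append({"kind": "run_key_persistence", "key": key, "name": name, "data": data})
        elif k.endswith(FIREWALL_LIST_SUFFIX) and (DROPPED_SUFFIX in n or DROPPED_SUFFIX in d):
            findings.append({"kind": "firewall_exception", "key": key, "name": name, "data": data})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_REG):
        print(f"{f['kind']}: [{f['key']}] \"{f['name']}\" = \"{f['data']}\"")
```

On a live host the same checks can be run against `reg export` output of the two Run keys and the SharedAccess service key; a hit on the firewall list is the stronger signal, since a legitimate "Adobe" component would not register an exception under the user's roaming profile path.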

Spreading via IM networks

It is able to spread via IM networks.

The following programs are affected:

  • AOL Instant Messenger
  • MSN Messenger
  • Triton
  • Windows Live Messenger

The text of the message is taken entirely from data the worm downloads from the Internet.

The messages may contain any of the following texts:

  • haha esta e a sua foto? http://%removed%_jpg
  • haha so geile bilder von dir echt ej http://%removed%_jpg
  • het voor yah, doend beeldverhaal van mijn leven lol.. http://%removed%_jpg
  • looool tu dois voire mon photo album http://%removed%_jpg
  • haha msn photos!! http://%removed%_jpg

Each message contains a link to a website hosting malware.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

  • lolcantpwnme.net

The IRC protocol is used in the communication.

It can execute the following operations:

  • spread via IM networks
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
