Win32/Neurevt [Threat Name]

Win32/Neurevt.A [Threat Variant Name]

Category trojan
Size 257036 B
Detection created Feb 12, 2013
Detection database version 8525
Aliases Win32:Rootkit-gen (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the following location:

  • %programfiles%\Common Files\Windows File Updater.{2227A280-3AEA-1069-A2DE-08002B30309D}\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows File Updater" = "%programfiles%\Common Files\Windows File Updater.{2227A280-3AEA-1069-A2DE-08002B30309D}\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "Windows File Updater" = "%programfiles%\Common Files\Windows File Updater.{2227A280-3AEA-1069-A2DE-08002B30309D}\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows File Updater" = "%programfiles%\Common Files\Windows File Updater.{2227A280-3AEA-1069-A2DE-08002B30309D}\%variable1%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager]
    • "Task Service ID" = "%variable2%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%variable1%.exe\DisableExceptionChainValidation]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
    • "EnableJavaUpdate" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
    • "Debugger" = "%variable3%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe]
    • "Debugger" = "%variable3%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
    • "Debugger" = "%variable3%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe]
    • "Debugger" = "%variable3%_.exe"

A string with variable content is used instead of %variable1-3%.


The trojan executes the following files:

  • %malwarefilepath%
  • %system%\­svchost.exe -k NetworkService
  • %system%\­WerFault.exe
  • %system%\­wuauclt.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • csrss.exe
  • lsass.exe
  • services.exe
  • smss.exe
  • spoolsv.exe
  • winlogon.exe

The trojan hooks the following Windows APIs:

  • DnsQuery_W (Dnsapi.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • HttpSendRequestW (Wininet.dll)
  • PR_Write (nspr4.dll)
  • SHGetFolderPathW (Shell32.dll)
  • KiFastSystemCall (ntdll.dll)
  • ZwCreateFile (ntdll.dll)
  • ZwOpenFile (ntdll.dll)
  • ZwDeleteFile (ntdll.dll)
  • ZwSetInformationFile (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • ZwOpenDirectoryObject (ntdll.dll)
  • ZwEnumerateValueKey (ntdll.dll)
  • ZwCreateKey (ntdll.dll)
  • ZwSetValueKey (ntdll.dll)
  • ZwDeleteValueKey (ntdll.dll)
  • ZwOpenProcess (ntdll.dll)
  • ZwTerminateProcess (ntdll.dll)
  • ZwSuspendProcess (ntdll.dll)
  • ZwQuerySystemInformation (ntdll.dll)
  • ZwQueryInformationThread (ntdll.dll)
  • ZwCreateThread (ntdll.dll)
  • ZwResumeThread (ntdll.dll)
  • ZwSuspendThread (ntdll.dll)
  • ZwSetContextThread (ntdll.dll)
  • ZwTerminateThread (ntdll.dll)
  • ZwProtectVirtualMemory (ntdll.dll)
  • ZwAllocateVirtualMemory (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • ZwDeviceIoControlFile (ntdll.dll)
  • ZwQueueApcThread (ntdll.dll)

Spreading on removable media

The trojan may create copies of itself on removable drives.


The trojan copies itself into the root folders of removable drives using the following name:

  • %variable1%p.pif

The following files are dropped in the same folder:

  • %variable2%.lnk

The file is a shortcut to a malicious file.


A string with variable content is used instead of %variable1-2%.


The name of the file may be based on the name of an existing file or folder.
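A read-only check for the removable-drive spreading pattern described above, added here as an example (not part of the ESET write-up): it looks in each removable drive root for a *.pif file together with a *.lnk whose target or arguments reference that .pif. The `-Force` switch is used because the write-up's "ShowSuperHidden" = 0 setting suggests the dropped files may carry the hidden attribute.

```powershell
# Added example: flag drive roots that hold a *.pif plus a *.lnk launching it.
# Assumes WScript.Shell is available (it is on any stock Windows install).
$shell = New-Object -ComObject WScript.Shell
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable

foreach ($disk in $removable) {
  $root = $disk.DeviceID + '\'
  # Hidden files are included (-Force); errors for unreadable media are ignored.
  $pifs = Get-ChildItem -LiteralPath $root -Filter '*.pif' -File -Force -ErrorAction SilentlyContinue
  if (-not $pifs) { continue }

  $lnks = Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue
  foreach ($lnk in $lnks) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    $target = $sc.TargetPath
    $lnkArgs = $sc.Arguments
    foreach ($pif in $pifs) {
      # A shortcut may point at the .pif directly or pass it to cmd.exe as an argument.
      if ($target -like "*$($pif.Name)" -or $lnkArgs -like "*$($pif.Name)*") {
        Write-Warning "$($lnk.FullName) launches $($pif.FullName)"
      }
    }
  }
}
```

A hit is a strong indicator of the write-up's %variable1%p.pif / %variable2%.lnk pair and warrants pulling both files for analysis rather than deleting them on the spot.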

Information stealing

Win32/Neurevt.A is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • computer name
  • operating system version
  • user name
  • information about the operating system and system settings
  • CPU information
  • FTP account information
  • antivirus software detected on the affected machine
  • the list of installed software
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • contact name(s)

The following programs are affected:

  • CoreFTP
  • FileZilla
  • FlashFXP
  • FTP Commander
  • PuTTY
  • Skype
  • SmartFTP
  • WinSCP

The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (7) URLs. The HTTP protocol is used.


It can execute the following operations:

  • spread via removable drives
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • execute shell commands
  • uninstall itself
  • perform DoS/DDoS attacks
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • google.com
  • microsoft.com
  • update.microsoft.com
  • windowsupdate.microsoft.com

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{%guid%}\161503E3\CL2]
    • "%applicationid%" = %collecteddata%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2guard.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgmfapx.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcfgex.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdiagex.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update_tmp.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcaclean.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uWinMgr.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServiceShell.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McUICnt.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALUpdate.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WRSA.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatray.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUNMain.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMgrSvc.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Update.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavjobs.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Upgrader.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbamui.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWin.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSUpdT.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DragonUpdater]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLPSLA.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDFirewallTray.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe]
    • "Debugger" = "%variable%_.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup]
    • "DisableMonitoring" = 1

The modified Registry entries will prevent the listed files from being executed: Windows launches the "Debugger" value in place of the named image, so the security tool never starts.


A string with variable content is used instead of %variable%.


The following services are disabled:

  • BITS
  • MpsSvc
  • SharedAccess
  • wscsvc
  • wuauserv
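A read-only triage script, added here as an example (not part of the ESET write-up), that checks a host for the Registry artifacts listed under Installation and Other information: the "Windows File Updater" Run values, the IFEO "Debugger" hijack of security-tool image names, the services set to Disabled, and the Internet Settings zone value "2500" = 3. Because %variable% is unknown, the Debugger value is matched on its "_.exe" suffix, and the image-name list below is a representative subset of the write-up's list; run it elevated so the HKLM keys are readable.

```powershell
# Added example: report Win32/Neurevt.A Registry artifacts. Read-only.
$findings = @()

# 1. Persistence: Run values named "Windows File Updater" in the three keys listed.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
  $v = Get-ItemProperty -Path $k -Name 'Windows File Updater' -ErrorAction SilentlyContinue
  if ($v) { $findings += "Run value in $k -> $($v.'Windows File Updater')" }
}

# 2. IFEO "Debugger" hijack: Windows starts the Debugger instead of the named image.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$images = 'rstrui.exe','hijackthis.exe','spybotsd.exe','housecalllauncher.exe',
          'avgnt.exe','avguard.exe','avastui.exe','msseces.exe','MsMpEng.exe',
          'MSASCui.exe','mbam.exe','mbamgui.exe','cfp.exe','WRSA.exe','zatray.exe'
foreach ($img in $images) {
  $d = Get-ItemProperty -Path (Join-Path $ifeo $img) -Name Debugger -ErrorAction SilentlyContinue
  # Any Debugger value on a security tool is suspicious; the "_.exe" suffix matches this family.
  if ($d -and $d.Debugger -like '*_.exe*') { $findings += "IFEO Debugger for $img -> $($d.Debugger)" }
}

# 3. Services the trojan disables (Start = 4 means Disabled).
foreach ($svc in 'BITS','MpsSvc','SharedAccess','wscsvc','wuauserv','DragonUpdater') {
  $s = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue
  if ($s -and $s.Start -eq 4) { $findings += "Service $svc is Disabled (Start=4)" }
}

# 4. Internet Settings zones 1-4 with "2500" = 3 (value 3 turns Protected Mode off for the zone).
foreach ($z in 1..4) {
  $zone = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
  $p = Get-ItemProperty -Path $zone -Name '2500' -ErrorAction SilentlyContinue
  if ($p -and $p.'2500' -eq 3) { $findings += "Zone $z has 2500 = 3" }
}

if ($findings.Count -gt 0) {
  $findings | ForEach-Object { Write-Warning $_ }
  exit 1
}
Write-Output 'No Win32/Neurevt.A Registry artifacts found.'
```

A disabled wuauserv or MpsSvc alone is not conclusive, but together with a Debugger value on an antivirus image name it is a strong match for this write-up.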

The trojan hides its presence in the system.


It uses techniques common for rootkits.
