Win32/Neurevt [Threat Name]

Win32/Neurevt.B [Threat Variant Name]

Category trojan
Size 235656 B
Detection created Oct 08, 2013
Detection database version 9037
Aliases Win32/Neurevt.A (Microsoft)
Short description

The trojan serves as a backdoor and can be controlled remotely. It uses techniques common to rootkits to hide its presence.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %programfiles%\Common Files\Identity0\%variable1%.exe
  • %commonappdata%\Identity0\%variable1%.exe
  • %appdata%\Identity0\%variable1%.exe

The location may vary depending on the current settings stored in the malware executable.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "nvsystray" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "nvsystray" = "%malwarefilepath%"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%variable1%.exe\DisableExceptionChainValidation]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
    • "Debugger" = "%variable2%_.exe"

A string with variable content is used in place of %variable1-2%.


The trojan launches the following processes:

  • %windir%\explorer.exe
  • %system%\svchost.exe -k NetworkService
  • %system%\wuauclt.exe
  • %system%\WerFault.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • winlogon.exe
  • csrss.exe
  • services.exe
  • lsass.exe
  • spoolsv.exe
  • smss.exe
  • skype.exe

After the installation is complete, the trojan deletes the original executable file.
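The following PowerShell triage script is an added example, not code from ESET or from the malware; it checks a host for the installation artifacts described above. It assumes an elevated session, that the dropped file name (%variable1%.exe) is unknown and so only the Identity0 folders are listed, and that DisableExceptionChainValidation is stored as a DWORD value under the IFEO subkey (the way Windows reads it), which the listing above shows only as a key path.

```powershell
# Added triage script (not from ESET or the malware). Run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy: Identity0 under %programfiles%\Common Files, %commonappdata%, %appdata%.
#    Both Program Files roots are checked because a 32-bit dropper on x64 resolves
#    %programfiles% to "Program Files (x86)". %variable1%.exe is unknown, so list the folder.
$parents = @(
    "$env:ProgramFiles\Common Files",
    "${env:ProgramFiles(x86)}\Common Files",
    $env:ProgramData,
    $env:APPDATA
) | Where-Object { $_ -and $_ -ne '\Common Files' }
foreach ($p in $parents) {
    $dir = Join-Path $p 'Identity0'
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Dropped copy candidate: $($_.FullName)") }
    }
}

# 2. Run-key persistence: value "nvsystray" under both HKLM and HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'nvsystray' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("$hive Run\nvsystray = $($v.nvsystray)") }
}

# 3. IFEO: a "Debugger" value on rstrui.exe redirects every launch of System Restore
#    to the named binary; DisableExceptionChainValidation = 1 turns SEHOP off for
#    that image. Any Debugger value deserves review; rstrui.exe is the one described.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.Debugger) {
        $tag = if ($_.PSChildName -ieq 'rstrui.exe') { ' <-- matches description' } else { '' }
        $findings.Add("IFEO Debugger on $($_.PSChildName) = $($props.Debugger)$tag")
    }
    if ($null -ne $props.DisableExceptionChainValidation) {
        $findings.Add("IFEO DisableExceptionChainValidation on $($_.PSChildName) = $($props.DisableExceptionChainValidation)")
    }
}

# 4. Internet Settings zones: "2500" = 3 turns IE Protected Mode off for the zone.
#    Zones 1 (Intranet) and 2 (Trusted) have it off by default; zones 3 and 4 do not,
#    so only those two are strong indicators on their own.
foreach ($z in 1..4) {
    $zk = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
    $pm = (Get-ItemProperty -Path $zk -Name '2500' -ErrorAction SilentlyContinue).'2500'
    if ($pm -eq 3) { $findings.Add("Zone $z Protected Mode disabled (2500 = 3)") }
}

# 5. ShowSuperHidden = 0 keeps protected OS files hidden in Explorer. This is also
#    the Windows default, so it only matters together with the findings above.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) { $findings.Add('Explorer ShowSuperHidden = 0 (default value, weak indicator)') }

if ($findings.Count -eq 0) { 'No Neurevt installation artifacts found.' } else { $findings }
```

Because the dropper also injects into explorer.exe and svchost.exe and hooks the Nt* registry and file APIs listed further down, a compromised host may hide these keys and files from a script run on it; confirm negative results from an offline registry hive or a clean boot environment.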

Spreading on removable media

The trojan may create copies of itself on removable drives.


The trojan copies itself into the root folders of removable drives using the following name:

  • %variable%p.exe

A string with variable content is used in place of %variable%.


The following file is dropped in the same folder:

  • ntusbdriver.sys

The trojan searches for files and folders in the root folders of removable drives.


When the trojan finds a file matching the search criteria, it creates a new file.


The name of the new file is based on the name of the file found in the search. The extension of the file is ".lnk".


The shortcut points to the malicious executable, so opening what looks like the original file or folder runs the trojan.
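The script below is an added example (not ESET's code or the malware's) that inspects the root of every removable drive attached to the host for the lure described above: the `*p.exe` copy, the `ntusbdriver.sys` drop, and `.lnk` files named after real items in the root whose target or arguments launch an executable. It assumes the `%variable%` prefix is unknown, so the worm copy is matched only on its `p.exe` suffix, and it resolves shortcut targets through the WScript.Shell COM object rather than by opening them.

```powershell
# Added example (not from ESET or the malware): removable-drive lure check.
$shell  = New-Object -ComObject WScript.Shell
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable

foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    Write-Host "== $root"
    $entries = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue

    # Files the description says are dropped in the root: %variable%p.exe and ntusbdriver.sys.
    foreach ($f in ($entries | Where-Object { -not $_.PSIsContainer })) {
        if ($f.Name -like '*p.exe' -or $f.Name -ieq 'ntusbdriver.sys') {
            $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            Write-Host ("  dropped-file candidate: {0}  hidden={1}  size={2}" -f $f.Name, $hidden, $f.Length)
        }
    }

    # Lure shortcuts: a .lnk that shares its base name with a real file or folder in the
    # root and whose target (or argument string) runs an executable.
    foreach ($l in ($entries | Where-Object { $_.Extension -ieq '.lnk' })) {
        $sc      = $shell.CreateShortcut($l.FullName)
        $target  = $sc.TargetPath
        $lnkArgs = $sc.Arguments          # not $args, which is a PowerShell automatic variable
        $base    = [IO.Path]::GetFileNameWithoutExtension($l.Name)
        $twin    = $entries | Where-Object { $_.Name -ne $l.Name -and $_.BaseName -ieq $base } | Select-Object -First 1
        $runsExe = ($target -like '*.exe') -or ($lnkArgs -match '\.exe')
        if ($runsExe) {
            Write-Host ("  LNK {0} -> {1} {2}" -f $l.Name, $target, $lnkArgs)
            if ($twin) {
                $twinHidden = [bool]($twin.Attributes -band [IO.FileAttributes]::Hidden)
                Write-Host ("      shadows real item: {0} (hidden={1})" -f $twin.Name, $twinHidden)
            }
        }
    }
}
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
```

Run this from a known-clean machine with the suspect drive attached; on an infected host the hooked NtQueryDirectoryFile and NtOpenFile listed below can hide the dropped files from the directory listing.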

Information stealing

Win32/Neurevt.B is a trojan that steals passwords and other sensitive information.


The trojan collects information related to the following applications:

  • FileZilla
  • SmartFTP
  • CoreFTP
  • FlashFXP
  • WinSCP
  • FTP Commander
  • PuTTY

The trojan collects the following information:

  • FTP account information
  • installed antivirus software
  • the list of installed software
  • computer name
  • user name
  • operating system version
  • information about the operating system and system settings
  • CPU information
  • memory status
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of two URLs and communicates with them over HTTP.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via removable drives
  • open a specific URL address
  • execute shell commands
  • uninstall itself
  • perform DoS/DDoS attacks
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic
  • change the home page of web browser
  • start/stop services
  • send gathered information

The following services are disabled:

  • BITS
  • MpsSvc
  • SharedAccess
  • wscsvc
  • wuauserv

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • microsoft.com
  • update.microsoft.com
  • windowsupdate.microsoft.com

The trojan may display the following messages:

  • Critical Disk Error
  • Windows has encountered a corrupted folder on your hard drive
  • Multiple corrupted files have been found in the folder My Documents.
  • To prevent serious loss of data, please allow Windows to restore these files.

The trojan is able to bypass User Account Control (UAC).


The trojan hooks the following Windows APIs:

  • KiFastSystemCall (ntdll.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • GetAddrInfoExW (ws2_32.dll)
  • DnsQuery_W (Dnsapi.dll)
  • PR_Write (nspr4.dll or nss3.dll)
  • SHGetFolderPathW (Shell32.dll)
  • NtResumeThread (ntdll.dll)
  • DllEntryPoint (msvcrt.dll)
  • HttpSendRequestW (wininet.dll)
  • an unnamed function in chrome.dll
  • NtTerminateProcess (ntdll.dll)
  • NtTerminateThread (ntdll.dll)
  • NtUnmapViewOfSection (ntdll.dll)
  • NtAllocateVirtualMemory (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
  • NtCreateFile (ntdll.dll)
  • NtCreateKey (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtDeleteFile (ntdll.dll)
  • NtDeleteValueKey (ntdll.dll)
  • NtDeviceIoControlFile (ntdll.dll)
  • NtEnumerateKey (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtGetContextThread (ntdll.dll)
  • NtMapViewOfSection (ntdll.dll)
  • NtOpenDirectoryObject (ntdll.dll)
  • NtOpenFile (ntdll.dll)
  • NtOpenKey (ntdll.dll)
  • NtOpenProcess (ntdll.dll)
  • NtOpenThread (ntdll.dll)
  • NtProtectVirtualMemory (ntdll.dll)
  • NtPulseEvent (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • NtQueryValueKey (ntdll.dll)
  • NtQueueApcThread (ntdll.dll)
  • NtSetContextThread (ntdll.dll)
  • NtSetEvent (ntdll.dll)
  • NtSetInformationFile (ntdll.dll)
  • NtSetInformationProcess (ntdll.dll)
  • NtSetValueKey (ntdll.dll)
  • NtSuspendProcess (ntdll.dll)
  • NtSuspendThread (ntdll.dll)

The trojan hides its presence in the system.


The trojan interferes with the operation of some security applications to avoid detection.


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{%guid%}\12940313]

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%programname%]
    • "Debugger" = "%variable1%_.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DragonUpdater]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup]
    • "DisableMonitoring" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\%javaversion%]
    • "UseJava2IExplorer" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\10.0\Privileged]
    • "bProtectedMode" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\Privileged]
    • "bProtectedMode" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%variable2%" = "%variable2%:*:Enabled"

A string with variable content is used in place of %variable1-2%.
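The following PowerShell script is an added example (not from ESET or the malware) covering both the list of disabled services under "Other information" and the "may set" registry entries just above. It reports each service's Start value and current status, flags the registry values that match what the description says the trojan writes, and lists the firewall exception entries for review. The expected values are taken from the description; the "outside Windows or Program Files" heuristic for firewall exceptions is this example's own assumption, since the `%variable2%` path is not known.

```powershell
# Added example (not from ESET or the malware). Run elevated.

# --- Services the trojan disables (Start = 4) plus the DragonUpdater entry above ---
$svcNames = 'BITS', 'MpsSvc', 'SharedAccess', 'wscsvc', 'wuauserv', 'DragonUpdater'
foreach ($n in $svcNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
    if (-not (Test-Path -LiteralPath $key)) { Write-Host ("{0,-14} not installed" -f $n); continue }
    $start  = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $status = (Get-Service -Name $n -ErrorAction SilentlyContinue).Status
    $note   = if ($start -eq 4) { '<-- disabled, matches description' } else { '' }
    Write-Host ("{0,-14} Start={1} Status={2} {3}" -f $n, $start, $status, $note)
}

# --- Registry values from the "may set" list: (path, value name, value the trojan writes) ---
$checks = @(
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'TaskbarNoNotification', 1),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'HideSCAHealth', 1),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup', 'DisableMonitoring', 1),
    @('HKCU:\SOFTWARE\Adobe\Acrobat Reader\10.0\Privileged', 'bProtectedMode', 1),
    @('HKCU:\SOFTWARE\Adobe\Acrobat Reader\11.0\Privileged', 'bProtectedMode', 1)
)
# The Java plug-in key is versioned (%javaversion%), so add one check per installed version.
foreach ($jk in (Get-ChildItem -Path 'HKLM:\SOFTWARE\JavaSoft\Java Plug-in' -ErrorAction SilentlyContinue)) {
    $checks += ,@($jk.PSPath, 'UseJava2IExplorer', 0)
}
foreach ($c in $checks) {
    $path, $name, $expected = $c
    $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $cur -and $cur -eq $expected) { Write-Host ("MATCH   {0}\{1} = {2}" -f $path, $name, $cur) }
}

# --- Firewall exception list (pre-Vista firewall profile): "<exe>" = "<exe>:*:Enabled" ---
# %variable2% is unknown, so every entry is printed; ones outside the Windows and
# Program Files trees are tagged for manual review (heuristic, not from the description).
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    $vals = Get-ItemProperty -Path $fwList
    foreach ($p in $vals.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $inSystemDir = ($p.Name -like "$env:windir\*") -or ($p.Name -like "$env:ProgramFiles\*")
        $tag = if ($inSystemDir) { '' } else { '<-- outside Windows/Program Files, review' }
        Write-Host ("FW-EXC  {0} = {1} {2}" -f $p.Name, $p.Value, $tag)
    }
}
```

Re-enabling the services (for example `Set-Service -Name wuauserv -StartupType Automatic`) is only meaningful after the dropped executable, the Run key and the IFEO Debugger entries have been removed; otherwise the injected code re-disables them.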
