
Trojan:Win32/Neurevt


First posted on 09 May 2019.
Source: Microsoft

Aliases:

Trojan:Win32/Neurevt is also known as Trojan.Win32.Jorik.Llac.pqz, Win32/Neurevt.A trojan, Trojan.Win32.Neurevt, Trojan.Neurevt!5156.

Explanation:

Installation

This threat installs itself under a random file name in a folder with a partly random name: %ProgramFiles%\common files\<random>.{2227a280-3aea-1069-a2de-08002b30309d}. The GUID suffix is the CLSID of the Printers shell folder, so Windows Explorer opens the folder as the Printers view instead of listing the dropped executable; enumerate it from a command prompt (dir /a) or from PowerShell (Get-ChildItem -Force) rather than by browsing to it.

For example:

%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe

It also creates the following registry entries, so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "%ProgramFiles%\common files\<random>.{2227a280-3aea-1069-a2de-08002b30309d}\<random>.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"

It also creates the following registry entry, as part of its installation process:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random>"

For example:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^รข..ny."

Payload

Changes your computer settings

This trojan hides files and folders that have the "system" attribute (Explorer's "Hide protected operating system files" option) by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Prevents some security processes from running

This trojan prevents some security processes from running by adding the following registry entries. When an Image File Execution Options subkey for a program carries a "Debugger" value, Windows starts the named debugger in place of the program; because the debugger named here is a randomly named file that does not exist, the security tool (System Restore, HijackThis, Spybot Search & Destroy, Trend Micro HouseCall) never launches:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random>_.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"

Disables Protected Mode in Internet Explorer

This trojan disables Protected Mode in Internet Explorer across all zones by changing the following registry entries. Value 2500 controls Protected Mode for a zone (0 = enabled, 3 = disabled); zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites. Note that zones 1 and 2 have Protected Mode off by default, so the change to zones 3 and 4 is the one that matters when triaging a host:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"

Steals computer and account details

This trojan steals stored user names, passwords, server names and port settings from the following FTP, SFTP and SSH clients, if they are installed on your PC:

CoreFTP
FileZilla
FlashFXP
FTP Commander
PuTTY
SmartFTP
WinSCP

It might also steal your account details and contacts list for Skype.

It might also steal information about your computer, such as:

Operating system
Currently logged on user
Software installed on your computer, especially security software

Allows backdoor access and control

This trojan might connect to remote servers to give a malicious hacker access to your PC. It tries connecting to the following servers (treat these as historical indicators from the time of this analysis; the domain and IP address may have been reassigned since):

strike-file-hosting.us
188.190.99.224

Once connected, a malicious hacker could do the following to your PC:

Download and run arbitrary files
Upload files
Send its stolen data
Spread through removable drives
Start or stop programs
Delete files
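The following PowerShell script is an added host-triage example written for this page; it is not Microsoft's code and is not part of the original write-up. It checks a Windows host, read-only, for the indicators listed in the Installation, Payload and backdoor sections above: the Run entries and the CLSID-suffixed install folder, the Win7zip\Uuid marker, ShowSuperHidden, the IFEO Debugger hijacks, the Protected Mode values, and any cached DNS entry or live TCP connection for the listed server. The function name Find-NeurevtIndicators and the decision to also check the HKCU Run key and the x86 Program Files tree are assumptions of the example, not facts from the page. Run it from an elevated PowerShell so HKLM and both Program Files trees are readable; the HKCU checks cover only the user running it.

```powershell
# Added triage script for the Trojan:Win32/Neurevt indicators on this page (not Microsoft's code).
# Read-only: it reports findings, it does not clean anything.
function Find-NeurevtIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $clsid    = '{2227a280-3aea-1069-a2de-08002b30309d}'   # Printers shell-folder CLSID used in the install path
    $meta     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Run entries pointing into %ProgramFiles%\common files\<name>.{CLSID}\<name>.exe
    #    (the write-up lists HKLM; HKCU is checked too, as an assumption of this example)
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $runKey)) { continue }
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $target = [string]$p.Value
            if ($target -like "*common files*$clsid*.exe*") {
                $findings.Add("$hive Run value '$($p.Name)' -> $target")
            }
        }
    }

    # 2. The install folder itself. Its ".{CLSID}" suffix makes Explorer render it as the
    #    Printers view, so enumerate it with Get-ChildItem instead of browsing to it.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $cf = Join-Path $root 'common files'
        if (-not (Test-Path $cf)) { continue }
        Get-ChildItem -Path $cf -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*.$clsid" } |
            ForEach-Object {
                $findings.Add("Install folder: $($_.FullName)")
                Get-ChildItem -Path $_.FullName -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
                    ForEach-Object { $findings.Add("  dropped binary: $($_.FullName)") }
            }
    }

    # 3. Installation marker HKCU\Software\Win7zip\Uuid
    if (Get-ItemProperty -Path 'HKCU:\Software\Win7zip' -Name Uuid -ErrorAction SilentlyContinue) {
        $findings.Add('HKCU\Software\Win7zip\Uuid present')
    }

    # 4. Explorer hiding system-attribute files. Caveat: 0 is also the Windows default,
    #    so on its own this is weak; it only matters alongside the other findings.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name ShowSuperHidden -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings.Add('ShowSuperHidden = 0 (weak indicator: default value)') }

    # 5. IFEO "Debugger" hijacks. Windows launches the Debugger value in place of the program,
    #    so a Debugger that does not exist silently kills the tool. Flag the four targets from the
    #    write-up and, more generally, any Debugger whose executable cannot be resolved.
    $targets = 'rstrui.exe', 'hijackthis.exe', 'spybotsd.exe', 'housecalllauncher.exe'
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $dbgExe   = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $resolves = (Test-Path -LiteralPath $dbgExe) -or [bool](Get-Command $dbgExe -ErrorAction SilentlyContinue)
        if ($sub.PSChildName -in $targets -or -not $resolves) {
            $findings.Add("IFEO Debugger on $($sub.PSChildName) -> $dbg (debugger resolves: $resolves)")
        }
    }

    # 6. IE Protected Mode (value 2500: 0 = on, 3 = off). Zones 3 and 4 are on by default, so 3 there
    #    is the real signal; zones 1 and 2 are off by default and are reported only for completeness.
    $zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($z in 1..4) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        $pm  = (Get-ItemProperty -Path $key -Name 2500 -ErrorAction SilentlyContinue).'2500'
        if ($pm -eq 3) {
            $weight = if ($z -ge 3) { 'strong' } else { 'weak: default for this zone' }
            $findings.Add("IE Protected Mode off in zone $z ($($zoneNames[$z])): $weight")
        }
    }

    # 7. Contact with the server named in the write-up. Caveat: the 2019 domain and IP may have been reassigned.
    $c2Host = 'strike-file-hosting.us'; $c2Ip = '188.190.99.224'
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        Get-DnsClientCache -ErrorAction SilentlyContinue |
            Where-Object { $_.Entry -like "*$c2Host*" -or $_.Data -eq $c2Ip } |
            ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
    }
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("TCP connection to $c2Ip from PID $($_.OwningProcess)") }
    }

    return ,$findings
}

$result = Find-NeurevtIndicators
if ($result.Count -eq 0) { 'No Trojan:Win32/Neurevt indicators found.' } else { $result }
```

When cleaning a confirmed host, remove the whole Image File Execution Options subkeys for the four programs (not just the Run value), otherwise System Restore and the listed tools stay unusable, and reset value 2500 to 0 for zones 3 and 4 before relying on Internet Explorer's Protected Mode again.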

Analysis by Elda Dimakiling

Last update 09 May 2019

