
Worm:Win32/Neubreku.D


First posted on 27 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Neubreku.D is also known as W32/Backdoor2.CTXD (Authentium (Command)), IRC/BackDoor.SdBot4.EJC (AVG), Worm/IrcBot.50689 (Avira), Backdoor.SDBot.DFVX (BitDefender), Trojan.Packed.650 (Dr.Web), BackDoor.Cybergate.1 (Dr.Web), Packed.Win32.Black.a (Kaspersky), Worm:Win32/Pushbot.gen!C (other), Worm:Win32/Pushbot.gen (other), SDBot.gen8 (Norman), W32/Sdbot.JEE.worm (Panda), Trojan.Win32.Undef.usf (Rising AV), TROJ_SHEUR.FZ (Trend Micro), Worm.SdBot.ADYT (VirusBuster).

Explanation :

Worm:Win32/Neubreku.D is a worm that allows limited remote access and control of an infected computer. The worm spreads by copying itself to removable drives. When the infected drive is accessed from another computer supporting the Autorun feature, the malware may be launched automatically.

Installation

When run, Worm:Win32/Neubreku.D first checks that the following utility application windows are not running:

  • File Monitor
  • Process Monitor
  • Registry Monitor
  • Ollydbg

If the above utilities are not running, the worm copies itself as the following:

  %windir%\clsidsrv.exe

The registry is modified to run the dropped worm copy at each Windows start.

  Sets value: "Clsid Service"
  With data: "clsidsrv.exe"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm creates a handle and top-level hidden window with the name "Windows Microsoft Viewer".

Spreads via… Removable drives

The worm spreads by copying itself to removable drives. The virus then writes an autorun configuration file named "<drive:>\autorun.inf" pointing to the copy of the worm. When the infected drive is accessed from another computer supporting the Autorun feature, the malware may be launched automatically.

Payload

Allows limited remote access and control

Worm:Win32/Neubreku.D attempts to connect to a remote Internet Relay Chat (IRC) server with IP address "203.200.81.109". Once connected, the worm awaits commands from a remote attacker that could instruct it to take other actions such as sending distributed denial of service (DDoS) attacks via other chat applications such as AOL Instant Messenger (AIM), MSN and Triton.
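As an added defensive example that is not part of this write-up, the following Python evaluates constructed samples of the host artifacts named above (the Run-key value, the autorun.inf written to removable drives, the hidden window name and the IRC connection) and reports which indicators are present; the sample values and the port 6667 are constructed, and live collection (winreg, EnumWindows, netstat) is left to the caller so the logic runs anywhere.

```python
"""Offline indicator check for the Worm:Win32/Neubreku.D artifacts (added example,
not code from the source page). Collection of the real Run key, autorun.inf,
window list and socket table is left to the caller; this only evaluates them."""
import re

RUN_VALUE_NAME = "Clsid Service"        # value name under HKLM\...\CurrentVersion\Run
DROPPED_FILE = "clsidsrv.exe"           # copy written to %windir%
HIDDEN_WINDOW = "Windows Microsoft Viewer"
C2_IP = "203.200.81.109"                # IRC server the worm connects to

# autorun.inf keys that launch an executable when the drive is inserted or opened
_AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def check_run_key(run_values):
    """run_values: {value_name: data} read from the Run key."""
    return [f"Run key: {n!r} -> {d!r}" for n, d in run_values.items()
            if n.lower() == RUN_VALUE_NAME.lower() or DROPPED_FILE in d.lower()]

def check_autorun_inf(text):
    """Report autorun.inf launch entries that point at the worm copy."""
    hits = []
    for line in text.splitlines():
        m = _AUTORUN_KEY.match(line)
        if m and DROPPED_FILE in m.group(2).lower():
            hits.append(f"autorun.inf: {m.group(1)}={m.group(2)}")
    return hits

def check_windows(titles):
    """titles: top-level window names, hidden windows included."""
    return [f"hidden window: {t!r}" for t in titles if t == HIDDEN_WINDOW]

def check_connections(netstat_lines):
    """netstat_lines: 'proto local remote state' rows as printed by netstat -an."""
    return [f"IRC C2 connection: {l.strip()}" for l in netstat_lines
            if re.search(rf"\b{re.escape(C2_IP)}:\d+\b", l)]

def scan(run_values, autorun_text, titles, netstat_lines):
    """Return every indicator hit; an empty list means none of the artifacts were seen."""
    return (check_run_key(run_values) + check_autorun_inf(autorun_text)
            + check_windows(titles) + check_connections(netstat_lines))

# Constructed sample artifacts mirroring the write-up (not captured from a real host).
SAMPLE_RUN = {"ctfmon": "ctfmon.exe", "Clsid Service": "clsidsrv.exe"}
SAMPLE_AUTORUN = "[autorun]\r\nopen=clsidsrv.exe\r\nshellexecute=clsidsrv.exe\r\nicon=shell32.dll,4\r\n"
SAMPLE_TITLES = ["Program Manager", "Windows Microsoft Viewer"]
SAMPLE_NETSTAT = ["  TCP    192.0.2.10:49211   203.200.81.109:6667   ESTABLISHED",
                  "  TCP    192.0.2.10:49212   198.51.100.7:443      ESTABLISHED"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN, SAMPLE_AUTORUN, SAMPLE_TITLES, SAMPLE_NETSTAT):
        print(hit)
```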

Analysis by Jaime Wong

Last update 27 July 2010