
Trojan:Win32/Neurevt.A


First posted on 09 April 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Neurevt.A is also known as Trojan.Win32.Jorik.Llac.pqz (Kaspersky), Win32/Neurevt.A trojan (ESET), Trojan.Win32.Neurevt (Ikarus), Trojan.Neurevt!5156 (Rising AV).

Explanation:

Installation

Trojan:Win32/Neurevt.A has a random file name. It is dropped in a folder with a partly random name of the form %ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}.

For example:

  • %ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
  • %ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe


It also creates the following registry entries, so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random phrase>"
With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"

It also creates the following registry entry, as part of its installation process:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random bytecode>"

For example:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^â..ny."



Payload

Changes your computer settings

This trojan hides files and folders that have the "system" attribute by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Prevents some security processes from running

This trojan prevents some security processes from running by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"

Disables Protected Mode in Internet Explorer

This trojan disables Protected Mode in Internet Explorer across all zones by changing the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"
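A defender's triage script covering the installation indicators above (the Run value, the CLSID-suffixed folder, the Win7zip marker) and the payload indicators (IFEO Debugger values for the four named tools, ShowSuperHidden, IE zone value 2500). This is an added example, not code from the Microsoft write-up; it assumes an elevated PowerShell session on the host being checked and inspects only the current user's HKCU hive.

```powershell
# Added triage script for the indicators listed in this entry; it is not part of the
# Microsoft write-up. Assumes an elevated PowerShell session on the host being checked;
# only the current user's HKCU hive is inspected.
$clsidSuffix = '{2227a280-3aea-1069-a2de-08002b30309d}'
$findings = @()

# Installation: Run value whose data points into %ProgramFiles%\common files\<name>.<CLSID>
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like "*\common files\*$clsidSuffix\*") {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# Installation: the dropped folder. Explorer shows a name ending in this CLSID as the
# Printers shell folder rather than its real contents, so enumerate it from PowerShell.
$dirs = Get-ChildItem -Path "$env:ProgramFiles\Common Files" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*.$clsidSuffix" }
foreach ($d in $dirs) { $findings += "CLSID-suffixed folder: $($d.FullName)" }

# Installation: HKCU\Software\Win7zip\Uuid marker
if (Test-Path 'HKCU:\Software\Win7zip') { $findings += 'HKCU\Software\Win7zip key present' }

# Payload: IFEO "Debugger" hijack. Windows starts the named debugger in place of the
# tool, so any Debugger value on these four tools is suspicious.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'rstrui.exe', 'hijackthis.exe', 'spybotsd.exe', 'housecalllauncher.exe') {
    $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for $exe -> $dbg" }
}

# Payload: ShowSuperHidden = 0. This is also the Windows default, so treat it as corroborating only.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0 (corroborating)' }

# Payload: IE Protected Mode (value 2500) set to 3 = disabled in zones 1-4. Protected Mode is
# on by default only for zones 3 and 4, so those two are the meaningful hits.
foreach ($zone in 1..4) {
    $z = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" -Name '2500' -ErrorAction SilentlyContinue
    if ($z -and $z.'2500' -eq 3) { $findings += "IE Protected Mode disabled in zone $zone" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the listed Neurevt.A file/registry indicators found.' }
```

To check other user profiles, load their NTUSER.DAT hives (reg load) and repeat the HKCU checks against the mounted hive.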

Steals computer and account details

This trojan steals any stored user names and passwords, servers, and port connections from the following FTP programs, if they are installed on your computer:

  • CoreFTP
  • FileZilla
  • FlashFXP
  • FTP Commander
  • Putty
  • SmartFTP
  • WinSCP


It might also steal your account details and contacts list for Skype.

It might also steal information about your computer, such as:

  • Operating system
  • Currently logged on user
  • Software installed on your computer, especially security software


Allows backdoor access and control

This trojan might connect to remote servers to let an attacker access your computer. It tries connecting to the following servers:

  • strike-file-hosting.us
  • 188.190.99.224


Once connected, a remote attacker can do the following to your computer:

  • Download and run arbitrary files
  • Upload files
  • Send its stolen data
  • Spread through removable drives
  • Start or stop programs
  • Delete files




Analysis by Elda Dimakiling

Last update 09 April 2013
