Virus:TR/Neeris.67584
Date discovered:31/03/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:67.584 Bytes
MD5 checksum:f7db2ac64bf9874bc03d847426c0c811
IVDF version:7.10.06.06 - Wednesday, March 31, 2010

 General Method of propagation:
   • Local network


Aliases:
   •  Sophos: W32/Autorun-AEX
   •  Bitdefender: Trojan.Agent.AMMK
   •  Panda: W32/Ircbot.CKA
   •  Eset: Win32/Injector.MM


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\smsc.exe



It deletes the initially executed copy of itself.



The following file is created:

%SYSDIR%\drivers\sysdrv32.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Hacktool.Tcpz.A




It tries to executes the following file:

– Filename:
   • "%SYSDIR%\smsc.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WSSVC"="%SYSDIR%\smsc.exe"



The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
   SVCWINSPOOL]
   • "@"="Service"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
   SVCWINSPOOL]
   • "@"="Service"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-011 (LSASS Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: b.vsp**********.com
Port: 988
Channel: #lox
Nickname: [00-USA-XP-%number%]

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, August 5, 2010
Description updated by Petre Galan on Thursday, August 5, 2010

Back . . . .