Virus: Worm/Neeris.BF
Date discovered: 21/12/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 100.865 Bytes
MD5 checksum: 968470dd871f3047cf48b23f0c83985f
VDF version: 7.10.07.66
IVDF version: 7.11.00.138 - Tuesday, December 21, 2010

General Methods of propagation:
   • Autorun feature
   • Messenger


Aliases:
   • Symantec: W32.IRCBot
   • Kaspersky: Trojan.Win32.Jorik.IRCbot.jn
   • F-Secure: Trojan.Win32.Jorik.IRCbot.jn
   • Sophos: W32/Neeris-C
   • Microsoft: Worm:Win32/Neeris.BF
   • Eset: Win32/AutoRun.IRCBot.FL
   • DrWeb: Win32.HLLW.Autoruner.32824


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Downloads a malicious file
   • Drops files
   • Drops malicious files
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %TEMPDIR%\avntsc.exe



The following files are created:

%drive%\Autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\av_7636752.tmp

%TEMPDIR%\dfdfd.exe
Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.ZPACK.Gen

%TEMPDIR%\asdfd.exe
Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.ZPACK.Gen




It tries to download a file:

The location is the following:
   • http://www.sit**********.com/gamil/T2.jpeg

It is saved on the local hard drive under:
   • %temporary internet files%\Content.IE5\%eight-digit random character string%\T2[1].jpg

Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Crypt.ZPACK.Gen

Registry:
The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft iexplorer11"="%TEMPDIR%\avntsc.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft iexplorer11"="%TEMPDIR%\avntsc.exe"

Network Infection:
It makes use of the following exploit:
   • MS06-040 (Vulnerability in Server Service)

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: 173.246.1**********
Port: 4949
Server password: isPigaGAY
Channel: V
Nickname: {NOVY}[[%operating system%][%operating system%]%random numbers%
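The registry persistence entries and the IRC nickname template above can be turned into simple host and network checks. The following is an added example, not part of the Avira description; the .reg export fragment and the IRC client lines it scans are constructed sample data, and the nickname regex is this example's reading of the template.

```python
import re

# Indicators quoted from the description above: the Run value name, the
# dropped executable, and the IRC nickname template. Sample inputs further
# down are constructed for this example, not captured from an infection.
RUN_VALUE_NAME = "Microsoft iexplorer11"
DROPPED_FILE = "avntsc.exe"
# {NOVY}[[%operating system%][%operating system%]%random numbers%
NICK_RE = re.compile(r"^\{NOVY\}\[\[[^\]]*\]\[[^\]]*\]\d+$")

def run_key_hits(reg_export: str) -> list:
    """Return (key, value_name, data) for Run-key entries in a .reg-style
    export that use the worm's value name or point at its dropped file."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"$', line)
        if m and key and key.lower().endswith(r"\currentversion\run"):
            name, data = m.groups()
            if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
                hits.append((key, name, data))
    return hits

def irc_bot_nicks(irc_lines) -> list:
    """Return nicknames from outbound 'NICK <name>' lines that follow the
    Neeris template, e.g. from a proxy or IDS capture of port 4949 traffic."""
    nicks = []
    for line in irc_lines:
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] == "NICK" and NICK_RE.match(parts[1]):
            nicks.append(parts[1])
    return nicks

# Constructed sample data (a .reg export fragment and client-side IRC lines)
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\WINDOWS\system32\ctfmon.exe"
"Microsoft iexplorer11"="C:\DOCUME~1\user\LOCALS~1\Temp\avntsc.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft iexplorer11"="C:\DOCUME~1\user\LOCALS~1\Temp\avntsc.exe"
"""
SAMPLE_IRC = ["NICK {NOVY}[[Windows XP][Windows XP]84213", "USER a 0 * :a", "NICK alice"]

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG), irc_bot_nicks(SAMPLE_IRC))
```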



This malware has the ability to collect and send information such as:
   • Information about the network
   • Username


Furthermore it has the ability to perform actions such as:
   • Connect to IRC server
   • Disconnect from IRC server
   • Download file
   • Execute file
   • Join IRC channel
   • Leave IRC channel
   • Start spreading routine
   • Terminate malware
   • Terminate process
   • Update itself

Process termination:
Processes with one of the following strings in their name are terminated:
   • Wireshark
   • tcpview
   • MSASCui
   • msmpeng


Miscellaneous:
Accesses internet resources:
   • avx2.botsgod.info
   • av.psybnc.cz
   • av.shannen.cc


Mutex:
It creates the following Mutex:
   • Jre5hjk21pCTnxtavx1

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
   • UPX


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Wednesday, March 16, 2011
Description updated by Ana Maria Niculescu on Friday, March 18, 2011
