Virus: Worm/Neeris.A.17
Date discovered: 09/03/2011
Type: Worm
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium to high
Damage potential: Low
Static file: Yes
File size: 151.690 Bytes
MD5 checksum: 31c83edfcdc8d6fca7e12d6fb479b08f
VDF version: 7.10.09.135
IVDF version: 7.11.04.139 - Wednesday, March 9, 2011

General methods of propagation:
   • Messenger
   • Peer to Peer


Aliases:
   • Symantec: W32.IRCBot
   • Kaspersky: P2P-Worm.Win32.Palevo.czrw
   • Microsoft: Worm:Win32/Neeris
   • Eset: Win32/Neeris.A
   • DrWeb: Trojan.PWS.SpySweep.32


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Third party control
   • Registry modification

Files:
It copies itself to the following location:
   • %WINDIR%\winservl.exe

Registry:
The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Service Noits"="winservl.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Service Noits"="winservl.exe"

The following registry key is changed:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%WINDIR%\winservl.exe"="%WINDIR%\winservl.exe:*:Enabled:Service Noits"
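The file, Run-key and firewall-exception indicators listed above can be checked on a suspect host in one pass. The following read-only PowerShell triage script is an added example, not part of the Avira description: the paths, value names and MD5 are taken from the description, while the hash comparison and the output layout are this script's own choices.

```powershell
# Added triage script (not from the Avira description). Read-only: it reports
# the artefacts listed in the description and changes nothing on the host.

$knownMd5  = '31c83edfcdc8d6fca7e12d6fb479b08f'   # MD5 checksum given in the description
$valueName = 'Service Noits'                        # Run value name from the description
$dropped   = Join-Path $env:WINDIR 'winservl.exe'   # %WINDIR%\winservl.exe

# Persistence keys named in the description (HKLM hive, PowerShell drive syntax).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Firewall exception list the description says is modified.
$fwList = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$findings = @()

# 1. Dropped executable: presence, plus a hash comparison against the listed MD5.
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $md5 = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash.ToLower()
    if ($md5 -eq $knownMd5) {
        $detail = "MD5 matches the description ($md5)"
    } else {
        $detail = "MD5 differs ($md5): possible variant or unrelated file, inspect manually"
    }
    $findings += [pscustomobject]@{ Kind = 'File'; Location = $dropped; Detail = $detail }
}

# 2. Run values: the "Service Noits" value under either key is a hit.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{ Kind = 'Run value'; Location = $key; Detail = $item.$valueName }
    }
}

# 3. Firewall exception: any entry naming winservl.exe or carrying the "Service Noits" label.
#    Get-ItemProperty also returns PSPath/PSChildName note properties; the filters ignore them.
$fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
if ($null -ne $fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like '*\winservl.exe' -or "$($prop.Value)" -like "*$valueName*") {
            $findings += [pscustomobject]@{ Kind = 'Firewall exception'; Location = $fwList; Detail = "$($prop.Name) = $($prop.Value)" }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Worm/Neeris.A.17 persistence indicators found.'
}
```

Run it from an elevated PowerShell session so the HKLM keys are readable. The description names ControlSet001 explicitly; on a host whose active control set is a different number, the same list also lives under HKLM\SYSTEM\CurrentControlSet, so a thorough check repeats step 3 with that path. A differing MD5 on a present winservl.exe is still worth attention, since the description covers one static sample.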

P2P:
In order to infect other systems in the Peer to Peer network community the following action is performed: It searches for the following directories:
   • winmx\shared\
   • tesla\files\
   • limewire\shared\
   • morpheus\my shared folder\
   • emule\incoming\
   • edonkey2000\incoming\
   • bearshare\shared\
   • grokster\my grokster\
   • icq\shared folder\
   • kazaa lite k++\my shared folder\
   • kazaa lite\my shared folder\
   • kazaa\my shared folder\

   If successful, the following files are created:
   • porno.scr
   • headjobs.scr
   • ilovetofuck.scr
   • FREEPORN.exe
   • fuckshitcunt.scr
   • Autoloader.exe
   • Wireshark.exe
   • DDOSPING.exe
   • ScreenMelter.exe
   • How-to-make-money.exe
   • Ebooks.exe
   • WildHorneyTeens.scr
   • RapidsharePREMIUM.exe
   • LimeWireCrack.exe
   • Porno.MPEG.exe
   • image.scr
   • VistaUltimate-Crack.exe
   • paris-hilton.scr
   • MSNHacks.exe
   • YahooCracker.exe
   • HotmailHacker.exe
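Because the worm seeds its copies into whichever of the share folders above exist, a quick sweep of those folders for the listed filenames tells a responder whether a host has been spreading it. The script below is an added example, not code from the Avira description: the share directories and filenames come from the description, but the description gives the directories only as relative paths, so the root folders searched here (the Program Files trees and the user profile) are this script's assumption.

```powershell
# Added share-folder sweep (not from the Avira description). Read-only: it
# lists matching files with size and MD5 so they can be compared against the
# description's checksum; nothing is deleted or quarantined.

# Share directories from the description (relative paths, as given).
$shareDirs = @(
    'winmx\shared', 'tesla\files', 'limewire\shared', 'morpheus\my shared folder',
    'emule\incoming', 'edonkey2000\incoming', 'bearshare\shared', 'grokster\my grokster',
    'icq\shared folder', 'kazaa lite k++\my shared folder', 'kazaa lite\my shared folder',
    'kazaa\my shared folder'
)

# Dropped filenames from the description, lower-cased for case-insensitive matching.
$droppedNames = @(
    'porno.scr', 'headjobs.scr', 'ilovetofuck.scr', 'freeporn.exe', 'fuckshitcunt.scr',
    'autoloader.exe', 'wireshark.exe', 'ddosping.exe', 'screenmelter.exe',
    'how-to-make-money.exe', 'ebooks.exe', 'wildhorneyteens.scr', 'rapidsharepremium.exe',
    'limewirecrack.exe', 'porno.mpeg.exe', 'image.scr', 'vistaultimate-crack.exe',
    'paris-hilton.scr', 'msnhacks.exe', 'yahoocracker.exe', 'hotmailhacker.exe'
)

# Root folders under which the P2P clients are assumed to keep their share
# directories (assumption of this script, not stated in the description).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE) | Where-Object { $_ }

$hits = foreach ($root in $roots) {
    foreach ($rel in $shareDirs) {
        $dir = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $droppedNames -contains $_.Name.ToLowerInvariant() } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    MD5           = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
                }
            }
    }
}

if ($hits) {
    $hits | Sort-Object Path | Format-Table -AutoSize -Wrap
} else {
    'No files matching the Worm/Neeris.A.17 drop list found in the known share folders.'
}
```

A filename match alone is a triage signal, not proof of infection, since users can legitimately hold files with some of these names; the MD5 column is there so each hit can be compared with the checksum in the description. Clients whose share folder was moved to a custom location are not covered by the assumed roots and need the path added to the list.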


Messenger:
It is spreading via Messenger. The characteristics are described below:

   • AIM Messenger
   • Windows Live Messenger


To:
All online contacts in the contact list.

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

IRC:
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: irc.ch**********.us
Port: 6567

Server: irc.si**********.us
Port: 6567


Furthermore it has the ability to perform actions such as:
   • Connect to IRC server
   • Download file
   • Perform DDoS attack
   • Update itself
   • Visit a website

File details:
Programming language:
The malware program was written in Visual Basic.


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Friday, August 12, 2011
Description updated by Ana Maria Niculescu on Friday, August 12, 2011
