Date discovered: 09/03/2011
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Low
Static file: Yes
File size: 151.690 Bytes
MD5 checksum: 31c83edfcdc8d6fca7e12d6fb479b08f
VDF version:
IVDF version:

General
Methods of propagation:
   • Messenger
   • Peer to Peer

Aliases:
   •  Symantec: W32.IRCBot
   •  Kaspersky: P2P-Worm.Win32.Palevo.czrw
   •  Microsoft: Worm:Win32/Neeris
   •  Eset: Win32/Neeris.A
   •  DrWeb: Trojan.PWS.SpySweep.32

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Third party control
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\winservl.exe

Registry
The following registry values are added so that the process runs after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Service Noits"="winservl.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "Service Noits"="winservl.exe"

The following registry key is changed:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   New value:
   • "%WINDIR%\winservl.exe"="%WINDIR%\winservl.exe:*:Enabled:Service Noits"

P2P
To infect other systems on peer-to-peer networks, it searches for the following directories:
   • winmx\shared\
   • tesla\files\
   • limewire\shared\
   • morpheus\my shared folder\
   • emule\incoming\
   • edonkey2000\incoming\
   • bearshare\shared\
   • grokster\my grokster\
   • icq\shared folder\
   • kazaa lite k++\my shared folder\
   • kazaa lite\my shared folder\
   • kazaa\my shared folder\

   If successful, the following files are created:
   • porno.scr; headjobs.scr; ilovetofuck.scr;
      FREEPORN.exe; fuckshitcunt.scr; Autoloader.exe; Wireshark.exe;
      DDOSPING.exe; ScreenMelter.exe; How-to-make-money.exe; Ebooks.exe;
      WildHorneyTeens.scr; RapidsharePREMIUM.exe; LimeWireCrack.exe;
      Porno.MPEG.exe; image.scr; VistaUltimate-Crack.exe; paris-hilton.scr;
      MSNHacks.exe; YahooCracker.exe; HotmailHacker.exe

Messenger
It spreads via Messenger. The characteristics are described below:

– AIM Messenger
– Windows Live Messenger

All online contacts in the contact list.

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Port: 6567

Port: 6567

– Furthermore, it can perform actions such as:
    • Connect to IRC server
    • Download file
    • Perform DDoS attack
    • Update itself
    • Visit a website

File details
Programming language:
The malware program was written in Visual Basic.

Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Friday, August 12, 2011
Description updated by Ana Maria Niculescu on Friday, August 12, 2011