Threat behavior
TrojanSpy:Win32/Neetro.A is a generic detection for certain obfuscated malware. The loader, which is encrypted and written in Visual Basic, may have virtually any purpose. This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V.
Installation
When run, this trojan drops itself as "file.rst" into the Temporary files folder. It then launches the Windows shell "%windir%\explorer.exe" and injects code into the process of "explorer.exe".
Payload
Installs Win32/Zbot variant
This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V as the following:
-
<system folder>\sdra64.exe
The registry is modified to execute the dropped malware at each Windows start.
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Other actions
The following actions have been observed in various files detected as TrojanSpy:Win32/Neetro.A:
- Injects code into the following processes:
-
explorer.exe
-
winlogon.exe
-
svchost.exe
-
smss.exe
-
services.exe
-
lsass.exe
- Download and execute other potentially malicious files
- Connect to various Web sites
Additional Information
Analysis by Wei Li
Prevention
