
Trojan:Win32/Neurevt.A


Trojan:Win32/Neurevt.A is a trojan that changes some of your computer's settings and steals sensitive information from your computer. It might also allow a remote attacker to access your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Additional remediation instructions for this threat

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Threat behavior

Installation

Trojan:Win32/Neurevt.A has a random file name. It is found in a folder whose name is partly random: %ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}.

For example:

  • %ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
  • %ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe

It also creates the following registry entries, so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random phrase>"
With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"

It also creates the following registry entry, as part of its installation process:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random bytes>"

For example:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^â..ny."

Payload

Changes your computer settings

This trojan hides files and folders that have the "system" attribute by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Prevents some security processes from running

This trojan prevents some security processes from running by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"

Disables Protected Mode in Internet Explorer

This trojan disables Protected Mode in Internet Explorer for all zones by changing the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"

Steals computer and account details

This trojan steals any stored user names, passwords, server names, and port settings from the following FTP programs, if they are installed on your computer:

  • CoreFTP
  • FileZilla
  • FlashFXP
  • FTP Commander
  • PuTTY
  • SmartFTP
  • WinSCP

It might also steal your Skype account details and contact list.

It might also steal information about your computer, such as:

  • Operating system
  • Currently logged-on user
  • Software installed on your computer, especially security software

Allows backdoor access and control

This trojan might connect to remote servers to let an attacker access your computer. It tries to connect to the following servers:

  • strike-file-hosting.us
  • 188.190.99.224

Once connected, a remote attacker can do the following to your computer:

  • Download and run arbitrary files
  • Upload files
  • Send its stolen data
  • Spread through removable drives
  • Start or stop programs
  • Delete files

Analysis by Elda Dimakiling


Symptoms

Computer changes

The following computer changes may indicate the presence of this malware:

  • The presence of the following registry modification:
    In subkey: HKCU\Software\Win7zip
    Value: "Uuid"
  • Some security processes are not running as expected because of the following registry changes:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

  • "Protected mode" is disabled in Internet Explorer because of the following registry changes:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "2500"
    With data: "3"
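The registry indicators listed under Installation, Payload and Symptoms can be checked mechanically during triage. The following Python script is an added example, not Microsoft's code or tooling: it takes registry triples of (subkey, value name, data) as a hive parser or a parsed `reg export` would yield them, and assigns each match a confidence level of my own weighting, because two of the write-up's settings (ShowSuperHidden = 0, and Protected Mode off for the Local intranet and Trusted sites zones) are also the defaults on a clean machine and only corroborate the others. The sample dump at the bottom is constructed from the write-up's own example values plus one benign entry.

```python
import re

# CLSID Neurevt appends to its install folder. It is the CLSID of the Printers
# shell folder, so Explorer renders the directory as that namespace instead of
# listing the dropped executable.
NEUREVT_CLSID = "{2227a280-3aea-1069-a2de-08002b30309d}"
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"
# Security tools whose IFEO "Debugger" value the write-up lists as hijacked.
IFEO_TARGETS = {"rstrui.exe", "hijackthis.exe", "spybotsd.exe", "housecalllauncher.exe"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"


def classify(subkey, name, data):
    """Map one (subkey, value name, data) triple to (indicator, confidence) or None.
    'high' marks settings that never occur by default; 'low' marks settings that a
    clean machine can also carry and that only corroborate a high finding."""
    key, name, data = subkey.lower(), name.lower(), str(data).lower()
    if key == RUN_KEY and NEUREVT_CLSID in data:
        return ("run_entry", "high")
    if key == r"hkcu\software\win7zip" and name == "uuid":
        return ("win7zip_uuid", "high")
    if key.startswith(IFEO + "\\") and name == "debugger":
        # A Debugger hook on a system-restore or anti-malware tool is not legitimate;
        # Windows would launch the hook instead of the tool.
        if key[len(IFEO) + 1:] in IFEO_TARGETS:
            return ("ifeo_debugger", "high")
    zone = re.search(r"\\internet settings\\zones\\([1-4])$", key)
    if zone and name == "2500" and data == "3":
        # Protected Mode is already off for zones 1 and 2 by default.
        return ("ie_protected_mode_off", "high" if zone.group(1) in "34" else "low")
    if key.endswith(r"\explorer\advanced") and name == "showsuperhidden" and data == "0":
        return ("showsuperhidden_off", "low")  # also the default on a fresh install
    return None


def assess(entries):
    """Return (infected, {indicator: strongest confidence seen}) for a registry dump."""
    findings = {}
    for subkey, name, data in entries:
        hit = classify(subkey, name, data)
        if hit and findings.get(hit[0]) != "high":
            findings[hit[0]] = hit[1]
    return any(conf == "high" for conf in findings.values()), findings


SAMPLE = [  # constructed dump: the write-up's example values plus one benign entry
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Beta Bot",
     r"%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater", r"C:\Example\updater.exe"),
    (r"HKCU\Software\Win7zip", "Uuid", "u^\xe2..ny."),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe", "Debugger", "dwrdsye_.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1", "2500", "3"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "3"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"),
]
```

On a live host the same triples can be produced by walking the listed keys with the standard `winreg` module; the classification logic does not change.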


Prevention


Alert level: Severe
First detected by definition: 1.147.139.0
Latest detected by definition: 1.183.606.0 and higher
First detected on: Mar 21, 2013
This entry was first published on: Mar 21, 2013
This entry was updated on: Apr 08, 2013

This threat is also detected as:
  • Trojan.Win32.Jorik.Llac.pqz (Kaspersky)
  • Win32/Neurevt.A trojan (ESET)
  • Trojan.Win32.Neurevt (Ikarus)
  • Trojan.Neurevt!5156 (Rising AV)