Trojan:Win32/Neurevt.A


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker access to your PC. It can also change your PC settings and steal your personal information, such as your user names and passwords for some banking websites. 

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat: 

You should also run a full scan. A full scan might find other, hidden malware.

Additional remediation instructions for this threat

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat uses a random file name. It's found in a folder that has a partly random name - %ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}.

For example:

  • %ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
  • %ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe

It also creates the following registry entries, so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random phrase>"
With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"

It also creates the following registry entry, as part of its installation process:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random bytecode>"

For example:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^â..ny."
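The install folder described above is the artifact a responder can look for on disk. Its name ends in `.{2227a280-3aea-1069-a2de-08002b30309d}`, which is the shell CLSID of the Printers folder: Explorer shows the Printers view in place of such a folder's real contents, but a command-line listing or a script using `os.scandir()` sees the files. The following Python is an added example and is not code from this page or from Microsoft; it builds a constructed sample tree under a temporary directory (the file names come from the page's examples, the files themselves are empty placeholders) and scans a Common Files directory for folders carrying that CLSID suffix. The function and variable names are the example's own.

```python
import os
import re
import tempfile

# CLSID suffix that Trojan:Win32/Neurevt.A appends to its install folder name
# (value taken from the page). Matching is case-insensitive because NTFS is.
NEUREVT_CLSID = "{2227a280-3aea-1069-a2de-08002b30309d}"
FOLDER_PATTERN = re.compile(r"^(?P<phrase>.+)\." + re.escape(NEUREVT_CLSID) + r"$",
                            re.IGNORECASE)


def scan_common_files(common_files_dir):
    """Return a sorted list of (folder name, [exe names]) for every folder under
    common_files_dir whose name ends with the Neurevt CLSID suffix."""
    findings = []
    for entry in os.scandir(common_files_dir):
        if not entry.is_dir() or not FOLDER_PATTERN.match(entry.name):
            continue
        exes = sorted(f.name for f in os.scandir(entry.path)
                      if f.is_file() and f.name.lower().endswith(".exe"))
        findings.append((entry.name, exes))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (not real malware): the two folders from the
    page's examples plus a benign neighbour. All files are empty placeholders."""
    layout = {
        "beta bot." + NEUREVT_CLSID: ["kbqiypzyt.exe"],
        "chrome browser." + NEUREVT_CLSID: ["auaucdlve.exe", "readme.txt"],
        "microsoft shared": ["some.dll"],          # benign: no CLSID suffix
    }
    common = os.path.join(root, "Common Files")
    for folder, files in layout.items():
        os.makedirs(os.path.join(common, folder))
        for name in files:
            open(os.path.join(common, folder, name), "wb").close()
    return common


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        return scan_common_files(build_sample_tree(root))


if __name__ == "__main__":
    for folder, exes in demo():
        print(folder, "->", ", ".join(exes))
```

On a live Windows host the same scan would be pointed at `os.path.join(os.environ["ProgramFiles"], "Common Files")` (and the `ProgramFiles(x86)` variant on 64-bit systems); the temp-directory tree exists only so the example runs anywhere.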

Payload

Changes your computer settings

This trojan hides files and folders that have the "system" attribute by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Prevents some security processes from running

This trojan prevents some security processes from running by adding the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"

Disables Protected Mode in Internet Explorer

This trojan disables Protected Mode in Internet Explorer across all zones by changing the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"

Steals computer and account details

This trojan steals any stored user names and passwords, server names, and port settings from the following FTP programs, if they are installed on your PC:

  • CoreFTP
  • FileZilla
  • FlashFXP
  • FTP Commander
  • PuTTY
  • SmartFTP
  • WinSCP

It might also steal your account details and contacts list for Skype.

It might also steal information about your computer, such as:

  • Operating system
  • Currently logged on user
  • Software installed on your computer, especially security software

Allows backdoor access and control

This trojan might connect to remote servers to give a malicious hacker access to your PC. It tries connecting to the following servers:

  • strike-file-hosting.us
  • 188.190.99.224

Once connected, a malicious hacker could do the following to your PC:

  • Download and run arbitrary files
  • Upload files
  • Send its stolen data
  • Spread through removable drives
  • Start or stop programs
  • Delete files

Analysis by Elda Dimakiling


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random phrase>"
    With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "2500"
    With data: "3"
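The registry entries listed in the Payload and Symptoms sections are the same set, so one triage script covers both. The following Python is an added example and is not code from this page or from Microsoft: it parses a constructed registry export in the standard `.reg` text format (the sample below mirrors the page's entries plus one benign Run value; it is not a capture from a real host) and reports each of the page's indicators it finds: the Run value pointing into the CLSID-suffixed folder, a `Debugger` value under Image File Execution Options for any of the four named security tools, `2500` set to `3` in IE zones 1 to 4, `ShowSuperHidden` set to `0`, and the `Win7zip\Uuid` marker. Function names and the finding labels are the example's own.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

# Indicators from the page (keys compared case-insensitively, as the registry is).
NEUREVT_CLSID = "{2227a280-3aea-1069-a2de-08002b30309d}"
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"
IFEO_PREFIX = ("hklm\\software\\microsoft\\windows nt\\currentversion\\"
               "image file execution options\\")
IFEO_TARGETS = {"rstrui.exe", "hijackthis.exe", "spybotsd.exe", "housecalllauncher.exe"}
ZONES_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\"
ADVANCED_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced"
WIN7ZIP_KEY = "hkcu\\software\\win7zip"

# Constructed sample export (not from a real host). .reg strings double backslashes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Beta Bot"="%ProgramFiles%\\common files\\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\\kbqiypzyt.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger"="dwrdsye_.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe]
"Debugger"="rj_.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003

[HKEY_CURRENT_USER\Software\Win7zip]
"Uuid"=hex:75,5e,e2,00,0b,6e,79,00
'''

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (single-line values only)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Map (key, value name) -> data for a .reg export. Strings become str,
    dword becomes int, hex becomes bytes. Multi-line hex continuations are
    not handled; the sample keeps every value on one line."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            parsed = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            parsed = int(data[6:], 16)
        elif data.lower().startswith("hex:"):
            parsed = bytes.fromhex(data[4:].replace(",", ""))
        else:
            parsed = data
        values[(key, _unescape(m.group("name")))] = parsed
    return values


def find_neurevt_indicators(values):
    """Return sorted (label, key, value name) for each page indicator present."""
    findings = []
    for (key, name), data in values.items():
        k, n = key.lower(), name.lower()
        if k == RUN_KEY and isinstance(data, str) and NEUREVT_CLSID in data.lower():
            findings.append(("run-key persistence", key, name))
        elif k.startswith(IFEO_PREFIX) and n == "debugger" and k[len(IFEO_PREFIX):] in IFEO_TARGETS:
            findings.append(("IFEO debugger hijack of " + k[len(IFEO_PREFIX):], key, name))
        elif k.startswith(ZONES_PREFIX) and name == "2500" and data == 3 and k[len(ZONES_PREFIX):] in {"1", "2", "3", "4"}:
            findings.append(("IE Protected Mode off in zone " + k[len(ZONES_PREFIX):], key, name))
        elif k == ADVANCED_KEY and n == "showsuperhidden" and data == 0:
            findings.append(("system files hidden", key, name))
        elif k == WIN7ZIP_KEY and n == "uuid":
            findings.append(("Win7zip Uuid marker", key, name))
    return sorted(findings)


def demo():
    return find_neurevt_indicators(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for label, key, name in demo():
        print(f"{label}: {key} -> {name}")
```

Against a real host the input would come from `reg export <key> out.reg` for each key of interest; current Windows versions write that file as UTF-16, so open it with `encoding="utf-16"` before handing the text to `parse_reg_export`. The IFEO check flags any `Debugger` value on the four named tools rather than only the `_.exe` suffix shown on the page, since a debugger redirect on a security tool is worth a look whatever the name.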

Prevention


Alert level: Severe
First detected by definition: 1.147.139.0
Latest detected by definition: 1.199.1063.0 and higher
First detected on: Mar 21, 2013
This entry was first published on: Mar 21, 2013
This entry was updated on: Mar 16, 2015

This threat is also detected as:
  • Trojan.Win32.Jorik.Llac.pqz (Kaspersky)
  • Win32/Neurevt.A trojan (ESET)
  • Trojan.Win32.Neurevt (Ikarus)
  • Trojan.Neurevt!5156 (Rising AV)