Trojan:Win32/Neurevt.A


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker access to your PC. It can also change your PC settings and steal your personal information, such as your user names and passwords for some banking websites. 

 

See the Win32/Neurevt family description for more information.

Find out ways that malware can get on your PC.  



What to do now

 

Use the following free Microsoft software to detect and remove this threat:

 

 

You should also run a full scan. A full scan might find other, hidden malware.

 

Additional remediation instructions for this threat

This threat may make lasting changes to a computer's configuration (the Image File Execution Options, Windows Explorer and Internet Explorer Protected Mode settings listed under Payload) that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Neurevt.A has a random file name. It's found in a folder that has a partly random name - %ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}. The fixed suffix is the CLSID of the Printers shell folder: Windows Explorer treats a folder whose name ends in a shell-folder CLSID as that special folder and shows the Printers view instead of the folder's real contents, so the dropped file is hidden from casual browsing in Explorer (it is still listed normally from a command prompt).

For example:

  • %ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe
  • %ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe

It also creates the following registry entries, so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random phrase>"
With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Beta Bot"
With data: "%ProgramFiles%\common files\beta bot.{2227a280-3aea-1069-a2de-08002b30309d}\kbqiypzyt.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Chrome Browser"
With data: "%ProgramFiles%\common files\chrome browser.{2227a280-3aea-1069-a2de-08002b30309d}\auaucdlve.exe"

It also creates the following registry entry, as part of its installation process:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "<random bytecode>"

For example:

In subkey: HKCU\Software\Win7zip
Sets value: "Uuid"
With data: "u^â..ny."

Payload

Changes your computer settings

This trojan makes Windows Explorer hide protected operating system files (files that carry both the "hidden" and "system" attributes, which is how its own dropped folder is marked) by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Prevents some security processes from running

This trojan stops some security and recovery tools from starting by registering a "debugger" for them under Image File Execution Options. When Windows is asked to start one of the listed executables (System Restore's rstrui.exe, HijackThis, Spybot Search & Destroy's spybotsd.exe and Trend Micro HouseCall's launcher), it launches the program named in the Debugger value instead, so the tool itself never runs. It adds the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "<random characters>_.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Sets value: "Debugger"
With data: "dwrdsye_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Sets value: "Debugger"
With data: "rj_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Sets value: "Debugger"
With data: "cxsrjn_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
Sets value: "Debugger"
With data: "eivm_.exe"

Disables Protected Mode in Internet Explorer

This trojan disables Internet Explorer Protected Mode in all four security zones (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) by setting action 2500 to 3 (disabled) in each zone's key. Windows turns Protected Mode on by default only for the Internet and Restricted sites zones, so the changes to zones 3 and 4 are the ones that weaken the browser's sandbox:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "2500"
With data: "3"

Steals computer and account details

This trojan steals any stored user names and passwords, server host names and port numbers from the following FTP and SSH clients, if they are installed on your computer:

  • CoreFTP
  • FileZilla
  • FlashFXP
  • FTP Commander
  • PuTTY
  • SmartFTP
  • WinSCP

It might also steal your account details and contacts list for Skype.

It might also steal information about your computer, such as:

  • Operating system
  • Currently logged on user
  • Software installed on your computer, especially security software

Allows backdoor access and control

This trojan might connect to remote servers to let an attacker access your computer. It tries connecting to the following servers:

  • strike-file-hosting.us
  • 188.190.99.224

Once connected, a remote attacker can do the following to your computer:

  • Download and run arbitrary files
  • Upload files
  • Send its stolen data
  • Spread through removable drives
  • Start or stop programs
  • Delete files

Analysis by Elda Dimakiling


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random phrase>"
    With data: "%ProgramFiles%\common files\<random phrase>.{2227a280-3aea-1069-a2de-08002b30309d}\<malware file name>.exe"
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
    Sets value: "Debugger"
    With data: "<random characters>_.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "3"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "2500"
    With data: "3"
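
The following PowerShell script is an added example and is not Microsoft's code or part of the original entry. It checks a host for the indicators listed above (the Run-key entry and dropped folder carrying the Printers CLSID suffix, the Image File Execution Options debugger hijacks, the Explorer ShowSuperHidden change, the Protected Mode setting in each Internet Explorer zone, and the HKCU\Software\Win7zip\Uuid marker) and, on request, reverts the registry changes that removing the binary does not undo. The registry paths and values come from this page; the function names, the hit object layout and the rule of re-enabling Protected Mode only in zones 3 and 4 are this example's own choices. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not Microsoft's code: audit a host for the indicators this
# page lists for Trojan:Win32/Neurevt.A and, on request, revert the registry
# changes that removing the binary leaves behind. Requires PowerShell 3.0 or
# later and an elevated prompt. Registry paths and values are the page's;
# the function names and the shape of the output are our own.

$PrintersClsid = '{2227a280-3aea-1069-a2de-08002b30309d}'   # Printers shell-folder CLSID used as a folder suffix
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$IfeoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$IfeoTargets = 'rstrui.exe', 'hijackthis.exe', 'spybotsd.exe', 'housecalllauncher.exe'
$AdvKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function New-Hit([string]$Type, [string]$Key, [string]$Name, $Value) {
    [pscustomobject]@{ Type = $Type; Key = $Key; Name = $Name; Value = $Value }
}

function Get-NeurevtIndicators {
    $hits = @()

    # Autostart entries whose target sits in a Common Files folder carrying the CLSID suffix.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*$PrintersClsid*") {
                $hits += New-Hit 'RunKey' $RunKey $p.Name $p.Value
            }
        }
    }

    # The dropped folder itself; -Force is needed because it may be marked hidden/system.
    $common = Join-Path $env:ProgramFiles 'Common Files'
    foreach ($d in Get-ChildItem -Path $common -Directory -Force -ErrorAction SilentlyContinue) {
        if ($d.Name -like "*.$PrintersClsid") {
            $files = (Get-ChildItem -Path $d.FullName -File -Force -ErrorAction SilentlyContinue).Name -join ', '
            $hits += New-Hit 'Folder' $d.FullName '' $files
        }
    }

    # IFEO Debugger values: Windows starts the named "debugger" instead of the tool.
    foreach ($t in $IfeoTargets) {
        $k = Join-Path $IfeoRoot $t
        $dbg = (Get-ItemProperty -Path $k -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $hits += New-Hit 'IFEO' $k 'Debugger' $dbg }
    }

    # Explorer forced to hide protected operating-system files.
    $ssh = (Get-ItemProperty -Path $AdvKey -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($ssh -eq 0) { $hits += New-Hit 'Explorer' $AdvKey 'ShowSuperHidden' $ssh }

    # IE Protected Mode, action 2500 (0 = on, 3 = off). Windows enables it by default only in
    # zones 3 (Internet) and 4 (Restricted sites); zones 1 and 2 are reported for completeness.
    foreach ($z in 1..4) {
        $k = Join-Path $ZonesRoot $z
        $v = (Get-ItemProperty -Path $k -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($v -eq 3) { $hits += New-Hit 'IEZone' $k '2500' $v }
    }

    # Installation marker (REG_BINARY on the page, shown here as decimal bytes).
    $uuid = (Get-ItemProperty -Path 'HKCU:\Software\Win7zip' -Name Uuid -ErrorAction SilentlyContinue).Uuid
    if ($null -ne $uuid) { $hits += New-Hit 'Marker' 'HKCU:\Software\Win7zip' 'Uuid' ($uuid -join ' ') }

    return $hits
}

function Repair-NeurevtSettings {
    # Reverts only the registry changes; the folder, the binary and the marker are left for the
    # antimalware removal step. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][object[]]$Hits)
    foreach ($h in $Hits) {
        $target = "$($h.Key)\$($h.Name)"
        switch ($h.Type) {
            'IFEO'     { if ($PSCmdlet.ShouldProcess($target, 'Remove Debugger value')) { Remove-ItemProperty -Path $h.Key -Name $h.Name } }
            'RunKey'   { if ($PSCmdlet.ShouldProcess($target, 'Remove autostart value')) { Remove-ItemProperty -Path $h.Key -Name $h.Name } }
            'Explorer' { if ($PSCmdlet.ShouldProcess($target, 'Set ShowSuperHidden = 1')) { Set-ItemProperty -Path $h.Key -Name $h.Name -Value 1 -Type DWord } }
            'IEZone'   {
                # Re-enable Protected Mode only where it is on by default (zones 3 and 4).
                if ($h.Key -match '\\[34]$' -and $PSCmdlet.ShouldProcess($target, 'Set 2500 = 0')) {
                    Set-ItemProperty -Path $h.Key -Name $h.Name -Value 0 -Type DWord
                }
            }
        }
    }
}

$found = Get-NeurevtIndicators
$found | Format-Table -AutoSize
# Preview the registry repairs, then run again without -WhatIf once the binary has been removed:
# Repair-NeurevtSettings -Hits $found -WhatIf
```

Run the audit first and remove the binary with the antimalware scan described under "What to do now" before repairing settings; if the trojan is still running it can simply re-apply the Run key and IFEO values. A Debugger value under any of the four IFEO keys is a strong indicator on its own, since none of those tools legitimately registers one. An IFEO or Run-key value that points to a file which no longer exists is still worth recording, because it shows the infection happened even after the payload was removed.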

Prevention


Alert level: Severe
First detected by definition: 1.147.139.0
Latest detected by definition: 1.189.389.0 and higher
First detected on: Mar 21, 2013
This entry was first published on: Mar 21, 2013
This entry was updated on: Sep 22, 2014

This threat is also detected as:
  • Trojan.Win32.Jorik.Llac.pqz (Kaspersky)
  • Win32/Neurevt.A trojan (ESET)
  • Trojan.Win32.Neurevt (Ikarus)
  • Trojan.Neurevt!5156 (Rising AV)