Follow:

You have been re-routed to the TrojanSpy:Win32/Neetro.A write up because TrojanSpy%3aWin32%2fNeetro.A has been renamed to TrojanSpy:Win32/Neetro.A
 

TrojanSpy:Win32/Neetro.A


TrojanSpy:Win32/Neetro.A is a generic detection for certain obfuscated malware. The loader, which is encrypted and written in Visual Basic, may have virtually any purpose. This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

TrojanSpy:Win32/Neetro.A is a generic detection for certain obfuscated malware. The loader, which is encrypted and written in Visual Basic, may have virtually any purpose. This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V.
Installation
When run, this trojan drops itself as "file.rst" into the Temporary files folder. It then launches the Windows shell "%windir%\explorer.exe" and injects code into the process of "explorer.exe".
Payload
Installs Win32/Zbot variant
This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V as the following:
  • <system folder>\sdra64.exe
The registry is modified to execute the dropped malware at each Windows start.
 
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Other actions
The following actions have been observed in various files detected as TrojanSpy:Win32/Neetro.A:
  • Injects code into the following processes:
    • explorer.exe
    • winlogon.exe
    • svchost.exe
    • smss.exe
    • services.exe
    • lsass.exe
  • Download and execute other potentially malicious files
  • Connect to various Web sites
Additional Information
For more information about PWS:Win32/Zbot.gen!V, see the description elsewhere in the encyclopedia.
 
Analysis by Wei Li

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.57.39.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 21, 2009
This entry was first published on: Jun 28, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Backdoor2.EJZJ (Command)
  • Win32/Spy.Zbot.UN (ESET)
  • Backdoor.Win32.Haver.eh (Kaspersky)
  • W32/Havar.EX (Norman)
  • Trj/Sinowal.WXO (Panda)
  • Mal/VB-AB (Sophos)
  • Trojan.Zbot (Symantec)
  • BKDR_HAVAR.AQ (Trend Micro)
  • Backdoor.Havar.EO (VirusBuster)