TrojanSpy:Win32/Neetro.A is a generic detection for certain obfuscated malware. The loader, which is encrypted and written in Visual Basic, may have virtually any purpose. This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V.
When run, this trojan drops itself as "file.rst" into the Temporary files folder. It then launches the Windows shell "%windir%\explorer.exe" and injects code into the process of "explorer.exe".
Installs Win32/Zbot variant
This trojan may drop and execute a copy of PWS:Win32/Zbot.gen!V as the following:
The registry is modified to execute the dropped malware at each Windows start.
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\sdra64.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
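The Userinit change described above can be checked for during triage. The following is an added example, not part of the original analysis: it audits Userinit value data and reports any entry other than userinit.exe in the system folder. The function names, host names, the sample values and the default system folder path are assumptions made for illustration.

```python
import ntpath

# Assumption: on a clean system the Userinit data is the single entry
# "<system folder>\userinit.exe", usually followed by a trailing comma.
EXPECTED_NAME = "userinit.exe"


def audit_userinit(data, system_folder=r"C:\Windows\system32"):
    """Return the Userinit entries that are not <system folder>\\userinit.exe."""
    expected = ntpath.normcase(ntpath.join(system_folder, EXPECTED_NAME))
    unexpected = []
    for raw in data.split(","):          # Winlogon runs each comma-separated entry
        entry = raw.strip().strip('"')
        if not entry:                    # the trailing comma yields an empty item
            continue
        if ntpath.normcase(ntpath.normpath(entry)) != expected:
            unexpected.append(entry)
    return unexpected


def audit_hosts(values):
    """Map host -> unexpected entries, keeping only hosts with findings."""
    findings = {}
    for host, data in values.items():
        extra = audit_userinit(data)
        if extra:
            findings[host] = extra
    return findings


# Constructed sample data (not from the original write-up): Userinit values
# as they might be collected from three hosts.
SAMPLE = {
    "host-a": r"C:\Windows\system32\userinit.exe,",
    "host-b": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe",
    "host-c": r"C:\Temp\userinit.exe",
}

if __name__ == "__main__":
    for host, extra in audit_hosts(SAMPLE).items():
        print(host, "unexpected Userinit entries:", extra)
```

The comparison is case-insensitive and path-normalized, so a file named userinit.exe outside the system folder is reported as well as an appended entry such as sdra64.exe.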
The following actions have been observed in various files detected as TrojanSpy:Win32/Neetro.A:
- Injects code into the following processes:
- Downloads and executes other potentially malicious files
- Connects to various Web sites
Analysis by Wei Li