Worm:Win32/Neeris.D


Worm:Win32/Neeris.D is a worm that spreads using Microsoft Messenger products. It also contains backdoor functionality.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product. For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Neeris.D is a worm that spreads using Microsoft Messenger products. It also contains backdoor functionality.
 
Installation
When executed, the worm copies itself to <system folder>\dllcache\jucheck.exe (dllcache is the Windows File Protection cache folder, and jucheck.exe is the name of the legitimate Java update checker, which is installed under Program Files, not in dllcache) and modifies the registry to run this file at each Windows start:
 
Adds value: "jucheck"
With data: "<system folder>\dllcache\jucheck.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
The worm also drops a zipped copy of itself to '%windir%\picts-[random numbers].zip'. The worm uses this copy as an attachment when spreading (see the 'Spreads Via...' section below for further detail). The file inside the ZIP is named 'img0794-www.photoshare.com'; note that .com is an executable extension on Windows, so the name reads like a web address but runs as a program when opened.
 
 
Worm:Win32/Neeris.D creates a mutex named "1xcam0isluvedbyus" to ensure that multiple instances of the worm do not run simultaneously.
Spreads Via…
Messenger
The worm spreads via Microsoft Messenger products. It sends the zipped copy of itself to all contacts as an attachment to a message whose body is one of the following. Several of these strings are cut short at non-ASCII characters in this listing, so treat them as substrings rather than exact message bodies when matching:
 
TEM QUE VER ESTE RETRATO DE MIM
cette vieille image que j'ai trouv
este retrato realmente de voc
inoperante...........
je vais mettre cette image de nous sur mon myspace :
o outro dia?
quest'immagine di noi al mio weblog
quest'immagine di noi sul mio myspace :
questa foto al mio myspace adesso
veux tu voir mes image de vacance??
viu este? o presidente est
? verifica
Caricher
Check out my nice photo album. :D
Estas s
Eu amo este retrato de nossos amigos :D
Eu cant acredito que este retrato
Eu estou indo p
Haha sollten Sie dieses Ihre R
Here are my private pictures for you
Hey i zet deze foto van ons even op mijn myspace
I found these old school pictures... LOL :)
IS THIS REALLY YOU ??? i cant remember who sent it to me...
Io ricordo quando abbiamo portato questa foto
JIESHOU WO DE ZHAO PIAN :
KAN WO DE ZHAOPIAN :D.
My friend took nice photos of me.you Should see em loL!
NI HE WO !!! .... QING KAN :D.
OMG YOU HAVE TO SEE THIS PICTURE!!!! :D
Per favore nessuno lasciare vede le nostre foto
Queira ver esta foto que eu fiz exame de voc
Qui sono il fotos di ci
Wimmern! Blick auf diese alte Abbildung, die ich: fand
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :S !!.
ZHE SHI WO DE LUOZHAO :O QING BU YAO FA GEI BIEREN !!.
ay no ese pelo fue lo mas chistoso...q estabas pensando
berhaupt?
chten den pics von meinen Ferien sehen?
ckstellung auf myspace oder etwas pic bilden:D
ehi aggiunger
ehi metter
esa foto de tu y yo la voy a poner en myspace
faut de la reproduction sonore ! regard
faut pic sur le myspace ou quelque chose :D
haha vous devriez rendre ceci votre d
haha you moet die je standaard foto maken op hyves of myspace
he heb je ooit deze foto laten zien ?
he ich zeige Ihnen diese Abbildung von mir
he werde ich diese Abbildung von uns auf mein myspace setzen
he werde ich diese Abbildung von uns meinem weblog hinzuf
hey eu fiz exame deste retrato fresco de mim em f
hey ik voeg deze foto van ons ff toe op mijn weblog
hola esas son las fotos
j'ai fais pour toi ce photo album tu dois le voire :p
jaja debes poner esa foto como foto principal en tu myspace o algo :D
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa :Dmetta questi fotos in suo pagina myspace
jaja recuerda cuando tuviste el pelo asi
jaja ricordo quando lei aveva i suoi capelli come questo
jajaja yo me recuerdo cuando tuvistes el pelo asi
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :
le lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
lol ik kan me nog herrinneren toen je haar zoals dit had
mes photos chaudes :D
o aqui meus retratos confidenciais para somente n
o as fotos que eu quis o mostrar:)
o louca do retrato ele para fora
oye ponga esa foto en tu myspace como la foto principal
oye voy a agregar esa foto a mi blog ya
oye voy a poner esa foto de nosotros en mi myspace :-
r este retrato de n
s sobre meu Web site
voy a poner esa foto de nosotros en mi blog ya
wanna see the pics from my vacation? :
wil je fotos zien van mijn vakantie
wow! moet je eens kijken welke foto ik nu gevonden heb
 
The attachment filename is 'picts-[random numbers].zip'.
Payload
Modifies System Settings
The worm adds itself to the Windows Firewall list of authorized applications, so that inbound connections to it are not blocked:
Adds value: "<system folder>\dllcache\jucheck.exe"
With data: "<system folder>\dllcache\jucheck.exe:*:Enabled:Windows Sharing"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
The data follows the firewall exception format path:scope:state:display name. The "*" scope applies the exception on all networks, and the display name "Windows Sharing" is chosen so that the entry looks like a built-in Windows component in the firewall's exceptions list.
 
Backdoor Functionality
Neeris attempts to connect to an IRC server and join a particular channel, from which it takes commands; this creates a backdoor that gives a remote attacker unauthorized access to and control of the affected machine. Through this channel, an attacker can instruct the worm to:
  • Update itself
  • Remove itself from the infected system
  • Download additional files / new malware
  • Itemize and terminate various processes
  • Initiate or stop Messenger spreading routine
 
Analysis by Francis Allan Tan Seng

Symptoms

System Changes
The following system changes may indicate the presence of Worm:Win32/Neeris.D:
  • Presence of the following files:
    <system folder>\dllcache\jucheck.exe
    %windir%\picts-[random numbers].zip
  • Presence of the following registry modifications:
    Adds value: "jucheck"
    With data: "<system folder>\dllcache\jucheck.exe"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adds value: "<system folder>\dllcache\jucheck.exe"
    With data: "<system folder>\dllcache\jucheck.exe:*:Enabled:Windows Sharing"
    To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
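The system changes listed above, turned into an offline triage check. This is an added example, not code from the original entry or from Microsoft: it parses a registry export and a directory listing for the Run value, the firewall exception and the dropped files, splits the firewall exception into its path/scope/state/name fields, and inspects a ZIP attachment in memory for the worm's member name. The sample .reg text, the sample file list, the sample archive and all paths are constructed assumptions; C:\WINDOWS\system32 stands in for <system folder>.

```python
import io
import re
import zipfile

# Registry locations named in the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# File indicators. dllcache is Windows File Protection's cache of system
# files; a Run entry or firewall exception pointing into it is abnormal.
DROPPED_EXE = re.compile(r"\\dllcache\\jucheck\.exe$", re.IGNORECASE)
DROPPED_ZIP = re.compile(r"^picts-\d+\.zip$", re.IGNORECASE)
# Member name inside the ZIP; ".com" is an executable extension on Windows.
ZIP_MEMBER = "img0794-www.photoshare.com"

# Constructed .reg export: the two entries from the write-up plus one benign
# entry under each key for contrast. C:\WINDOWS\system32 is <system folder>.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jucheck"="C:\\WINDOWS\\system32\\dllcache\\jucheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dllcache\\jucheck.exe"="C:\\WINDOWS\\system32\\dllcache\\jucheck.exe:*:Enabled:Windows Sharing"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# Constructed directory listing (as produced by `dir /s /b`, for example).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\dllcache\jucheck.exe",
    r"C:\WINDOWS\system32\dllcache\kernel32.dll",
    r"C:\WINDOWS\picts-48213.zip",
]


def parse_reg_export(text):
    """Parse a minimal .reg export into (key, value_name, data) triples.
    Only string values "name"="data" are handled; doubled backslashes are unescaped."""
    entries, key = [], None
    value_re = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = value_re.match(line)
            if m:
                name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                entries.append((key, name, data))
    return entries


def parse_authorized_app(data):
    """Split an AuthorizedApplications\\List value 'path:scope:state:display name'.
    The path holds a colon (drive letter), so split from the right; names hold none."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def find_registry_indicators(entries):
    """Return findings for the Run value and the firewall exception."""
    findings = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and name.lower() == "jucheck" and DROPPED_EXE.search(data):
            findings.append(f"Run value {name!r} starts {data}")
        elif key.lower() == FW_LIST_KEY.lower():
            app = parse_authorized_app(data)
            # The value name is the executable path; flag the dropped path and
            # any entry whose data names a different executable than its name.
            if DROPPED_EXE.search(app["path"]) or app["path"].lower() != name.lower():
                findings.append(f"Firewall exception {app['state']} for {app['path']} "
                                f"shown as {app['name']!r} (scope {app['scope']})")
    return findings


def find_file_indicators(paths):
    """Return paths matching the dropped executable or the ZIP attachment."""
    return [p for p in paths
            if DROPPED_EXE.search(p) or DROPPED_ZIP.match(p.rsplit("\\", 1)[-1])]


def zip_looks_like_neeris(zip_bytes):
    """True if the archive carries the worm's member name; read from memory,
    so the attachment is never extracted to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(info.filename == ZIP_MEMBER for info in zf.infolist())


def build_sample_zip():
    """Constructed stand-in for picts-[random numbers].zip: one inert text
    member carrying the worm's filename, so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(ZIP_MEMBER, "constructed placeholder, not a PE file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print("registry:", f)
    for f in find_file_indicators(SAMPLE_FILES):
        print("file:", f)
    print("attachment matches:", zip_looks_like_neeris(build_sample_zip()))
```

On a live host the same functions can be fed the output of `reg export` for the two keys and a recursive directory listing of %windir%; the path-based checks matter because the dropped file reuses a legitimate updater's name, so a process or file name alone is not a reliable indicator.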

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.69.152.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 18, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Dropper.Win32.Delf.ajo (Kaspersky)
  • W32/Checkout (McAfee)
  • W32/Sdbot-DHX (Sophos)
  • W32.Scrimge.O (Symantec)
  • WORM_IRCBOT.APX (Trend Micro)