Worm:Win32/Neeris.gen!C


Worm:Win32/Neeris.gen!C is the generic detection for a member of the Win32/Neeris family of worms. These worms spread via MSN Messenger and may contain backdoor functionality. Newer variants of this worm may exploit a vulnerability in the Windows Server service (srvsvc) on PCs that have not yet applied the update in Microsoft Security Bulletin MS08-067.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

Different samples of Win32/Neeris.gen!C install themselves in varying ways. They commonly copy themselves to %windir% or <system folder> and modify the system registry so that they run every time Windows starts.

For example, one variant of this family copies itself to a subfolder of the Windows folder as VMwareService.exe and makes the following registry autostart change:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Sets value: "GON"
With data: "%windir%\system\VMwareService.exe"

Another variant of this worm might copy itself as the following file:

%windir%\system\netmon.exe

For this file name, it creates the following autostart registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "netmon"
With data: "%windir%\system\netmon.exe"

It might also create a copy with a two-digit file name and the .SCR extension, such as 21.scr.

Spreads Via...

MSN Messenger

Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user's contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.

Removable drives

This worm might also drop a copy of itself and a corresponding autorun.inf file into all available removable drives. The function of the autorun.inf file is to make sure that the worm automatically runs if you access the drive it's in from a PC that has the Autorun feature enabled.

File names of the dropped worm copy vary; one example is smartkey.exe.

SQL servers with weak passwords

This worm might also try to connect to SQL servers by attempting to log in with commonly used passwords. Once connected, it might instruct the server to download and run a copy of itself via TFTP.

Microsoft server service vulnerability - MS06-040

This worm might also send malformed packets to exploit a known vulnerability in the Server service that was resolved with the release of Microsoft Security Bulletin MS06-040. Once connected to a vulnerable PC, it might download and run a copy of itself.

Microsoft server service vulnerability - MS08-067

This worm might open a random high-numbered TCP port, such as 16349 or 30379. It then tries to connect to PCs across the network on TCP port 445 to exploit a known vulnerability in the Server service that was resolved with the release of Microsoft Security Bulletin MS08-067.

Once it has infected a PC, it instructs that PC to download and run a copy of the worm from the opened TCP port (such as 16349 or 30379). The worm copy is downloaded over HTTP (TCP port 80).
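The network behaviour described in this section (one host probing many neighbours on TCP port 445, followed by the probed hosts connecting back to the prober) is detectable from ordinary connection logs. The following script is an added example written for this page, not Microsoft's code: it runs a sliding-window fan-out check over constructed connection-log lines (timestamp, source, destination, destination port) and also reports when a host that was just probed on port 445 connects back to the prober on a high port or on port 80. The 60-second window, the threshold of 8 distinct hosts and the log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed connection log (timestamp, source, destination, destination port).
# 10.0.0.5 mimics a host sweeping the subnet on TCP 445 and then being
# contacted back on a high port and on port 80, as the page describes;
# 10.0.0.20's lines are constructed benign traffic to a file server and a web server.
SAMPLE_LOG = """\
2008-10-07T09:00:00 10.0.0.20 10.0.0.50 445
2008-10-07T09:00:01 10.0.0.5 10.0.0.11 445
2008-10-07T09:00:01 10.0.0.5 10.0.0.12 445
2008-10-07T09:00:02 10.0.0.5 10.0.0.13 445
2008-10-07T09:00:02 10.0.0.5 10.0.0.14 445
2008-10-07T09:00:03 10.0.0.5 10.0.0.15 445
2008-10-07T09:00:03 10.0.0.5 10.0.0.16 445
2008-10-07T09:00:04 10.0.0.5 10.0.0.17 445
2008-10-07T09:00:04 10.0.0.5 10.0.0.18 445
2008-10-07T09:00:05 10.0.0.5 10.0.0.19 445
2008-10-07T09:00:05 10.0.0.5 10.0.0.20 445
2008-10-07T09:00:07 10.0.0.13 10.0.0.5 16349
2008-10-07T09:00:09 10.0.0.13 10.0.0.5 80
2008-10-07T09:00:30 10.0.0.20 10.0.0.51 443
2008-10-07T09:01:00 10.0.0.20 10.0.0.50 445
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
FANOUT_THRESHOLD = 8             # assumed: distinct hosts on 445 within WINDOW
SMB_PORT = 445
EPHEMERAL_MIN = 1024             # ports at or above this count as "high" ports

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+)$')

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, src, dst, dport), sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip blank or malformed lines
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    events.sort(key=lambda e: e[0])
    return events


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, suspect_host, detail) tuples for SMB fan-out and call-back patterns."""
    alerts: List[Tuple[str, str, str]] = []
    recent_smb: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # src -> (ts, dst) on 445
    probed: Dict[str, Dict[str, datetime]] = defaultdict(dict)               # prober -> {target: last ts}
    already_flagged = set()

    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            q = recent_smb[src]
            q.append((ts, dst))
            while q and ts - q[0][0] > WINDOW:   # drop entries older than the window
                q.popleft()
            probed[src][dst] = ts
            distinct = {d for _, d in q}
            if len(distinct) >= FANOUT_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(('smb_fanout', src,
                               f'{len(distinct)} distinct hosts on 445 within {WINDOW.seconds}s'))
        elif dport == 80 or dport >= EPHEMERAL_MIN:
            # A host that was recently probed on 445 by `dst` now connects back to `dst`:
            # this matches the "download the worm copy from the prober" step on this page.
            if dst in probed and src in probed[dst] and ts - probed[dst][src] <= WINDOW:
                alerts.append(('callback_to_prober', dst,
                               f'{src} connected back to {dst}:{dport} after a 445 probe'))
    return alerts


if __name__ == '__main__':
    for kind, host, detail in detect(parse_log(SAMPLE_LOG)):
        print(f'{kind:20} {host:12} {detail}')
```

The fan-out alert fires once per source, at the moment the eighth distinct port-445 destination is seen inside the window; the call-back alert is the stronger signal, because a legitimate file-server client does not normally get connected to on a high port by the machine it just talked to.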

Payload

Bypass Windows Firewall

This worm might add itself as an authorized application by modifying the Windows Firewall policy stored in the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\system\netmon.exe"
With data: "%windir%\system\netmon.exe:*:microsoft enabled"
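The persistence entries listed under Installation and the firewall-policy entry above are all plain registry values, so a responder can check for them offline in a registry export. The following script is an added example written for this page, not Microsoft's code: it parses a constructed "reg export" style text, then flags autostart values whose executable lives in the legacy %windir%\system folder (where the variants above drop netmon.exe and VMwareService.exe) or has a two-digit .scr name, and flags AuthorizedApplications entries whose path is in that folder or whose state field is not Enabled/Disabled (the entry above carries "microsoft enabled" instead). The .reg text, the benign contrast values and the choice of indicators are constructed for the example; the parser handles only quoted REG_SZ values, not the hex(2) encoding a real export uses for REG_EXPAND_SZ data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a .reg export. The three Neeris-related values reproduce
# the registry data described on this page; the other two values are constructed
# benign entries for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netmon"="%windir%\\system\\netmon.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"GON"="%windir%\\system\\VMwareService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system\\netmon.exe"="%windir%\\system\\netmon.exe:*:microsoft enabled"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines; backslash and quote are escaped with a backslash in .reg files
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# path:scope:state[:display name], the layout of AuthorizedApplications\List data
FIREWALL_ENTRY_RE = re.compile(
    r'^(?P<path>.+?\.exe):(?P<scope>[^:]*):(?P<state>[^:]*)(?::(?P<name>.*))?$', re.I)

AUTOSTART_KEY_SUFFIXES = (
    r'\Microsoft\Windows\CurrentVersion\Run',
    r'\Microsoft\Windows\CurrentVersion\RunOnce',
    r'\Microsoft\Windows\CurrentVersion\Shell Extensions',   # used by the variant above
)
FIREWALL_LIST_SUFFIX = r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List'


def unescape(s: str) -> str:
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse quoted REG_SZ values of a .reg export into {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def in_legacy_system_dir(path: str) -> bool:
    """True for files directly inside %windir%\\system (the 16-bit folder, not system32)."""
    p = path.lower().replace('/', '\\')
    return bool(re.search(r'(^|\\)(%windir%|%systemroot%|c:\\windows)\\system\\[^\\]+$', p))


def findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for values matching the indicators on this page."""
    out: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        upper = key.upper()
        if any(upper.endswith(s.upper()) for s in AUTOSTART_KEY_SUFFIXES):
            for name, data in values.items():
                reasons = []
                if in_legacy_system_dir(data):
                    reasons.append('autostart executable in legacy %windir%\\system folder')
                if re.search(r'\\\d{2}\.scr$', data, re.I):
                    reasons.append('two-digit .scr file name')
                if reasons:
                    out.append((key, name, '; '.join(reasons)))
        elif upper.endswith(FIREWALL_LIST_SUFFIX.upper()):
            for name, data in values.items():
                reasons = []
                m = FIREWALL_ENTRY_RE.match(data)
                if not m:
                    reasons.append('firewall entry does not parse as path:scope:state[:name]')
                else:
                    if in_legacy_system_dir(m.group('path')):
                        reasons.append('firewall exception for executable in %windir%\\system')
                    if m.group('state').lower() not in ('enabled', 'disabled'):
                        reasons.append(f"state field is {m.group('state')!r}, expected Enabled/Disabled")
                if reasons:
                    out.append((key, name, '; '.join(reasons)))
    return out


if __name__ == '__main__':
    for key, name, reason in findings(parse_reg(SAMPLE_REG)):
        print(f'{key}\n  value {name!r}: {reason}')
```

Run against a real export (reg export HKLM hklm.reg, then point parse_reg at the file contents) the script is a triage aid rather than a verdict: the paths are the indicators this page lists, so any hit still needs the file itself examined, and the Shell Extensions key is only watched because the variant above abuses it for autostart.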

Lets a malicious hacker access your PC

Win32/Neeris.gen!C might connect to a predefined Internet Relay Chat (IRC) server on a specified port, such as TCP port 6667 or 449. Once connected, it lets a malicious hacker access your PC.

Removes connection restrictions

Win32/Neeris.gen!C might drop the driver <system folder>\drivers\sysdrv32.sys, which modifies TCP/IP settings to remove connection throttling on Windows XP SP2 PCs.

Analysis by Jireh Sanico


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 22, 2008
This entry was updated on: Mar 27, 2014

This threat is also detected as:
  • Win32/Neeris.worm.101376 (AhnLab)
  • Win32/IRCBot.KA (CA)
  • Win32/AutoRun.IRCBot.Q (ESET)
  • Worm.Win32.AutoRun.fla (Kaspersky)
  • W32/IRCbot.gen.a (McAfee)
  • W32/Neeris-A (Sophos)
  • W32.Spybot.Worm (Symantec)