Threat behavior
Worm:Win32/Neeris.A is a chat client worm with backdoor Trojan functionality. The worm uses API calls for both Windows Messenger and AOL Messenger to send messages to contacts, with an attached file containing a copy of the worm. Worm:Win32/Neeris.A connects to an IRC server and waits to receive commands, such as to self-update, remove itself, download various programs and malware, or terminate running processes.
When Worm:Win32/Neeris.A is executed, it performs the following actions:
Terminates if the currently logged-on user is named "CurrentUser"
Creates a mutex named "xSeeLifeEndsz"
Drops these files:
%Windir%\IMG-0012.zip (contains a copy of the worm named "img0012-www.photostorage.com")
%Windir%\system\LSASS.EXE
Modifies the system registry to run the worm at each Windows startup:
Adds value: "MSNPRC"
With data: %WinDir%\system\lsass.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Adds value: Windows Lsass Services
With data: %WinDir%\system\lsass.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hides its process (lsass.exe) from the Task Manager process list
Adds itself to the Windows Firewall list of authorized applications, stored under this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Injects code into the Windows shell process, Explorer.exe
Modifies the registry entry that sets how long the operating system waits for services to stop during shutdown or restart (the value below, in milliseconds), possibly masking symptoms of the infection:
Modifies value: WaitToKillServiceTimeout
With data: 7000
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
The text of the messages it sends varies according to which of these locales it detects on the infected system:
FR (France)
hé je vais mettre cette image de nous sur mon myspace :>
le lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
hé veux tu voir mes image de vacance??
j'ai fais pour toi ce photo album tu dois le voire :p
haha vous devriez rendre ceci votre défaut pic sur le myspace ou quelque chose :D
mes photos chaudes :D
défaut de la reproduction sonore ! regard a cette vieille image que j'ai trouvée : |
IT (Italia)
ehi metterò quest'immagine di noi sul mio myspace :>
jaja ricordo quando lei aveva i suoi capelli come questo
ehi aggiungerò quest'immagine di noi al mio weblog
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa :D
metta questi fotos in suo pagina myspace
Qui sono il fotos di ci
Caricherò questa foto al mio myspace adesso
Io ricordo quando abbiamo portato questa foto
Per favore nessuno lasciare vede le nostre foto
DE (Denmark)
he werde ich diese Abbildung von uns auf mein myspace setzen
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
Haha sollten Sie dieses Ihre Rückstellung auf myspace oder etwas pic bilden:D
he ich zeige Ihnen diese Abbildung von mir überhaupt?
Wimmern! Blick auf diese alte Abbildung, die ich: fand
möchten den pics von meinen Ferien sehen?
NL, BE (Netherlands, Belgium)
Hey i zet deze foto van ons even op mijn myspace
lol ik kan me nog herrinneren toen je haar zoals dit had
hey ik voeg deze foto van ons ff toe op mijn weblog
haha you moet die je standaard foto maken op hyves of myspace
he heb je ooit deze foto laten zien ?
wow! moet je eens kijken welke foto ik nu gevonden heb
wil je fotos zien van mijn vakantie
ES, ME, VE (Spain, Mexico, Venezuela)
oye voy a poner esa foto de nosotros en mi myspace :->
jaja recuerda cuando tuviste el pelo asi
oye voy a agregar esa foto a mi blog ya
jaja debes poner esa foto como foto principal en tu myspace o algo :D
hola esas son las fotos
esa foto de tu y yo la voy a poner en myspace
voy a poner esa foto de nosotros en mi blog ya
oye ponga esa foto en tu myspace como la foto principal
jajaja yo me recuerdo cuando tuvistes el pelo asi
ay no ese pelo fue lo mas chistoso...q estabas pensando
All others:
Here are my private pictures for you
hey i'm going to add this picture of us to my weblog
My friend took nice photos of me.you Should see em loL!
lol remember when you used to have your hair like this
Nice new photos of me and my friends and stuff and when i was young lol...
wanna see the pics from my vacation? :>
Check out my nice photo album. :D
Worm:Win32/Neeris.A connects to an IRC server using TCP port 21888, and awaits commands from an attacker, which can include:
Self-update
Remove itself from the infected system
Download additional files / new malware
List and terminate running processes
Start or stop its Messenger spreading routine
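The following PowerShell script is an added example for defenders, not part of this write-up and not code from the worm. It checks a host, read-only, for the artifacts listed in the behavior section and the IRC connection described just above: the two dropped files, the two startup values, the firewall authorized-applications entry, the changed WaitToKillServiceTimeout value, the mutex, a process running from the worm's path, and TCP connections to port 21888. Every indicator value is taken from this page; the function names, the $Findings list and the use of Get-NetTCPConnection (not available on Windows XP-era hosts, where netstat -ano gives the same information) are this example's own choices.

```powershell
# Added example: read-only triage for the Neeris.A indicators listed on this page.
# Run from an elevated PowerShell prompt on the host being examined.

$script:Findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) { $script:Findings.Add($Text) }

function Test-NeerisFiles {
    # The worm's copy lives under %WinDir%\system; the legitimate LSASS is in %WinDir%\System32.
    $paths = @(
        (Join-Path $env:WINDIR 'IMG-0012.zip'),
        (Join-Path $env:WINDIR 'system\LSASS.EXE')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { Add-Finding "File present: $p" }
    }
}

function Test-NeerisRegistry {
    # Startup values the worm writes (key paths and value names from the page)
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows Lsass Services' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'; Name = 'MSNPRC' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) {
            Add-Finding ("Registry: {0}\{1} = {2}" -f $c.Key, $c.Name, $item.($c.Name))
        }
    }
    # Shutdown-timeout tampering: the page reports the worm sets this value to 7000
    $ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -ErrorAction SilentlyContinue
    if ($ctl -and ("$($ctl.WaitToKillServiceTimeout)" -eq '7000')) {
        Add-Finding 'Registry: WaitToKillServiceTimeout is 7000 (value reported for this worm)'
    }
}

function Test-NeerisFirewallExclusion {
    # In this key each value name is the excluded program path; match the worm's path, not just the name
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $list = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $list) { return }
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -like '*\system\lsass.exe*') {
            Add-Finding ("Firewall exclusion: {0} = {1}" -f $p.Name, $p.Value)
        }
    }
}

function Test-NeerisMutex {
    # An open succeeds only for a mutex visible from this session; see the usage note
    try {
        $m = [System.Threading.Mutex]::OpenExisting('xSeeLifeEndsz')
        $m.Dispose()
        Add-Finding "Mutex 'xSeeLifeEndsz' exists (worm is likely running)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to record
    } catch [System.UnauthorizedAccessException] {
        Add-Finding "Mutex 'xSeeLifeEndsz' exists but could not be opened"
    }
}

function Test-NeerisProcess {
    # Best effort only: the worm hides its process from Task Manager, so no hit here proves nothing
    Get-Process -Name lsass -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like '*\system\lsass.exe' } |
        ForEach-Object { Add-Finding ("Process: pid {0} running from {1}" -f $_.Id, $_.Path) }
}

function Test-NeerisIrcConnection {
    # Any TCP connection to the IRC port named on the page, with the owning process
    $conns = Get-NetTCPConnection -RemotePort 21888 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding ("TCP {0}:{1} -> {2}:{3} [{4}] pid {5} ({6})" -f $c.LocalAddress, $c.LocalPort,
            $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName)
    }
}

function Invoke-NeerisTriage {
    $script:Findings.Clear()
    Test-NeerisFiles; Test-NeerisRegistry; Test-NeerisFirewallExclusion
    Test-NeerisMutex; Test-NeerisProcess; Test-NeerisIrcConnection
    if ($script:Findings.Count -eq 0) { 'No Neeris.A indicators found.' } else { $script:Findings }
}

Invoke-NeerisTriage
```

Two caveats matter when reading the output. An unprefixed mutex name is opened in the caller's session-local namespace, so a mutex created by the worm in a different logon session is not seen; a clean mutex result therefore does not clear the host, whereas the file, registry and firewall checks do not depend on the worm being running. The script deliberately keys on the path %WinDir%\system\lsass.exe rather than the file name, because a legitimate lsass.exe always runs from System32.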
Prevention