Worm:MSIL/Necast.E is a .NET compiled worm that spreads to all accessible drives of an infected computer, steals sensitive information and allows unauthorized remote access and control.
Installation
When run, this malware drops and executes a copy of the worm as the following file:
%windir%\Temp\svchost.exe
Registry data is created to run the worm copy at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Server"
To data: "%windir%\Temp\svchost.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Server"
To data: "%windir%\Temp\svchost.exe"
Other registry data is created for the worm to use as configuration detail.
In subkey: HKCU\Software\nKey
Sets value: "FT"
To data: "&"
In subkey: HKCR
Sets value: "!"
To data: "<B64 encoded string of the worm installation date and path>"
Spreads via...
All drives
Worm:MSIL/Necast.E traverses all accessible drives, whether fixed, removable or network drive types, and copies itself to the target drive as "NEW.scr".
Payload
Lowers computer security
The worm lowers computer security by disabling Windows Firewall and changing the firewall policy to allow exceptions.
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
To data: "dword:00000000"
In subkey: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "DoNotAllowExceptions"
To data: "dword:00000000"
The worm modifies registry data that disables the LUA (Least Privileged User Account), also known as the “administrator in Admin Approval Mode” user type:
Note: Disabling the LUA allows all applications to run by default with all administrative privileges, without the user being prompted for explicit consent.
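A defender-side check for the registry indicators described above (the "Server" Run value, the HKCU\Software\nKey configuration key and the StandardProfile firewall policy), added here as an example that is not part of the original write-up: it parses a .reg export, such as one collected from a suspect host with reg export, and flags the entries that match. The sample export, its user name and the benign autorun entry are constructed, and the function names are this example's own.

```python
import re

# Constructed sample .reg export (not from a real host) with the values this write-up describes plus a benign entry.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Server"="C:\\Windows\\Temp\\svchost.exe"
[HKEY_CURRENT_USER\Software\nKey]
"FT"="&"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"""

# Key paths from the write-up in the long form regedit exports (HKCU -> HKEY_CURRENT_USER), lower-cased.
RUN_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
CONFIG_KEY = r"hkey_current_user\software\nkey"
FW_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {(key, value_name): data}; strings are unescaped, dwords become int."""
    values, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                values[(key, name)] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values

def find_indicators(text: str) -> list:
    """Return findings that match the Necast.E registry behaviour described in the write-up."""
    v, hits = parse_reg(text), []
    for (key, name), data in v.items():
        # Persistence: Run value "Server" starting svchost.exe from a Temp folder (the real one lives in System32).
        if (key.lower() in RUN_KEYS and name == "Server" and isinstance(data, str)
                and data.lower().endswith(r"\temp\svchost.exe")):
            hits.append(f"persistence: {key}\\{name} -> {data}")
        # Worm configuration and captured keylog data live under HKCU\Software\nKey ("FT", "lg").
        if key.lower() == CONFIG_KEY and name in ("FT", "lg"):
            hits.append(f"config: {key}\\{name} present")
    fw = {name: data for (key, name), data in v.items() if key.lower() == FW_KEY}
    if fw.get("EnableFirewall") == 0:
        hits.append("firewall: StandardProfile EnableFirewall=0 (Windows Firewall disabled)")
        if fw.get("DoNotAllowExceptions") == 0:
            hits.append("firewall: DoNotAllowExceptions=0 (exceptions allowed, as the worm sets)")
    return hits
```

Running find_indicators(SAMPLE_REG) reports the persistence value, the nKey configuration value and both firewall-policy changes, while a Run value pointing at any other path is ignored.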
Allows unauthorized remote access and control
Worm:MSIL/Necast.E connects to a remote server named "pintos2014.no-ip.biz" and awaits instructions from a remote attacker. Commands could include any of the following actions:
- Get, create or delete registry keys
- Get, start or stop services
- Get, start or stop processes
- Perform UDP/TCP flooding against a targeted computer
- Log keystrokes
- List open windows
- Download and execute an arbitrary file
- Bypass an installed firewall
- Upload certain file types (png, jpg, jpeg, bmp, ico) to a specified server
- Open a chat window
- Get drive info
- Delete files
- Execute a VBS script
- Open a remote command shell
- Delete the worm copy
- Create a mouse event (click to a certain window)
- Get all active connections (using a netstat command)
- Get screen background or capture video
- Play a sound
- Get PC information (such as user, country, OS, CPU, RAM)
- Get malware information (such as unique name, host, server, executable file name, directory, mutex name, registry key, installation date)
- Steal sensitive information from the following:
  - Chrome, Firefox, Opera (stored user names, passwords and URLs)
  - Windows Live, Hotmail, Paltalk, Yahoo accounts
  - DynDNS, no-ip.com domain accounts
  - FileZilla account details (URLs, port, user names, passwords)
  - Hard disk serial ID
Captured data is stored in the following registry entry:
In subkey: HKCU\Software\nKey
Sets value: "lg"
To data: "<key log data>"
Disables firewall software
Worm:MSIL/Necast.E can block the following firewall software:
- AVG Firewall
- Avira Firewall
- BitDefender Firewall
- FortKnox Personal Firewall
- Panda Internet Security 2011
- Windows Firewall
Analysis by Ric Robielos