Worm:Win32/Neeris.gen!D is a generic detection for a worm that spreads via removable drives and instant messenger programs. It also allows backdoor access and control of the affected computer.
Installation
Worm:Win32/Neeris.gen!D may be found in the Windows system folder using any of the following file names:
- 1sass.exe
- dllcache.exe
- key-installer.exe
- lan.exe
- lsass.exe
- netmon.exe
- p.exe
- smsc.exe
- smsg.exe
- strongkey-rc1.3-build-208.exe
- svhost.exe
- sysdrv32.sys
- win.com
- winrsc.exe
- wlan.exe
Note that some of these file names are similar to the names of legitimate Windows files (for example, "svchost.exe" is a legitimate file, while this worm may arrive as "svhost.exe"; "lsass.exe" is a legitimate file, while the worm may arrive as "1sass.exe", with the digit one in place of the letter "l"). The worm may also use the exact name of a legitimate file, such as "lsass.exe", so a file name alone is not enough to tell the two apart.
It also modifies the system registry so that it automatically runs every time Windows starts. Depending on its file name, the registry entry may be any of the following:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "lsass"
With data: "<system folder>\1sass.exe"
or
Sets value: "netmon"
With data: "<system folder>\dllcache.exe"
or
Sets value: "ilasss"
With data: "<system folder>\lsass.exe"
or
Sets value: "lsass"
With data: "<system folder>\lsass.exe"
or
Sets value: "netmon"
With data: "<system folder>\netmon.exe"
or
Sets value: "WSSVC"
With data: "<system folder>\smsc.exe"
or
Sets value: "Windows System Spooler"
With data: "<system folder>\smsg.exe"
or
Sets value: "ctfmon"
With data: "<system folder>\svhost.exe"
or
Sets value: "WSVCHO"
With data: "<system folder>\svhost.exe"
or
Sets value: "Windows System Monitor"
With data: "<system folder>\winrsc.exe"
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the system folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.
Spreads via...
Removable drives
Worm:Win32/Neeris.gen!D spreads by creating copies of itself in all available removable drives. Its copies may have any of the following file names:
- 1sass.exe
- dllcache.exe
- key-installer.exe
- lan.exe
- lsass.exe
- netmon.exe
- p.exe
- smsc.exe
- smsg.exe
- strongkey-rc1.3-build-208.exe
- svhost.exe
- sysdrv32.sys
- win.com
- winrsc.exe
- wlan.exe
Instant messenger programs
Worm:Win32/Neeris.gen!D can spread to a user's contacts in Windows Live Messenger and AOL Messenger by sending messages with an attachment that contains a copy of the worm.
Payload
Modifies firewall settings
Worm:Win32/Neeris.gen!D adds itself to the list of authorized programs allowed to bypass Windows Firewall by adding a value under the following registry key:
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Allows backdoor access and control
Worm:Win32/Neeris.gen!D connects to an IRC server using various ports and waits for commands from a remote attacker. These commands may include:
- Automatically updating itself
- Removing itself from the computer
- Downloading arbitrary files
- Listing and terminating running processes
- Starting and stopping its spreading routine via instant messaging programs
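The following host-triage script is an added example and is not part of the Microsoft analysis above. It checks a Windows machine for the artifacts this write-up describes: the file names in the system folder and on removable drives, the Run-key values, the Windows Firewall AuthorizedApplications exemption, and an established TCP connection owned by one of the indicator processes (the page gives no server address or port, so the backdoor check matches on the owning process, not on port 6667). The file names, value names and registry paths come from the page; the lsass.exe signature check and the netstat-to-process mapping are generic triage techniques assumed here, not behaviour the page documents. Run it as Administrator in Windows PowerShell on the suspect host.

```powershell
# Added triage script for Worm:Win32/Neeris.gen!D indicators (not from the
# original write-up). Reports every match and exits 1 if anything matched.
$ErrorActionPreference = 'SilentlyContinue'

# File names listed for the system-folder install and removable-drive copies.
$NeerisNames = @(
    '1sass.exe','dllcache.exe','key-installer.exe','lan.exe','lsass.exe',
    'netmon.exe','p.exe','smsc.exe','smsg.exe','strongkey-rc1.3-build-208.exe',
    'svhost.exe','sysdrv32.sys','win.com','winrsc.exe','wlan.exe'
)
# Run-key value names listed on the page. Windows does not start LSASS from a
# Run value, so a value with one of these names is suspect regardless of data.
$NeerisRunValues = @('lsass','netmon','ilasss','WSSVC','Windows System Spooler',
                     'ctfmon','WSVCHO','Windows System Monitor')
# Provider metadata that Get-ItemProperty returns alongside real values.
$PsMeta = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')

$findings = New-Object System.Collections.Generic.List[string]

# True when the file name is an indicator. The genuine lsass.exe is
# Microsoft-signed; only an unsigned or invalid copy counts. Caveat (assumed
# from experience, not from the page): on old PowerShell builds catalog-signed
# system files report NotSigned, so confirm a flagged lsass.exe with sigcheck.
function Test-NeerisFile([string]$Path) {
    if (-not $Path) { return $false }
    $leaf = Split-Path -Leaf $Path.Trim('"')
    if ($NeerisNames -notcontains $leaf) { return $false }
    if ($leaf -ieq 'lsass.exe' -and (Test-Path -LiteralPath $Path)) {
        return ((Get-AuthenticodeSignature -FilePath $Path).Status -ne 'Valid')
    }
    return $true
}

# 1. Copies in the system folder (C:\Windows\System32 on XP/Vista/7).
$sys = [Environment]::GetFolderPath('System')
foreach ($n in $NeerisNames) {
    $p = Join-Path $sys $n
    if ((Test-Path -LiteralPath $p) -and (Test-NeerisFile $p)) { $findings.Add("file: $p") }
}

# 2. Persistence: data pointing at an indicator file, or a listed value name.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($prop in $run.PSObject.Properties) {
    if ($PsMeta -contains $prop.Name) { continue }
    $data = [string]$prop.Value
    if ((Test-NeerisFile $data) -or ($NeerisRunValues -contains $prop.Name)) {
        $findings.Add("run key: $($prop.Name) = $data")
    }
}

# 3. Firewall exemption list (XP/Vista/7 policy store). Each entry is a value
#    named by the full path of the exempted program.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey
foreach ($prop in $fw.PSObject.Properties) {
    if ($PsMeta -contains $prop.Name) { continue }
    if (Test-NeerisFile $prop.Name) { $findings.Add("firewall exemption: $($prop.Name) = $($prop.Value)") }
}

# 4. Copies in the root of removable drives (Win32_LogicalDisk DriveType 2).
#    Get-WmiObject is Windows PowerShell only; use Get-CimInstance on PowerShell 7.
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    foreach ($n in $NeerisNames) {
        $p = Join-Path ($d.DeviceID + '\') $n
        if ((Test-Path -LiteralPath $p) -and (Test-NeerisFile $p)) { $findings.Add("removable copy: $p") }
    }
}

# 5. Backdoor channel: established TCP connections owned by an indicator
#    process. netstat -ano is parsed because Get-NetTCPConnection does not
#    exist on XP/7, the platforms this worm targeted.
$pathByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $pathByPid[[int]$_.ProcessId] = $_.ExecutablePath }
netstat -ano -p tcp | Select-String 'ESTABLISHED' | ForEach-Object {
    $cols = $_.Line.Trim() -split '\s+'   # TCP <local> <remote> ESTABLISHED <pid>
    $owner = [int]$cols[4]
    if (Test-NeerisFile $pathByPid[$owner]) {
        $findings.Add("connection: $($pathByPid[$owner]) (pid $owner) -> $($cols[2])")
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Neeris.gen!D indicators found.'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

A hit in step 2 or 3 is the strongest signal: the Run value names and the firewall exemption are written by the worm itself, whereas a lone file-name match (step 1 or 4) can be a benign collision and should be confirmed by checking the file's signature and hash before cleanup.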
Analysis by Jireh Sanico