Worm:Win32/Neeris.A is a worm that spreads using Microsoft Messenger products. It also contains backdoor functionality.
Installation
When executed, the worm copies itself to %windir%\system\lsass.exe and modifies the registry to run this file at each Windows start:
Adds value: "Windows Lsass Services"
With data: "%windir%\system\lsass.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also modifies the registry so that the file runs whenever Explorer loads (for example, when a user logs in):
Adds value: "MSNPRC"
With data: "<Malware File>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
The worm also drops a zipped copy of itself to %windir%\img-0012.zip. The worm uses this copy as an attachment when spreading (see 'Spreads Via...' section below for further detail).
Neeris injects code into explorer.exe and runs it in a remote thread, so that the worm survives if its main process is terminated.
Spreads Via…
Messenger
The worm spreads via Microsoft Messenger products. It sends itself, as an attachment, to all contacts in a message that uses one of the following message bodies:
ay no ese pelo fue lo mas chistoso...q estabas pensando
jajaja yo me recuerdo cuando tuvistes el pelo asi
oye ponga esa foto en tu myspace como la foto principal
voy a poner esa foto de nosotros en mi blog ya
esa foto de tu y yo la voy a poner en myspace
hola esas son las fotos
jaja debes poner esa foto como foto principal en tu myspace o algo :D
oye voy a agregar esa foto a mi blog ya
jaja recuerda cuando tuviste el pelo asi
oye voy a poner esa foto de nosotros en mi myspace :->
Per favore nessuno lasciare vede le nostre foto
Io ricordo quando abbiamo portato questa foto
Caricherò questa foto al mio myspace adesso
Qui sono il fotos di ci
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa :D
metta questi fotos in suo pagina myspace
ehi aggiungerò quest'immagine di noi al mio weblog
jaja ricordo quando lei aveva i suoi capelli come questo
ehi metterò quest'immagine di noi sul mio myspace :>
möchten den pics von meinen Ferien sehen?
Wimmern! Blick auf diese alte Abbildung, die ich: fand
he ich zeige Ihnen diese Abbildung von mir überhaupt?
Haha sollten Sie dieses Ihre Rückstellung auf myspace oder etwas pic bilden:D
he werde ich diese Abbildung von uns meinem weblog hinzufügen
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
he werde ich diese Abbildung von uns auf mein myspace setzen
wil je fotos zien van mijn vakantie
wow! moet je eens kijken welke foto ik nu gevonden heb
he heb je ooit deze foto laten zien ?
haha you moet die je standaard foto maken op hyves of myspace
hey ik voeg deze foto van ons ff toe op mijn weblog
lol ik kan me nog herrinneren toen je haar zoals dit had
Hey i zet deze foto van ons even op mijn myspace
défaut de la reproduction sonore ! regard a cette vieille image que j'ai trouvée : |
mes photos chaudes :D
haha vous devriez rendre ceci votre défaut pic sur le myspace ou quelque chose :D
j'ai fais pour toi ce photo album tu dois le voire :p
hé veux tu voir mes image de vacance??
le lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
hé je vais mettre cette image de nous sur mon myspace :>
Check out my nice photo album. :D
wanna see the pics from my vacation? :>
Nice new photos of me and my friends and stuff and when i was young lol...
lol remember when you used to have your hair like this
My friend took nice photos of me.you Should see em loL!
hey i'm going to add this picture of us to my weblog
Here are my private pictures for you
The attachment filename is 'img-0012.zip'.
Payload
Modifies System Settings
The worm modifies the registry to add itself to the Windows Firewall list of authorized applications:
Adds value: "%windir%\system\lsass.exe"
With data: "%windir%\system\lsass.exe:*:Enabled:Windows Sharing"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Backdoor Functionality: Port 21888
Neeris attempts to connect to dhcp.vncsvr.com on TCP port 21888 and join a particular channel, creating a backdoor on the infected computer. This backdoor gives a remote attacker unauthorized access to and control of the affected machine.
Additional Information
The worm makes the following modification:
Adds value: "WaitToKillServiceTimeout"
With data: "7000"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
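The registry artifacts listed above can be checked offline from a .reg export of a suspect machine. The script below is an added example written for this page, not Microsoft's own tooling; the function names (parse_reg, is_rogue_lsass, find_neeris_indicators) and the embedded .reg sample are constructed for illustration, and it treats the WaitToKillServiceTimeout change as a weak indicator because that value can legitimately be changed by administrators.

```python
import re

# Constructed .reg export (sample data, not taken from the page) holding the values Neeris.A writes, plus one benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"Windows Lsass Services"="C:\\WINDOWS\\system\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"MSNPRC"="C:\\WINDOWS\\system\\lsass.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system\\lsass.exe"="C:\\WINDOWS\\system\\lsass.exe:*:Enabled:Windows Sharing"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="7000"
'''
RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
SHELLEXT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'
FIREWALL = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'
            r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List')
CONTROL = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control'
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # matches "Name"="String data" lines only

def parse_reg(text):
    """Parse string values of a .reg export into {subkey (lower-cased): {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (s.replace('\\\\', '\\') for s in m.groups())  # undo .reg backslash escaping
            keys.setdefault(current, {})[name] = data
    return keys

def is_rogue_lsass(path):
    # The legitimate lsass.exe lives in %windir%\system32; Neeris.A drops its copy in %windir%\system.
    return path.lower().endswith('\\system\\lsass.exe')

def find_neeris_indicators(reg_text):
    """Return (strong, weak) lists of findings from a .reg export."""
    keys = parse_reg(reg_text)
    strong, weak = [], []
    for name, data in keys.get(RUN.lower(), {}).items():
        if name == 'Windows Lsass Services' or is_rogue_lsass(data):
            strong.append(f'Run value {name!r} -> {data}')
    if 'MSNPRC' in keys.get(SHELLEXT.lower(), {}):
        strong.append('Shell Extensions value "MSNPRC"')
    for name, data in keys.get(FIREWALL.lower(), {}).items():
        if is_rogue_lsass(name) and data.endswith(':*:Enabled:Windows Sharing'):
            strong.append(f'firewall exception for {name}')
    if keys.get(CONTROL.lower(), {}).get('WaitToKillServiceTimeout') == '7000':
        weak.append('WaitToKillServiceTimeout set to 7000 (only meaningful alongside the above)')
    return strong, weak
```

Running find_neeris_indicators(SAMPLE_REG) reports the three strong indicators (Run value, Shell Extensions value, firewall exception) and the one weak indicator, while the benign VendorUpdater entry is left alone.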