BKDR_NEUREVT.NST

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It modifies the Internet Explorer Zone Settings.

It retrieves specific information from the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Program Files%\Common Files\openoffic0\{random}.exe
• %All Users Profile\Application Data\openoffic0\{random}.exe"

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

• %All Users Profile%\Application Data\openoffic0
• %Program Files%\Common Files\openoffic0

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
openoffic = "%All Users Profile%\Application Data\openoffic0\{random}.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
openoffic = "%All Users Profile%\Application Data\openoffic0\{random}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
openoffic = "%Program Files%\Common Files\openoffic0\{random}.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
openoffic = "%Program Files%\Common Files\openoffic0\{random}.exe"

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
TaskbarNoNotification = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip
Uuid = "{random values}"

Backdoor Routine

This Trojan executes the following commands from a remote malicious user:

• Download and execute files
• Perform Slowloris flooding
• Execute shell commands
• Copy itself in removable drives
• Open a URL
• Uninstall / Update itself

It connects to the following websites to send and receive information:

• http://{BLOCKED}rve.info/b/order.php

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}r.net/download/pts.exe - detected as TROJ_COINMINE.B
• http://{BLOCKED}r.net/download/x86.exe - detected as TROJ_COINMINE.B

Information Theft

This Trojan retrieves the following information from the affected system:

• Operating system version
• Hardware Information (Power Status, Processor)
• Installed FTP Softwares (CoreFTP,FileZilla,FlashFXP,FTP Commander,PuTTy,SmartFTP,WinSCP)
• Installed Game Softwares (Steam, League of Legends,Origin, Blizzard, Origin, Runescape)
• Installed Messenger (Skype)
• Installed AV Products
• Username
• Default Browser
• Dotnet Version
• Java Version
• IPs of recent RDP
• Installed Softwares (Sysinternals, mIRC, Hex-Rays, Immunity Inc, CodeBlocks,7-Zip,PrestoSoft,Nmap,Perl,Visual C++, Wireshark, Visual Studio, VMWare, Inc.)

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

• update.microsoft.com
• microsoft.com
• windowsupdate.microsoft.com
• google.com

NOTES:

It queries the following registry key to get Microsoft Net Framework Version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework setup\NDP

It queries the following registry key to get the processor information:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor

It disables the following antivirus-related applications by adding the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\{application}
Debugger = {random characters}_.exe

• a2guard.exe
• a2service.exe
• a2start.exe
• adaware.exe
• ALUpdate.exe
• arcaclean.exe
• avastsvc.exe
• avastui.exe
• avcenter.exe
• AVENGINE.exe
• avgcfgex.exe
• avgdiagex.exe
• avgidsagent.exe
• avgmfapx.exe
• avgnt.exe
• avguard.exe
• avgui.exe
• avgupd.exe
• avgwdsvc.exe
• AVK.exe
• AVKTray.exe
• avshadow.exe
• BgScan.exe
• BullGuard.exe
• BullGuardBhvScanner.exe
• BullGuardScanner.exe
• BullGuardUpdate.exe
• BullGuardUpdate2.exe
• ccsvchst.exe
• ccupdate.exe
• CLPSLA.exe
• coreFrameworkHost.exe
• coreServiceShell.exe
• egui.exe
• ekrn.exe
• epavjobs.exe
• ForceField.exe
• FProtTray.exe
• FPWin.exe
• fshoster32.exe
• GDFirewallTray.exe
• GDSC.exe
• K7TSUpdT.exe
• mbam.exe
• mbamgui.exe
• mcagent.exe
• McPvTray.exe
• mcshell.exe
• mcshield.exe
• McSvHost.exe
• McUICnt.exe
• mcupdate.exe
• mcupdmgr.exe
• MSASCui.exe
• MsMpEng.exe
• msseces.exe
• niu.exe
• op_mon.exe
• pctsAuxs.exe
• pctsGui.exe
• pctsSvc.exe
• PSANHost.exe
• PSUAService.exe
• PSUNMain.exe
• RavMonD.exe
• rcfp.exe
• rsmain.exe
• RsMgrSvc.exe
• RsTray.exe
• SBAMTray.exe
• sbamui.exe
• sguardxup.exe
• starter_avp.exe
• symerr.exe
• uiSeAgnt.exe
• uiWatchDog.exe
• Update.exe
• update_tmp.exe
• updater.exe
• Upgrader.exe
• usrreq.exe
• uWinMgr.exe
• WRSA.exe
• zatray.exe