NEUREVT
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
NEUREVT, also known as Beta Bot, was first spotted in the wild around March 2013. It was available in the underground market at a relatively cheap price. Once installed on the infected system, it disables certain security-related applications from running. It also gathers system information, FTP credentials, Skype account details and contact list, among others.
It can also execute specific commands from a malicious user, thus compromising the security of the system. Its notable behaviors include performing Slowloris HTTP flooding attacks and spreading itself via removable drives.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe
- %Program Files%\Common Files\Identities.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Other System Modifications
This backdoor adds the following registry keys:
- HKEY_CLASSES_ROOT\CLSID\{CLSID}
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\0BAC02C7
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CG1
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CS1
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CW1
- HKEY_CURRENT_USER\Software\Win7zip
- HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip
It adds the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
  Task Service ID = "{hex value}"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  2500 = "3"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  2500 = "3"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  2500 = "3"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  2500 = "3"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
  Debugger = "{random characters}.exe"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CG1
  GLA = "{hex value}"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CG1
  LCT = "{hex value}"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CG1
  LSF = "{hex value}"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CG1
  CF03 = "{hex value}"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CS1
  SO3 = "{hex value}"
- HKEY_CLASSES_ROOT\CLSID\{CLSID}\1BE003AB\CW1
  1480 = "{hex value}"
- HKEY_CURRENT_USER\Software\Win7zip
  Uuid = "{hex value}"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Windows Device Installer = "{malware path and file name}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Windows Device Installer = "{malware path and file name}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip
  Uuid = "{hex value}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  nvtrays = "%Program Files%\Common Files\Identities.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"
It modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = "0"
  (Note: The default value data of the said registry entry is "1".)
- HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
  EnableJavaUpdate = "0"
  (Note: The default value data of the said registry entry is "1".)
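The registry entries listed above can be checked against an exported hive. The following Python sketch is an added example, not part of the original write-up or of any vendor tool: it scans `reg export`-style text for autorun values that launch from a folder carrying the .{2227A280-3AEA-1069-A2DE-08002B30309D} suffix, Image File Execution Options Debugger values, Zones 2500 = 3, and the Win7zip Uuid value. The sample export, its file names, and the reason labels are constructed for illustration.

```python
import re

# Added illustration: reason labels and the SAMPLE export below are constructed.
CLSID_SUFFIX = ".{2227a280-3aea-1069-a2de-08002b30309d}\\"  # drop-folder suffix
RUN_KEY = re.compile(r"\\currentversion\\(policies\\explorer\\)?run$")
IFEO_KEY = re.compile(r"\\image file execution options\\[^\\]+$")
ZONE_KEY = re.compile(r"\\internet settings\\zones\\[1-4]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value name, data) from `reg export`-style text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            yield key, m.group(1), data

def find_indicators(text):
    """Return sorted (reason, key, value name) hits for analyst review."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if RUN_KEY.search(k) and CLSID_SUFFIX in d:
            hits.append(("autorun-from-clsid-folder", key, name))
        elif IFEO_KEY.search(k) and n == "debugger":
            hits.append(("ifeo-debugger", key, name))  # also has legitimate uses
        elif ZONE_KEY.search(k) and n == "2500" and d in ("3", "dword:00000003"):
            hits.append(("zone-2500-set-to-3", key, name))
        elif k.endswith("\\software\\win7zip") and n == "uuid":
            hits.append(("win7zip-uuid", key, name))
    return sorted(hits)

SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Flash Update Client"="C:\\Program Files\\Common Files\\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\\abcd.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="qwerty.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
[HKEY_CURRENT_USER\Software\Win7zip]
"Uuid"="0123abcd"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

The Debugger hit is a review prompt rather than a verdict, since administrators also set that value deliberately.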
Other Details
This backdoor connects to the following possibly malicious URLs:
- www.{BLOCKED}tingprotection.info/icool/order.php
- www.{BLOCKED}tingprotection.info/icool/order.php
- www.{BLOCKED}l.ws/forums/order.php