Wednesday, June 3, 2009

W32.Neeris.C Alert!!

W32.Neeris.C is yet another worm that exploits the buffer overflow in the Windows Server service's RPC handling addressed by Microsoft Security Bulletin MS08-067 (KB958644); a host that has not applied that update can be infected over the network with no user interaction. It also spreads through removable USB drives.

W32.Neeris.C drops a driver, %System%\drivers\sysdrv32.sys, that functions as a rootkit, and registers it as a service with the display name "Play Port I/O Driver" by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32

The worm creates the following autorun entry so that its executable is started at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"netmon" = "%System%\dllcache.exe"

It adds its executable to the Windows Firewall list of authorized applications, so that inbound connections to it are allowed, by creating the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system\dllcache.exe" = "C:\WINDOWS\system\dllcache.exe:*:Microsoft Enabled"

It also creates the following registry subkeys, which keep its component loading even when Windows is started in Safe Mode (both the Minimal and the Networking profile):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dllcache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dllcache

It opens a back door on TCP port 4545 and connects to the following domain (link defanged with hxxp):

hxxp://www.ninjawarlord.com

-------------------------------------------------------------------
Domain Registration Details (note the domain was registered only about five weeks before this alert):
Registrant: JOYCEWANG HEBEI TAGNGUO LTD.
Email: li_wangshang@yeah.net
Address: JIANKANG, 300452

Name servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Registration Date: 2009-04-27
Expiration Date: 2010-04-27

-------------------------------------------------------------------

It also propagates through removable USB drives by creating the following files in the root of each drive; the autorun.inf causes the executable to be launched when the drive is inserted into a machine with AutoRun enabled:

%DriveLetter%\strongkey-rc1.3-build-208.exe
%DriveLetter%\autorun.inf
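As an added example (editor's code, not part of the original alert), the following PowerShell script checks a single Windows host for every indicator listed above: the missing MS08-067 update, the driver file and its service key, the "netmon" Run value, the dropper executable, the firewall exception, the SafeBoot subkeys, a listener on TCP 4545, and autorun.inf plus the dropped executable in the root of any removable drive. The paths are taken verbatim from the alert; because the Run value uses %System% (normally %SystemRoot%\system32) while the firewall entry uses C:\WINDOWS\system, both dllcache.exe locations are checked. The function name Test-NeerisIndicators and the output format are the editor's own. Run it from an elevated prompt.

```powershell
# Editor's added example, not code from the original alert.
# Checks one Windows host for the W32.Neeris.C indicators listed above and
# returns the ones found. Paths are taken verbatim from the alert; both
# %SystemRoot%\system32 and %SystemRoot%\system are checked for dllcache.exe
# because the alert names both. Run elevated.
function Test-NeerisIndicators {
    $hits = @()
    $sysRoot = $env:SystemRoot

    # 0. Exposure: is the MS08-067 update (KB958644) installed?
    if (-not (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)) {
        $hits += 'MS08-067 update KB958644 not installed (host unpatched against the network vector)'
    }

    # 1. Rootkit driver file and its service key ("Play Port I/O Driver")
    $driver = Join-Path $sysRoot 'system32\drivers\sysdrv32.sys'
    if (Test-Path -LiteralPath $driver) { $hits += "driver file: $driver" }
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\sysdrv32') {
        $hits += 'service key: HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32'
    }

    # 2. Dropper executable in either location named by the alert
    foreach ($sub in 'system32\dllcache.exe', 'system\dllcache.exe') {
        $p = Join-Path $sysRoot $sub
        if (Test-Path -LiteralPath $p) { $hits += "dropper: $p" }
    }

    # 3. Run value "netmon"
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['netmon']) {
        $hits += "Run value: netmon = $($run.netmon)"
    }

    # 4. Windows Firewall authorized-application exception for dllcache.exe
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty $fwKey -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -like '*\dllcache.exe') { $hits += "firewall exception: $($prop.Name)" }
        }
    }

    # 5. SafeBoot subkeys that keep the component loading in Safe Mode
    foreach ($profile in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile\dllcache"
        if (Test-Path $sb) { $hits += "SafeBoot key: $sb" }
    }

    # 6. Back door listener on TCP 4545 (netstat -ano exists on XP and later)
    foreach ($m in (netstat -ano | Select-String -Pattern ':4545\s+\S+\s+LISTENING')) {
        $hits += "TCP 4545 listener: $($m.Line.Trim())"
    }

    # 7. Removable drives: autorun.inf and the dropped executable in the drive root
    $removable = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
    foreach ($d in $removable) {
        foreach ($f in 'autorun.inf', 'strongkey-rc1.3-build-208.exe') {
            $p = Join-Path $d.RootDirectory.FullName $f
            if (Test-Path -LiteralPath $p) { $hits += "removable drive: $p" }
        }
    }

    $hits
}

$found = @(Test-NeerisIndicators)
if ($found.Count -eq 0) {
    'No W32.Neeris.C indicators found.'
} else {
    'W32.Neeris.C indicators found:'
    $found | ForEach-Object { "  $_" }
}
```

A hit on the driver or the service key is the strongest signal, since the rootkit may hide the user-mode files and the listener from tools running on the live system; treat a clean file-system and netstat result as inconclusive if the registry indicators are present, and confirm from an offline scan of the disk.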