PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware, Propagates via removable drives

NEUREVT, also known as Beta Bot, was first spotted in the wild around March 2013. It was available in the underground market at a relatively cheap price. Once installed on the infected system, it disables certain security-related applications from running. It also gathers system information, FTP credentials, Skype account details and contact list, among others.

It can also perform specific commands from malicious user thus compromising the security of the system. Some of its notable behavior is performing Slowloris HTTP flooding attack and spreading itself via removable drives.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Steals information

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe
  • %Program Files%\Common Files\Identities.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{CLSID}

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
0BAC02C7

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\TaskManager

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CG1

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CS1

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CW1

HKEY_CURRENT_USER\Software\Win7zip

HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\TaskManager
Task Service ID = "{hex value}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Flash Update Client = "%Program Files%\Common Files\Flash Update Client.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
2500 = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application}
Debugger = "{random characters}.exe"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CG1
GLA = "{hex value}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CG1
LCT = "{hex value}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CG1
LSF = "{hex value}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CG1
CF03 = "{hex value}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CS1
SO3 = "{hex value}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
1BE003AB\CW1
1480 = "{hex value}"

HKEY_CURRENT_USER\Software\Win7zip
Uuid = "{hex value}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Device Installer = "{malware path and file name}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Device Installer = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Device Installer = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip
Uuid = "{hex value}"

HKEY_CURRENT_USER\Software\Win7zip
Uuid = "{hex value}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
nvtrays = "%Program Files%\Common Files\Identities.{2227A280-3AEA-1069-A2DE-08002B30309D}\{random file name}.exe"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\
Java Update\Policy
EnableJavaUpdate = "0"

(Note: The default value data of the said registry entry is "1".)

Other Details

This backdoor connects to the following possibly malicious URL:

  • www.{BLOCKED}tingprotection.info/icool/order.php
  • www.{BLOCKED}tingprotection.info/icool/order.php
  • www.{BLOCKED}l.ws/forums/order.php