Microsoft warns of an old virus being modified to take advantage of the MS08-67 vulnerabilities. The Neeris worm has been around for a long time but has been modified.
The worm makes the following registry autostart modification:
- Adds value: "GON"
- With data: "%windir%\system\VMwareService.exe"
- To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Another variant of this worm may copy itself as the following file: %windir%\system\netmon.exe. The worm may be present as a file with a two-digit name and .SCR extension, such as 21.scr. Registry data may be created to execute the worm when booting in Windows safe mode:
- Adds value: "netmon"
- With data: "%windir%\system\netmon.exe"
- To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- Adds value: "(default)"
- With data: "service"
- To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32

- Adds value: "(default)"
- With data: "service"
- To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32

Spreads Via...
1) MSN Messenger
2) Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user's contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.

Win32/Neeris.worm.101376 (AhnLab)
Win32/IRCBot.KA (CA)
Win32/AutoRun.IRCBot.Q (ESET)
Worm.Win32.AutoRun.fla (Kaspersky)
W32/IRCbot.gen.a (McAfee)
W32/Neeris-A (Sophos)
W32.Spybot.Worm (Symantec)
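
The registry autostart and safe-mode entries listed above can be checked against a registry export. This is an added example, not code from Microsoft or from the original post: it parses `.reg` export text and reports values matching those entries. The sample export, the `ExampleApp` entry, and the treatment of CurrentControlSet and other ControlSetNNN keys like ControlSet001 are assumptions.

```python
import re

# Indicators from the write-up above: (HKLM subkey, value name, data suffix), lower-cased.
# "@" is the (default) value; data is matched by suffix since %windir% is expanded on disk.
INDICATORS = [
    (r"software\microsoft\windows\currentversion\shell extensions", "gon", r"\system\vmwareservice.exe"),
    (r"software\microsoft\windows\currentversion\run", "netmon", r"\system\netmon.exe"),
    (r"system\controlset\control\safeboot\minimal\netmon32", "@", "service"),
    (r"system\controlset\control\safeboot\network\netmon32", "@", "service"),
]
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$", re.I)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# Assumption: CurrentControlSet and any ControlSetNNN are treated like ControlSet001.
CTRLSET_RE = re.compile(r"^system\\(?:currentcontrolset|controlset\d{3})\\")
# Constructed sample export (not taken from an infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netmon"="C:\\WINDOWS\\system\\netmon.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\netmon32]
@="service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt]
@="Service"
'''

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def parse_reg(text):  # yields (subkey, value name, data) for HKLM string values
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None  # skip hives other than HKLM
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_neeris(text):
    hits = []
    for key, name, data in parse_reg(text):
        norm = CTRLSET_RE.sub(r"system\\controlset\\", key.lower())
        for ind_key, ind_name, ind_data in INDICATORS:
            if norm == ind_key and name.lower() == ind_name and data.lower().endswith(ind_data):
                hits.append((key, name, data))
    return hits
```

For a real export, read the file as UTF-16 (the encoding `reg export` writes) and pass the text to `find_neeris`.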