Installation
Different samples of Win32/Neeris.gen!C install themselves in varying ways. They commonly copy themselves to %windir% or <system folder> and modify the registry so that the copy runs every time Windows starts.
For example, one variant of this family copies itself to a subfolder of the Windows folder as VMwareService.exe and makes the following registry autostart change:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Sets value: "GON"
With data: "%windir%\system\VMwareService.exe"
Another variant of this worm might copy itself as the following file:
%windir%\system\netmon.exe
For this file name, it creates the following autostart registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "netmon"
With data: "%windir%\system\netmon.exe"
It might also create a copy with a two-digit name and the .SCR extension, such as 21.scr.
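As an added example (not code from the original analysis), the following Windows PowerShell script checks a live host for the autostart values and dropped file names listed above. Only the key, value and file names from this entry are used as indicators; the additional check for any Run value pointing under %windir%\system is a heuristic of mine, not something the entry states, and the .SCR search is limited to %windir% and %windir%\system because the entry does not say where that copy lands. Run it from an elevated prompt.

```powershell
# Added example, not part of the original analysis. Windows PowerShell 5.1, elevated.
$windir = $env:windir
$system = Join-Path $windir 'system'

# Autostart value written by each variant described in the entry.
$autostarts = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'; Name = 'GON' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'netmon' }
)

$findings = foreach ($entry in $autostarts) {
    $data = Get-ItemPropertyValue -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue
    if (-not $data) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($data)
    $exists = Test-Path -LiteralPath $path
    $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
    [pscustomobject]@{ Where = "$($entry.Key)\$($entry.Name)"; Data = $data; Exists = $exists; Sha256 = $hash }
}

# Heuristic (assumption, not from the entry): legitimate software rarely autostarts
# from %windir%\system, the directory both described variants drop into.
$suspect = @()
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $suspect = $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       [Environment]::ExpandEnvironmentVariables("$($_.Value)") -like "$system\*" } |
        Select-Object Name, Value
}

# Dropped copies named in the entry, plus the two-digit .SCR naming pattern (e.g. 21.scr).
$dropped = @('VMwareService.exe', 'netmon.exe') |
    ForEach-Object { Join-Path $system $_ } |
    Where-Object { Test-Path -LiteralPath $_ }
$scr = foreach ($dir in @($system, $windir)) {
    Get-ChildItem -LiteralPath $dir -Filter '*.scr' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d{2}$' } |
        Select-Object -ExpandProperty FullName
}

[pscustomobject]@{
    AutostartValues   = $findings
    RunFromSystemDir  = $suspect
    DroppedCopies     = $dropped
    TwoDigitScrFiles  = $scr
} | Format-List
```

A hit on either autostart value should be followed by collecting the referenced file (the SHA256 is printed for that reason) before deleting the value and the file, since the same hash identifies other infected hosts.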
Spreads Via...
MSN Messenger
Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user's contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.
Removable drives
This worm might also drop a copy of itself and a corresponding autorun.inf file onto every available removable drive. The autorun.inf file makes the worm run automatically when the drive is opened on a PC that has the Autorun feature enabled.
File names of the dropped worm copy vary but might be like smartkey.exe.
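The following added example (not from the original analysis) enumerates removable drives, reads any autorun.inf found on them, reports the directives that launch a program, and shows whether Autorun is disabled by policy. It assumes the dropped autorun.inf uses one of the standard program-launching directives (open, shellexecute or shell\<verb>\command); the entry only says that an autorun.inf is dropped.

```powershell
# Added example, not part of the original analysis. Windows PowerShell 5.1.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Minimal reader for the [autorun] section: returns only the directives that run a program.
function Get-AutorunDirective {
    param([string]$InfPath)
    $inAutorun = $false
    foreach ($raw in (Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }                      # blank or comment
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if ($inAutorun -and
            $line -match '^(?<key>open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(?<cmd>.+)$') {
            [pscustomobject]@{ Inf = $InfPath; Directive = $Matches.key; Command = $Matches.cmd }
        }
    }
}

# DriveType 2 = removable disk (USB sticks, card readers).
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
$hits = foreach ($d in $drives) {
    $inf = "$($d.DeviceID)\autorun.inf"       # autorun.inf is usually hidden+system; Test-Path still sees it
    if (Test-Path -LiteralPath $inf) { Get-AutorunDirective -InfPath $inf }
}

# NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type (HKLM only is checked here).
$policy = Get-ItemPropertyValue -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
[pscustomobject]@{
    AutorunDisabledForAllDrives = ($policy -eq 0xFF)
    RemovableDrives             = @($drives | Select-Object -ExpandProperty DeviceID)
    LaunchDirectives            = $hits
} | Format-List

# Hardening (uncomment to apply):
# New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force
```

A directive whose command names a file that also appears on the drive (smartkey.exe in the entry's example) is the thing to collect before the drive is cleaned. Note that Windows 7 and later, after the 2011 Autorun update, no longer honour autorun.inf on USB media at all, so the policy check mostly matters on XP- and Vista-era hosts.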
SQL servers with weak passwords
This worm might also try to connect to SQL servers by attempting to log in with commonly used passwords. Once connected, it might instruct the server to download and run a copy of the worm via TFTP.
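The same weak-password check, run against a SQL Server instance you are authorised to test, is the quickest way to know whether this vector applies to you. The script below is an added example, not from the original analysis; the server name and the candidate list are placeholders I constructed, and it uses the System.Data.SqlClient provider that ships with Windows PowerShell 5.1.

```powershell
# Added example, not part of the original analysis. Windows PowerShell 5.1.
$server     = 'localhost'                                    # assumption: instance under test
$login      = 'sa'
$candidates = @('', 'sa', 'password', 'Password1', '123456')  # constructed sample list

# Returns 'accepted', 'rejected', or an error string for connectivity problems.
function Test-SqlLogin {
    param([string]$Server, [string]$User, [string]$Password)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource     = $Server
    $b.UserID         = $User
    $b.Password       = $Password        # the builder quotes passwords containing ';' correctly
    $b.ConnectTimeout = 5
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $b.ConnectionString
    try {
        $conn.Open()
        return 'accepted'
    } catch {
        $ex = $_.Exception
        # .NET method exceptions arrive wrapped; unwrap to reach the SqlException.
        if ($ex -is [System.Management.Automation.MethodInvocationException]) { $ex = $ex.InnerException }
        if ($ex -is [System.Data.SqlClient.SqlException] -and $ex.Number -eq 18456) {
            return 'rejected'            # 18456 = "Login failed for user"
        }
        return "error: $($ex.Message)"   # unreachable host, named-instance resolution, etc.
    } finally {
        $conn.Dispose()
    }
}

$results = foreach ($pw in $candidates) {
    $status = Test-SqlLogin -Server $server -User $login -Password $pw
    [pscustomobject]@{ Login = $login; Password = $pw; Result = $status }
    if ($status -eq 'accepted') { break }   # one accepted weak password is enough to report
}
$results | Format-Table -AutoSize
```

If CHECK_POLICY is enabled on the login, repeated failures can lock the account, so keep the list short. An 'accepted' result means this worm, and anything else guessing the same list, can run commands on that server; the fixes are a strong or disabled sa login, Windows authentication only, and not exposing the instance's port to the network at large.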
Microsoft Server service vulnerability - MS06-040
This worm might also send malformed packets to exploit a known vulnerability in the Server service that was fixed by Microsoft Security Bulletin MS06-040. Once it has exploited a vulnerable PC, it might make that PC download and run a copy of the worm.
Microsoft Server service vulnerability - MS08-067
This worm might open a random high-numbered TCP port, such as 16349 or 30379. It then tries to connect to PCs across the network on TCP port 445 to exploit a known vulnerability in the Server service that was fixed by Microsoft Security Bulletin MS08-067.
Once it has compromised a PC, it instructs that PC to download and run a copy of the worm using the opened TCP port (such as 16349 or 30379). The worm copy is downloaded over HTTP (TCP port 80).
Payload
Bypass Windows Firewall
This worm might add itself as an authorized application by changing the Windows firewall policy stored in the registry.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\system\netmon.exe"
With data: "%windir%\system\netmon.exe:*:microsoft enabled"
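As an added example (not from the original analysis), the script below reads the legacy authorised-application list shown above for both firewall profiles, parses the `<path>:<scope>:<state>:<name>` value format, and also scans the FirewallRules store that Vista and later use instead, flagging allow entries that point at a file under %windir%\system or at a missing or unsigned binary. Treating %windir%\system and "unsigned" as suspicious is my heuristic, not something the entry states, and unsigned legitimate software will show up too.

```powershell
# Added example, not part of the original analysis. Windows PowerShell 5.1, elevated.
$system = Join-Path $env:windir 'system'
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Resolves an image path and reports existence, Authenticode status and location.
function Test-Image {
    param([string]$Path)
    $full   = [Environment]::ExpandEnvironmentVariables($Path)
    $exists = Test-Path -LiteralPath $full
    $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status -eq 'Valid' } else { $false }
    [pscustomobject]@{ Path = $full; Exists = $exists; Signed = $signed; InSystemDir = ($full -like "$system\*") }
}

# XP/2003 list: value data is "<path>:<scope>:<state>:<name>". The path itself contains
# "C:", so the path is taken as everything up to the first ".exe" followed by a colon.
$legacy = foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $key  = "$fwBase\$profile\AuthorizedApplications\List"
    $list = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $list) { continue }
    foreach ($p in ($list.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
        if ("$($p.Value)" -match '^(?<path>.+?\.exe):(?<scope>[^:]*):(?<rest>.*)$') {
            $img = Test-Image $Matches.path
            [pscustomobject]@{
                Store = "AuthorizedApplications/$profile"; ValueName = $p.Name; Scope = $Matches.scope
                State = $Matches.rest; Image = $img.Path; Exists = $img.Exists; Signed = $img.Signed
                Suspicious = ($img.InSystemDir -or -not $img.Exists -or -not $img.Signed)
            }
        }
    }
}

# Vista+ store: pipe-delimited rule strings containing "Action=Allow" and "App=<path>".
$modern = @()
$rules = Get-ItemProperty -Path "$fwBase\FirewallRules" -ErrorAction SilentlyContinue
if ($rules) {
    $modern = foreach ($p in ($rules.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
        $v = "$($p.Value)"
        if ($v -match 'Action=Allow' -and $v -match 'App=(?<app>[^|]+)') {
            $img = Test-Image $Matches.app
            if ($img.InSystemDir -or -not $img.Exists -or -not $img.Signed) {
                [pscustomobject]@{
                    Store = 'FirewallRules'; ValueName = $p.Name; Scope = ''; State = 'Allow'
                    Image = $img.Path; Exists = $img.Exists; Signed = $img.Signed; Suspicious = $true
                }
            }
        }
    }
}

@($legacy) + @($modern) | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Removal of a confirmed entry (uncomment and fill in):
# Remove-ItemProperty -Path "$fwBase\StandardProfile\AuthorizedApplications\List" -Name '<value name>'
# Remove-NetFirewallRule -Name '<rule name>'      # Vista+ equivalent
```

On the entry's own data ("%windir%\system\netmon.exe:*:microsoft enabled") the parser yields path %windir%\system\netmon.exe, scope `*` (any remote address) and the trailing text as the state field, and the expanded path lands in %windir%\system, so the row is flagged.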
Lets a malicious hacker access your PC
Win32/Neeris.gen!C might connect to a predefined Internet Relay Chat (IRC) server on a preset port, such as TCP port 6667 or 449. Once connected, it lets a malicious hacker access your PC.
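The script below is an added example (not from the original analysis) that triages one host for the network behaviour described in the MS06-040 and MS08-067 sections and in this IRC section: whether the two Server service fixes are present, which processes are listening on high-numbered TCP ports, and which processes hold sessions to the IRC ports named above. The KB numbers are Microsoft's published identifiers for those bulletins rather than something the entry lists, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later (on older hosts, `netstat -ano` gives the same port-to-PID mapping).

```powershell
# Added example, not part of the original analysis. Windows PowerShell 5.1, elevated.
$system = Join-Path $env:windir 'system'

# Hotfix IDs for the two bulletins. On a modern OS these are rolled into later
# service packs / cumulative updates and will not appear under their own ID,
# so a negative result is only meaningful on XP/2003-era hosts.
$bulletins = @{ 'MS06-040' = 'KB921883'; 'MS08-067' = 'KB958644' }
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patchState = foreach ($b in $bulletins.Keys) {
    [pscustomobject]@{ Bulletin = $b; HotFix = $bulletins[$b]; Installed = ($installed -contains $bulletins[$b]) }
}

# Map PIDs to image paths once; keys are cast to the same type on both sides.
$proc = @{}
Get-CimInstance Win32_Process | ForEach-Object { $proc[[uint32]$_.ProcessId] = $_ }
function Get-Owner([uint32]$ProcessId) {
    $p = $proc[$ProcessId]
    if ($p -and $p.ExecutablePath) { $p.ExecutablePath } else { '<unknown>' }
}

# 1. Listening ports above 1024: the worm opens a random high port to serve its copy.
$listeners = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -ge 1024 } |
    ForEach-Object {
        $img = Get-Owner $_.OwningProcess
        [pscustomobject]@{ Kind = 'Listen'; Local = $_.LocalPort; Remote = $null
                           PID = $_.OwningProcess; Image = $img; FromSystemDir = ($img -like "$system\*") }
    }

# 2. Established sessions to the IRC ports named in the entry. Port matching alone
#    is a weak signal (IRC runs on any port); the owning image is what to judge.
$irc = Get-NetTCPConnection -State Established | Where-Object { $_.RemotePort -in @(6667, 449) } |
    ForEach-Object {
        $img = Get-Owner $_.OwningProcess
        [pscustomobject]@{ Kind = 'IRC?'; Local = $_.LocalPort; Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                           PID = $_.OwningProcess; Image = $img; FromSystemDir = ($img -like "$system\*") }
    }

$patchState | Format-Table -AutoSize
@($listeners) + @($irc) | Sort-Object FromSystemDir -Descending | Format-Table -AutoSize
```

A listener owned by an image under %windir%\system, or an outbound 6667/449 session from such an image, matches the behaviour this entry describes; any other unexplained high-port listener still deserves a look, because the port the worm picks is random and the image name varies between samples.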
Removes connection restrictions
Win32/Neeris.gen!C might drop the driver <system folder>\drivers\sysdrv32.sys, which patches the TCP/IP stack to remove the Windows XP SP2 limit on concurrent half-open (incomplete) outbound TCP connections, a throttle that would otherwise slow the worm's scanning for new victims.
Analysis by Jireh Sanico