Classification

Category :

Malware

Type :

-

Aliases :

Neveg.C, I-Worm.Neveg.c, W32/Neveg.C

Summary

Neveg.C is a mass-mailing worm with Peer-to-Peer spreading capabilities.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Neveg.C arrives in email as a packed executable attachment.

System Infection

When the worm's file is run, it copies itself as services.exe to the Windows System folder and creates a startup value for this file under one of the following Registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
or
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

The key value name will be chosen from:

BuildLab
RegDone
ccApps
Microsoft Visual SourceSafe
TEXTCONV
FriendlyTypeName
.Prog
WMAudio

The value's data points to "%SystemDir%\services.exe".

%SystemDir% represents the Windows System folder, for example C:\Windows\System32 on Windows XP systems. Note that on Windows NT-based systems a legitimate services.exe (the Service Control Manager) also lives in this folder; Windows starts it itself and does not register it under a Run key, so the Run value, not the file name, is the indicator to look for.

[Image: the icon of the worm's file, shown on the original page]
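The persistence check a practitioner would run for the pattern described above, as an added example that is not F-Secure's tooling: it parses the text of a registry export (the format written by `reg export`) so it runs offline, and the export it scans is constructed for this example. Value names and the target path are taken from the description; the `reg export` escaping rules it undoes (doubled backslashes, escaped quotes) are the standard .reg text format.

```python
"""Check Run keys for the Neveg.C persistence pattern.

Added example, not F-Secure's tooling. It parses the text of a registry
export (what `reg export` writes) so it runs offline; the export below
is constructed for this example.
"""
import re

# Value names the worm chooses from (from the description above).
NEVEG_VALUE_NAMES = {
    "BuildLab", "RegDone", "ccApps", "Microsoft Visual SourceSafe",
    "TEXTCONV", "FriendlyTypeName", ".Prog", "WMAudio",
}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample in `reg export` format: two normal entries and two
# that match the worm's pattern in different ways.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMAudio"="C:\\WINDOWS\\System32\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BuildLab"="C:\\WINDOWS\\System32\\notepad.exe"
'''

# One REG_SZ line: "name"="data", with \\ and \" escapes allowed inside.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo reg-export escaping: doubled backslashes and escaped quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def command_path(data):
    """Extract the executable path from a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_neveg_persistence(entries):
    r"""Return (key, value name, data, reason) for Run values matching the worm.

    The file name alone is not an indicator: the legitimate Service Control
    Manager is also %SystemDir%\services.exe, but Windows starts it itself
    and never registers it under a Run key. A Run value that launches
    services.exe from the System folder is suspicious whatever its name;
    a value with one of the worm's names is worth checking even if its
    data points elsewhere.
    """
    hits = []
    for key in RUN_KEYS:
        for name, data in entries.get(key, {}).items():
            path = command_path(data).lower()
            reasons = []
            if name in NEVEG_VALUE_NAMES:
                reasons.append("value name from the Neveg.C list")
            if path.endswith("\\services.exe") and (
                    "\\system32\\" in path or "\\system\\" in path):
                reasons.append("launches services.exe from the System folder")
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_neveg_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name} = {data}\n  -> {reason}")
```

On a live system the same logic applies to the output of `reg export` for each of the two Run keys; the two reasons are kept separate because a hit on the value name alone (BuildLab pointing at notepad.exe in the sample) deserves a look but is weaker evidence than a Run value that launches services.exe from the System folder.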

Email Propagation

Neveg.C scans the hard drive for email addresses of possible victims. Files with the following extensions are searched:

.xml
.xls
.wsh
.wab
.vbs
.uin
.txt
.tbb
.stm
.shtm
.sht
.rtf
.pl
.php
.oft
.ods
.nch
.msg
.mmf
.mht
.mdx
.mbx
.jsp
.html
.htm
.eml
.dhtm
.dbx
.cgi
.cfg
.asp
.adb

Neveg.C spreads itself in emails with the following attachment filenames:

office.exe
notes.exe
doom3demo.exe
resume.exe
files.exe
request.exe
info.exe
details.exe
result.exe
results.exe
install.exe
setup.exe
test.exe
google.exe
se_files.exe

Propagation Through Peer-to-Peer Clients

Neveg.C is capable of spreading to the shared folders of Peer-to-Peer clients. It looks for folders whose names contain any of the following strings:

shared files
shar
my shared folder
mule
morpheus
lime
kazaa
icq
http
htdocs
ftp
download
donkey
bear
upload

The worm copies itself there with the following names:

XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Serials.txt.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
KAV 5.0.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
ACDSee 9.exe

The worm also attempts a DDoS attack against a list of websites that appear to belong to a single German company.