F-Secure Virus Descriptions : Neveg.C




NAME: Neveg.C
ALIAS: I-Worm.Neveg.c, W32/Neveg.C

Summary

Neveg.C is a mass-mailing worm with Peer-to-Peer spreading capabilities.

Detailed Description

Neveg.C arrives in email as a packed executable.

System Infection

When the worm's file is run, it copies itself as services.exe to the Windows System folder and creates a startup key for this file in the Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

 or

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

The key value name will be chosen from:

 BuildLab
 RegDone
 ccApps
 Microsoft Visual SourceSafe
 TEXTCONV
 FriendlyTypeName
 .Prog
 WMAudio

The value will point to "%SystemDir%\services.exe".

%SystemDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.
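As an added example (not part of the F-Secure writeup), the following Python scan reads a `reg export`-style text dump and flags Run values that point at services.exe, marking those that also use one of the worm's value names. The dump is constructed here, and the scan assumes the full HKEY_* key names that `reg export` writes.

```python
import re

# Run-key value names Neveg.C picks from (taken from the description above)
NEVEG_VALUE_NAMES = {
    "BuildLab", "RegDone", "ccApps", "Microsoft Visual SourceSafe",
    "TEXTCONV", "FriendlyTypeName", ".Prog", "WMAudio",
}
# The two autostart keys the worm writes, as they appear in a `reg export` dump
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# %SystemDir%\services.exe: System32 on NT/XP, System on 9x; path is case-insensitive
SERVICES_TAIL = re.compile(r"\\system(32)?\\services\.exe$", re.IGNORECASE)

def find_neveg_run_entries(reg_export):
    """Return (key, value_name, data, name_in_worm_list) for every Run value
    whose data points at services.exe. The real services.exe is started by the
    OS, never from a Run key, so any such entry is suspect; a worm value name too
    makes it a strong Neveg.C match."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        value_match = re.match(r'^"(.+?)"="(.*)"$', line)
        if not value_match:
            continue
        name = value_match.group(1)
        # .reg files escape backslashes and quotes; undo that before matching
        data = value_match.group(2).replace('\\"', '"').replace("\\\\", "\\")
        if SERVICES_TAIL.search(data.strip('"')):
            hits.append((current_key, name, data, name in NEVEG_VALUE_NAMES))
    return hits

# Constructed sample dump: one worm entry, one legitimate Run value, and one
# decoy under RunOnce (a key the worm does not use, so the scan must ignore it)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BuildLab"="C:\\WINDOWS\\System32\\services.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RegDone"="C:\\WINDOWS\\System32\\services.exe"
'''
```

Run `find_neveg_run_entries(SAMPLE_REG_EXPORT)` on the sample, or feed it the output of `reg export` on a suspect machine.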

The icon for the program will look like this:

Email Propagation

Neveg.C scans the hard drive to collect e-mail addresses of possible victims. Files with the following extensions are checked:

 .xml
 .xls
 .wsh
 .wab
 .vbs
 .uin
 .txt
 .tbb
 .stm
 .shtm
 .sht
 .rtf
 .pl
 .php
 .oft
 .ods
 .nch
 .msg
 .mmf
 .mht
 .mdx
 .mbx
 .jsp
 .html
 .htm
 .eml
 .dhtm
 .dbx
 .cgi
 .cfg
 .asp
 .adb

Neveg.C spreads itself in e-mails with the following attachment filenames:

 office.exe
 notes.exe
 doom3demo.exe
 resume.exe
 files.exe
 request.exe
 info.exe
 details.exe
 result.exe
 results.exe
 install.exe
 setup.exe
 test.exe
 google.exe
 se_files.exe

Propagation Through Peer-to-Peer Clients

Neveg.C is capable of spreading to shared folders of Peer-to-Peer clients. It will look for folders with names containing strings from the following list:

 shared files
 shar
 my shared folder
 mule
 morpheus
 lime
 kazaa
 icq
 http
 htdocs
 ftp
 download
 donkey
 bear
 upload

The worm copies itself there with the following names:

 XXX hardcore images.exe
 Windows Sourcecode update.doc.exe
 Windown Longhorn Beta Leak.exe
 WinAmp 6 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 Serials.txt.exe
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno Screensaver.scr
 Porno pics arhive, xxx.exe
 Opera 8 New!.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Microsoft Office XP working Crack, Keygen.exe
 Microsoft Office 2003 Crack, Working!.exe
 Matrix 3 Revolution English Subtitles.exe
 KAV 5.0.exe
 Kaspersky Antivirus 5.0.exe
 Ahead Nero 7.exe
 Adobe Photoshop 9 full.exe
 ACDSee 9.exe

The worm also tries to launch a DDoS attack against a series of websites, which apparently all belong to one German company.




Detection

F-Secure Anti-Virus detects Neveg.C starting from the following update:

[FSAV_Database_Version]

Version=2004-08-17_01



Writeup: Ero Carrera, August 17th, 2004

F-Secure Corporation