F-Secure Virus Descriptions : Newbiero
Newbiero is a worm that spreads through local area networks.
This worm has a backdoor routine that allows a 'master' (the
person controlling the worm) to monitor infected machines. The
worm itself is a Windows PE EXE file about 160Kb in size, written
in Microsoft Visual C++.
When run, the worm installs itself into the system: it copies itself
to the Windows system directory under a random name (for example,
AGCMJL.EXE or CBICAR.EXE) and registers this file in the system
registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft Diagnostic = %worm random EXE name%
Newbiero then deletes its original EXE file (from where it was
run).
The worm also creates the MSSE.INI file in the Windows system
directory and uses this file as an infection flag while spreading
through the local area network.
To infect the local network the worm scans local network IP
addresses and tries to connect to the machines it finds by mapping
their hard drives. If a connection succeeds, the worm copies itself
to the mapped drive as:
\WINDOWS\Start Menu\Programs\StartUp\mssg.exe
If Windows is installed in a directory with a different name, the
copy lands outside the StartUp folder and the worm does not start on
that machine.
The backdoor routine lets the 'master' remotely:
* download other EXE files to the infected machine and run them
* run local EXE files
* exit Windows, reboot the machine, log off users
* perform DoS (Denial of Service) attacks, so a set of infected
  machines can be used for DDoS
* report RAS information (logins and passwords) from the affected machine
The worm tries to terminate the following firewalls:
* Sygate Personal Firewall
* Tiny Personal Firewall
* ZoneAlarm Pro
* ZoneAlarm
If the "c:\logging.ini" file exists and is not empty, the worm
writes reports about its actions to the following files:
* c:\logs\misc.log
* c:\logs\IPreport.log
* c:\logs\ips.log
* c:\logs\recived.log
* c:\logs\yey.ini
* c:\logs\scan.log
* c:\logs\infections.log
* c:\logs\servmsg.log
* c:\logs\Fetchreport.log
* c:\logs\opt.abc
* c:\logs\abc.cba
* c:\online.log
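The host indicators described above (the "Microsoft Diagnostic" auto-run value, the MSSE.INI flag file, the StartUp copy and the c:\logs report files) can be matched against a host snapshot with a script like the one below. This is an added example, not code from F-Secure or Kaspersky; the six-letter random-name pattern, the default system directory and the sample snapshot are assumptions constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the Newbiero description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Diagnostic"
FLAG_FILE = "msse.ini"  # infection flag in the Windows system directory
STARTUP_DROP = r"\windows\start menu\programs\startup\mssg.exe"
LOG_FILES = {r"c:\logs\misc.log", r"c:\logs\ipreport.log", r"c:\logs\ips.log",
             r"c:\logs\recived.log", r"c:\logs\yey.ini", r"c:\logs\scan.log",
             r"c:\logs\infections.log", r"c:\logs\servmsg.log",
             r"c:\logs\fetchreport.log", r"c:\logs\opt.abc",
             r"c:\logs\abc.cba", r"c:\online.log"}
# Assumption: the random file name is six letters, as in AGCMJL.EXE / CBICAR.EXE.
RANDOM_EXE = re.compile(r"^[A-Z]{6}\.EXE$", re.IGNORECASE)

def scan_host(registry, files, system_dir=r"C:\WINDOWS\SYSTEM"):
    """Return (indicator, detail) findings for one host snapshot.

    registry: {key_path: {value_name: value_data}}
    files:    absolute paths present on the host (local or mapped)
    system_dir is an assumption; pass the real one for the host.
    """
    findings = []
    present = {f.lower() for f in files}
    sysdir = system_dir.lower().rstrip("\\")
    data = registry.get(RUN_KEY, {}).get(RUN_VALUE_NAME)
    if data is not None:
        name = PureWindowsPath(data).name
        kind = "random-looking name" if RANDOM_EXE.match(name) else "non-random name"
        findings.append(("autorun value", f"{RUN_VALUE_NAME} = {data} ({kind})"))
    if f"{sysdir}\\{FLAG_FILE}" in present:
        findings.append(("infection flag", f"{system_dir}\\MSSE.INI"))
    for path in sorted(present):
        if path.endswith(STARTUP_DROP):
            findings.append(("startup dropper", path))
    if r"c:\logging.ini" in present:
        hits = present & LOG_FILES
        findings.append(("logging enabled", f"{len(hits)} known log file(s) present"))
    return findings

# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_REGISTRY = {RUN_KEY: {RUN_VALUE_NAME: r"C:\WINDOWS\SYSTEM\AGCMJL.EXE",
                             "SomeLegitApp": r"C:\Program Files\App\app.exe"}}
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\AGCMJL.EXE", r"C:\WINDOWS\SYSTEM\MSSE.INI",
                r"\\PC-07\C$\WINDOWS\Start Menu\Programs\StartUp\mssg.exe",
                r"C:\logging.ini", r"C:\logs\scan.log", r"C:\logs\infections.log"]

def demo():
    return scan_host(SAMPLE_REGISTRY, SAMPLE_FILES)

if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"[{indicator}] {detail}")
```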
F-Secure Anti-Virus detects Newbiero worm with the latest
updates.
[Analysis: Kaspersky Labs, 2002]