Category :


Type :


Aliases :

Newbiero, Worm.Newbiero, I-Worm.Newbiero


Newbiero is a worm virus spreading through local area networks. This worm has a backdoor routine that allows a 'master' (the person controlling the worm) to monitor infected machines. The worm itself is a Windows PE EXE file about 160Kb in size, written in Microsoft Visual C++.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When run the worm installs itself into the system, copies itself to the Windows system directory with a random name (for example, AGCMJL.EXE or CBICAR.EXE) and registers this file in the system registry auto-run key:

Microsoft Diagnostic = %worm random EXE name%

Newbiero then deletes its original EXE file (from where it was run).

The worm also creates the MSSE.INI file in the Windows system directory and uses this file as an infection flag while spreading through the local area network.

To infect the local network the worm scans local network IP addresses and tries to connect to machines it finds by mapping the hard drives. If a successful connection occurs the worm copies itself the hard drive with the name:

\WINDOWS\Start Menu\Programs\StartUp\mssg.exe

If Windows is installed in a directory with a different name, the infection procedure fails to spread the worm.

The backdoor routine provides remote control to:

* download to the infected machine other EXE files and run them
* run local EXE files
* exit Windows, reboot the machine, logoff users
* perform DoS (Denial of Service) attacks, thus the worm has DDoS ability
* report RAS information from the affected machine (logins and passwords)

The worm tries to terminate the following firewalls:

* Sygate Personal Firewall
* Tiny Personal Firewall
* ZoneAlarm Pro
* ZoneAlarm

If the "c:\logging.ini" file contains any content the worm creates .log files where it writes different reports about its actions. Such .log files are:

* c:\logs\misc.log
* c:\logs\IPreport.log
* c:\logs\ips.log
* c:\logs\recived.log
* c:\logs\yey.ini
* c:\logs\scan.log
* c:\logs\infections.log
* c:\logs\servmsg.log
* c:\logs\Fetchreport.log
* c:\logs\
* c:\logs\
* c:\online.log

F-Secure Anti-Virus detects Newbiero worm with the latest updates.