Newbiero

Classification

Malware

Worm

W32

Newbiero, Worm.Newbiero, I-Worm.Newbiero

Summary

Newbiero is a worm that spreads through local area networks. It carries a backdoor routine that allows a 'master' (the person controlling the worm) to monitor infected machines. The worm itself is a Windows PE EXE file about 160 KB in size, written in Microsoft Visual C++.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When run, the worm installs itself into the system: it copies itself to the Windows system directory under a random name (for example, AGCMJL.EXE or CBICAR.EXE) and registers that file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft Diagnostic = %worm random EXE name%

Newbiero then deletes its original EXE file (from where it was run).

The worm also creates the MSSE.INI file in the Windows system directory and uses this file as an infection flag while spreading through the local area network.

To infect the local network, the worm scans local network IP addresses and tries to connect to the machines it finds by mapping their hard drives. If a connection succeeds, the worm copies itself to the mapped drive as:

\WINDOWS\Start Menu\Programs\StartUp\mssg.exe

If Windows is installed in a directory with a different name, this infection step fails and the worm does not spread to that machine.

The backdoor routine provides remote control to:

* download other EXE files to the infected machine and run them
* run local EXE files
* exit Windows, reboot the machine, log off users
* perform DoS (Denial of Service) attacks, so the worm can be used for DDoS
* report RAS information (logins and passwords) from the affected machine

The worm tries to terminate the following firewalls:

* Sygate Personal Firewall
* Tiny Personal Firewall
* ZoneAlarm Pro
* ZoneAlarm

If the file "c:\logging.ini" contains any content, the worm creates .log files in which it writes various reports about its actions. These files are:

* c:\logs\misc.log
* c:\logs\IPreport.log
* c:\logs\ips.log
* c:\logs\recived.log
* c:\logs\yey.ini
* c:\logs\scan.log
* c:\logs\infections.log
* c:\logs\servmsg.log
* c:\logs\Fetchreport.log
* c:\logs\opt.abc
* c:\logs\abc.cba
* c:\online.log
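The artifacts listed in the technical details above (the auto-run value, the random six-letter EXE, the MSSE.INI flag, the mssg.exe copy in StartUp, and the report files) can be checked against a host inventory offline. The following is an added example, not F-Secure's code: it runs over a constructed host snapshot whose layout (the dictionary keys and the "name=path" form of auto-run entries) is an assumption of this example.

```python
import re
from typing import Dict, List

# Indicators taken from the description above (value name, file names, paths).
AUTORUN_VALUE = "microsoft diagnostic"             # value name under HKLM\...\Run
RANDOM_EXE = re.compile(r"^[A-Z]{6}\.EXE$", re.I)  # e.g. AGCMJL.EXE, CBICAR.EXE
INFECTION_FLAG = "msse.ini"                        # flag file in the system directory
STARTUP_DROP = "mssg.exe"                          # copy placed in remote StartUp folders
LOG_PATHS = ("c:\\logging.ini", "c:\\online.log")  # report switch and one report file
LOG_DIR = "c:\\logs\\"                             # the other report files live here
LOG_EXTS = (".log", ".ini", ".abc", ".cba")

def triage(snapshot: Dict[str, List[str]]) -> List[str]:
    """Return findings for one host snapshot; an empty list means no indicator hit.
    Snapshot layout (an assumption of this example, not an F-Secure format):
      run_values  : ["<value name>=<path>", ...] exported from the Run key
      system_dir  : file names found in the Windows system directory
      startup_dir : file names found in Start Menu\\Programs\\StartUp
      c_files     : full paths of files under C:\\ root and C:\\logs
    """
    findings: List[str] = []
    for entry in snapshot.get("run_values", []):
        name, _, path = (part.strip() for part in entry.partition("="))
        if name.lower() == AUTORUN_VALUE:
            findings.append(f"Run value '{name}' present, target {path}")
            if RANDOM_EXE.match(path.rsplit("\\", 1)[-1]):
                findings.append(f"target {path} matches the six-letter random name")
    if INFECTION_FLAG in {f.lower() for f in snapshot.get("system_dir", [])}:
        findings.append(f"infection flag {INFECTION_FLAG} in system directory")
    if STARTUP_DROP in {f.lower() for f in snapshot.get("startup_dir", [])}:
        findings.append(f"{STARTUP_DROP} in StartUp folder (network infection)")
    for path in snapshot.get("c_files", []):
        p = path.lower()
        if p in LOG_PATHS or (p.startswith(LOG_DIR) and p.endswith(LOG_EXTS)):
            findings.append(f"backdoor report file {path}")
    return findings

# Constructed samples: one host showing every artifact, one clean host.
INFECTED_HOST = {
    "run_values": ["Microsoft Diagnostic=C:\\WINDOWS\\SYSTEM\\AGCMJL.EXE"],
    "system_dir": ["KERNEL32.DLL", "AGCMJL.EXE", "MSSE.INI"],
    "startup_dir": ["mssg.exe"],
    "c_files": ["c:\\logging.ini", "c:\\logs\\infections.log", "c:\\boot.ini"],
}
CLEAN_HOST = {
    "run_values": ["ctfmon.exe=C:\\WINDOWS\\system32\\ctfmon.exe"],
    "system_dir": ["KERNEL32.DLL"], "startup_dir": [], "c_files": ["c:\\boot.ini"],
}
```

Calling `triage(INFECTED_HOST)` returns six findings (one per artifact, plus the random-name match on the auto-run target), while `triage(CLEAN_HOST)` returns an empty list.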

F-Secure Anti-Virus detects Newbiero worm with the latest updates.