1. /
  2. Security Response/
  3. Trojan.Nurevil

Trojan.Nurevil

Risk Level 1: Very Low

Discovered:
June 27, 2013
Updated:
July 3, 2013 11:33:14 AM
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
This Trojan may be downloaded by Downloader.Nurevil.

When the Trojan is executed, it creates the following file:
%System%\crypt.dll

The Trojan then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\Version\"(Default)" = "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\TypeLib\"(Default)" = "{C8647D94-D767-4D5E-AE99-6FC65E52FBF9}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\InprocServer32\"(Default)" = "%System%\crypt.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"(Default)" = "HelloWorldBHO Class"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"(Default)" = "HelloWorldBHO"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"NoExplorer" = "1"

Note: The above registry entries registers the dropped DLL as a browser help object (BHO).

The Trojan monitors for access to the following websites:
  • www.itembay.com
  • www.itemmania.com
  • paypal.com

If access to the above sites is detected, it will then display adverts retrieved from the following IP address:
204.45.158.83
Writeup By: Jeet Morparia & Takayoshi Nakayama
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver