
HTTP Trojan Nebuler Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network activity of the Trojan.Nebuler security risk, a Trojan horse that may download and execute files from remote sites.

Additional Information

Trojan.Nebuler is a Trojan horse that attempts to download and execute files from remote sites. It also sends information about the compromised computer to a remote site.

When Trojan.Nebuler is executed, it performs the following actions:

1. Drops an embedded DLL file to the following locations:

* %UserProfile%\Local Settings\Temp\cli[TWO RANDOM CHARACTERS].tmp
* %System%\win[THREE RANDOM CHARACTERS]32.dll

Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates the following files:

* %UserProfile%\Local Settings\Temp\win[TWO RANDOM CHARACTERS].tmp
* %UserProfile%\Local Settings\Temp\cli[TWO RANDOM CHARACTERS].bat

3. Injects %System%\win[THREE RANDOM CHARACTERS]32.dll into the Winlogon system process.

4. Terminates itself.

5. Creates the mutex named "m3d5rt10" so that only one instance of the threat is run on the compromised computer.

6. Creates an instance of iexplore.exe and injects a remote thread into the created instance.

7. Sends information about the compromised computer to the following sites:

* here4search.biz
* content.jdial.biz
* smart-security.biz

Note: Depending on the response received in the previous step, it may also download and execute files from these sites.

8. Creates the following registry subkey to store information about the compromised computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

9. Creates the following registry subkey so that the Trojan is loaded every time Windows starts. Registering the DLL under Winlogon\Notify makes Winlogon load it as a notification package at logon, which is how the DLL ends up inside the Winlogon process on subsequent boots:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win[THREE RANDOM CHARACTERS]32
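
The indicators in steps 1 through 9 can be turned into a host triage check. The following is an added example written for this page, not Symantec signature code: it matches a collected host snapshot (file paths, registry keys, mutex names, resolved hostnames) against the paths, mutex, registry keys and sites listed above. The snapshot is constructed inline. Two assumptions are labelled in the code: the random characters are taken to be alphanumeric (the write-up does not say which character set is used), and a hit is reported as "confirmed" only when a Winlogon\Notify subkey and a System-folder DLL share the same three random characters, because the win???32.dll name pattern on its own is too loose to act on.

```python
import re
from typing import Dict, List

# Indicators transcribed from the write-up above.
C2_DOMAINS = {"here4search.biz", "content.jdial.biz", "smart-security.biz"}
MUTEX_NAME = "m3d5rt10"
DATA_SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR"

# Assumption: [TWO/THREE RANDOM CHARACTERS] are alphanumeric. The write-up
# does not state the character set, so widen these if your samples differ.
RAND2 = r"[A-Za-z0-9]{2}"
RAND3 = r"[A-Za-z0-9]{3}"

# Step 1/2: cli??.tmp, cli??.bat and win??.tmp under Local Settings\Temp.
TEMP_FILE_RE = re.compile(
    r"\\Local Settings\\Temp\\(?:cli" + RAND2 + r"\.(?:tmp|bat)|win" + RAND2 + r"\.tmp)$",
    re.IGNORECASE)
# Step 1: win???32.dll in the System folder; group 1 is the random stem.
SYSTEM_DLL_RE = re.compile(
    r"\\(?:System32|System)\\win(" + RAND3 + r")32\.dll$", re.IGNORECASE)
# Step 9: Winlogon\Notify\win???32; group 1 is the random stem.
NOTIFY_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\win(" + RAND3 + r")32$", re.IGNORECASE)


def triage(snapshot: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Match a host snapshot against the Nebuler indicators.

    snapshot keys (produced by whatever collector you use, not by this code):
      "files"   - full paths of files on disk
      "regkeys" - full registry key paths
      "mutexes" - names of named mutexes present on the host
      "dns"     - hostnames the host resolved or connected to
    Returns category -> matched items. "confirmed" holds Notify-key/DLL pairs
    whose three random characters agree; that correlation is the
    high-confidence signal, the DLL name pattern alone is not.
    """
    hits = {"temp_files": [], "system_dlls": [], "notify_keys": [],
            "data_key": [], "mutex": [], "c2": [], "confirmed": []}
    dll_stems: Dict[str, str] = {}
    for path in snapshot.get("files", []):
        if TEMP_FILE_RE.search(path):
            hits["temp_files"].append(path)
        m = SYSTEM_DLL_RE.search(path)
        if m:
            hits["system_dlls"].append(path)
            dll_stems[m.group(1).lower()] = path
    notify_stems: Dict[str, str] = {}
    for key in snapshot.get("regkeys", []):
        m = NOTIFY_KEY_RE.match(key)
        if m:
            hits["notify_keys"].append(key)
            notify_stems[m.group(1).lower()] = key
        elif key.lower() == DATA_SUBKEY.lower():
            hits["data_key"].append(key)
    # Correlate step 9 (Notify subkey) with step 1 (dropped DLL) by stem.
    for stem in sorted(notify_stems.keys() & dll_stems.keys()):
        hits["confirmed"].append(f"{notify_stems[stem]} -> {dll_stems[stem]}")
    hits["mutex"] = [m for m in snapshot.get("mutexes", []) if m == MUTEX_NAME]
    hits["c2"] = [h for h in snapshot.get("dns", []) if h.lower() in C2_DOMAINS]
    return hits


def sample_snapshot() -> Dict[str, List[str]]:
    """Constructed sample: an infected XP host plus a few benign entries that
    must not match (wininet.dll, kernel32.dll, the legitimate crypt32 Notify
    package, an unrelated mutex and hostname)."""
    return {
        "files": [
            r"C:\Documents and Settings\alice\Local Settings\Temp\cliA7.tmp",
            r"C:\Documents and Settings\alice\Local Settings\Temp\cliA7.bat",
            r"C:\Documents and Settings\alice\Local Settings\Temp\winQ2.tmp",
            r"C:\WINDOWS\system32\winxkd32.dll",
            r"C:\WINDOWS\system32\wininet.dll",
            r"C:\WINDOWS\system32\kernel32.dll",
        ],
        "regkeys": [
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winxkd32",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR",
        ],
        "mutexes": ["ShimCacheMutex", "m3d5rt10"],
        "dns": ["www.microsoft.com", "here4search.biz"],
    }


if __name__ == "__main__":
    for category, items in triage(sample_snapshot()).items():
        print(f"{category}: {items}")
```

On a live host, feed the function the output of a file-system walk of the Temp and System folders, a registry export of the Winlogon\Notify and Microsoft subkeys, and the named-object and DNS records from your EDR or Sysmon logs; a "confirmed" pair together with the m3d5rt10 mutex is the combination worth acting on.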

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Find the Trojan file name.
2. Restart the computer using the Windows Recovery Console (the dropped DLL is loaded into the Winlogon process, so it cannot be deleted while Windows is running).
3. Disable System Restore (Windows Me/XP).
4. Update the virus definitions.
5. Run a full system scan.
6. Delete any values added to the registry.