
System Infected: Trojan.Netweird Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Netweird activity on the infected machine.

Additional Information

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\msconfig.ini
%ProgramFiles%\Startup\Google.com.url
%UserProfile%\Application Data\[9 RANDOM DIGITS].exe
%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe
%Temp%\[4 RANDOM DIGITS]
%UserProfile%\Application Data\Install\Host.exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows COM Host" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe -rundll32 /SYSTEM32 \%System%\taskmgr.exe\" \"%ProgramFiles%\Microsoft\Windows\""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NetWire" = "%UserProfile%\Application Data\Install\Host.exe"

It also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft\Sysinternals\"PROCID" = "5728"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = ""%UserProfile%\Application Data\Install\Host.eXe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = "\%UserProfile%\Application Data\Install\Host.eXe\"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Spybotsd.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comhost.exe\"DisableExceptionChainValidation" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\"REG_DWORD" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"Start" = "4"
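The file paths and registry entries above are the artifacts a responder would look for on a host that raised this signature. The following PowerShell script is an added example, not Symantec's code or part of the signature, that audits a Windows host for exactly those artifacts: the Run and "load" persistence values, IFEO Debugger redirections to nsjw.exe, an Active Setup StubPath pointing at the dropped Host.exe, the disabled Task Scheduler service, and the dropped files (random name components are matched with wildcards or regular expressions). It assumes it runs in an elevated PowerShell session on the host being checked; it is read-only and reports findings without changing anything.

```powershell
# Added example (not Symantec's code): audit a Windows host for the Trojan.Netweird
# persistence artifacts listed in the signature. Read-only: it reports, it does not remediate.
# Assumption: run elevated on the host under review. Key names, value names and file
# paths are taken from the signature text; random components are matched with patterns.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Pattern)
    # Records a finding when the value exists and its data matches $Pattern (regex, case-insensitive).
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    } catch { return }
    $data = [string]$item.$Name
    if ($data -match $Pattern) { $findings.Add("$Path\$Name = $data") }
}

# 1. Run keys and the "load" value named in the signature
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Windows COM Host' 'comhost\.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'NetWire' 'Host\.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'load' 'comhost\.exe'

# 2. IFEO Debugger redirections: any IFEO subkey whose Debugger value points at nsjw.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'nsjw\.exe') {
        $findings.Add("IFEO Debugger on $($_.PSChildName) = $dbg")
    }
}

# 3. Active Setup StubPath pointing at the dropped Host.exe (the GUID subkey name is random)
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -Name 'StubPath' -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'Application Data\\Install\\Host\.exe') {
        $findings.Add("Active Setup $($_.PSChildName) StubPath = $stub")
    }
}

# 4. Task Scheduler service set to Disabled (Start = 4), as listed in the signature
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' 'Start' '^4$'

# 5. Dropped files with fixed names
$appData = Join-Path $env:USERPROFILE 'Application Data'
$fixedPaths = @(
    (Join-Path $appData 'msconfig.ini'),
    (Join-Path $appData 'Install\Host.exe'),
    (Join-Path $env:ProgramFiles 'Startup\Google.com.url')
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 6. Dropped files with random name components
#    %SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe
Get-ChildItem -Path "$env:SystemDrive\" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{\$\d{16}\$\}$' } |
    ForEach-Object {
        $c = Join-Path $_.FullName 'comhost.exe'
        if (Test-Path -LiteralPath $c) { $findings.Add("File present: $c") }
    }
#    %UserProfile%\Application Data\[9 RANDOM DIGITS].exe
Get-ChildItem -Path $appData -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{9}\.exe$' } |
    ForEach-Object { $findings.Add("File present: $($_.FullName)") }

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Netweird persistence artifacts found.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The IFEO check deliberately inspects every subkey rather than only the process names listed above, because the Debugger value redirecting to nsjw.exe is the indicator; the set of targeted security tools may differ between samples. On Windows Vista and later, %UserProfile%\Application Data is a junction to AppData\Roaming, so the file checks resolve to that directory; if the junction has been removed, check AppData\Roaming directly. A disabled Schedule service (Start = 4) is also a legitimate configuration on some hosts, so treat that finding as corroborating rather than conclusive on its own.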

The Trojan may then perform the following actions on the compromised computer:
Steal email credentials from Microsoft Outlook
Log keystrokes
Open a command shell
Perform distributed denial-of-service (DDoS) attacks
Turn the compromised computer into a Web proxy
Mine cryptocurrency

The Trojan may also steal passwords from the following Internet browsers:
Internet Explorer
Opera
Chrome
Firefox

Affected

  • Various platforms