Worm.Win32.Neutrino

General Explanation

Type: Worm

Degree of destruction: high

Prevalence: high

What is the Worm?

Computer worms such as Neutrino are types of malware that can automatically reproduce themselves. For permanence, worms set ways to maintain infection in the system in every boot. The prominent feature of worms is their distribution method which is generally through portable drives and shared directories in the network.

What is Neutrino malware?

Neutrino malware provides a basis for bitcoin miners and Ransomware. The most important detected Ransomware in this way is Gand Crab malware.

This malware will run multiple bitcoin miner processes after the execution that will engage the system CPU and slows the OS.

Technical Explanation

One of the distribution methods of this malware is portable drive as such all victim’s existing files and portable drives will be transferred to a directory named “_” and copy a version of itself in this directory. In some of these malware examples and the path of portable drive, two files “deviceconfigmanager.vbs and autorun.inf” will be placed as well as an Ink file in every example in the path of portable drive. All files and directories except Ink file are hidden and system type. Hence, the only thing which can be seen in it is the Ink file which will be executed with a click, when you connect the portable drive to the system.

First, malware will provide a basis for its permanence and then acts like a bot and will connect to its server; based on the instructions it received from its server, it will provide a basis for the creation and execution of bitcoins. By executing bitcoins, the user’s system will extensively be slow that this is due to the too much use of CPU by the malware processes.

This malware is sensitive to several related processes to VMWare-VirtualBox-Citrix Xen Server it will end its execution if it runs on one of these Virtual machines.

Signs of infection 

Each of the following files can build into the victim’s system separately:

  • [SystemRoot]:\\Windows\\M-505059720970246082475082628448545\\winmgr.exe
  • [SystemRoot]:\\Windows\\M-505059720970246082475082628448545\\winsvc.exe
  • [SystemRoot]:\\Windows\\M-505059720970246082475082628448545\\winsvcs.exe
  • [SystemRoot]:\\Windows\\M-505059720970246082475082628448545\\winsecmgr.exe

The directory name from “M-” to the end of the phrase is random. In some examples, the name of the directory will begin by “T-“.

In the new observed examples the name of the directory is just a random collection of numbers and the letters “M-” and “T-” have been removed.

In the new examples that were recently analyzed, malware will deactivate system restore by changing registries.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

ValueName = DisableSR

Generally, the malware process will be run by the following name:

winsvcs.exe-winsvc.exe-winmgr.exe-winsecmgr.exe

If the following names that their parental processes are not explorer.exe and services.exe, it can be observed in the current system processes that may be the system is infected to the bitcoin files which is downloaded from the infected malware.

“svchost.exe”,”notepad.exe”,”winmgr.exe”,”wuapp.exe”

The built-up registry path for malware permanence:

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
ValueName = “Microsoft Windows Manager” OR “Microsoft Windows Service” OR “Microsoft Windows Services” OR “Microsoft Windows Updates” OR “Microsoft Windows Updates Manager” OR “Microsoft Windows Driver”
Data=%User Profile%\[RandomName]\winsvcs.exe
OR
[SystemRoot]:\Windows\]\[RandomName]\winsvcs.exe

In the new version of this malware in Windows 10, the malware will manipulate the registries related to Windows Defender. These changes may interfere with the Windows Defender function.

HKLM\Software\Policies\Microsoft\Windows‬‬ ‫‪Defender\Real-Time Protection

Value: DisableScanOnRealtimeEnable OR DisableOnAccessProtection OR DisableBehaviorMonitoring

This malware, also, infects the directories and share drives such as portable drives.

In the new versions of this malware, a massive volume of traffic will exist from port 5900 of the infected system. Malware tries to connect with a huge number of IPs from this port. Surveys show that some of these IPs belong to the malware server.

This malware continuously updating itself

How to deal with it and disinfect the system

By UMP capability that is a part of behavioral protection, Padvish can prevent the system from infection through a portable drive. Therefore, to prevent infection to all types of malware that transfer through portable drives such as Neutrino malware, it is recommended to install Padvish and prevent malware from entering and infecting the system.

If your system is infected with Neutrino malware, follow these steps:

  1. Install Padvish on your system
  2. Connect the infected portable drive to your system
  3. Scan the portable drive with Padvish to disinfect the drive and your infected system.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>