New malware is popping up all the time; here is another one, titled "Trojan.Neprodoor!inf". Information on it can be found below:
Trojan.Neprodoor!inf
Risk Level 1: Very Low
Discovered: March 2, 2009
Updated: March 2, 2009 8:02:14 PM
Type: Trojan
Infection Length: 213,120 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.Neprodoor!inf is a detection for infected ndis.sys driver files.
Protection
    * Initial Rapid Release version March 2, 2009 revision 032
    * Latest Rapid Release version March 2, 2009 revision 032
    * Initial Daily Certified version March 2, 2009 revision 035
    * Latest Daily Certified version March 2, 2009 revision 035
    * Initial Weekly Certified release date March 4, 2009
Threat Assessment
Wild
    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy
Damage
    * Damage Level: Low
Distribution
    * Distribution Level: Low
Once the infected driver file executes, it injects a malicious thread into the services.exe process.
The injected malicious thread then creates the following mutex so only one instance of the back door is running:
CTR.[16 HEXADECIMAL DIGITS]
Then the infected driver file may modify the following registry entries:
    * HKEY_LOCAL_MACHINE\Software\AGProtect\"Cfg" = "[BINARY DATA]"
    * HKEY_CURRENT_USER\Software\AGProtect\"Cfg" = "[BINARY DATA]"
Next, it will attempt to establish a TCP connection with one of the following hosts using port 80:
It uses an encrypted custom protocol to communicate with the remote servers and may perform any of the following actions:
    * Provide confidential information about the compromised computer.
    * Download and execute binary files sent by the remote attacker.
    * Act as a TCP proxy.
The infected driver file includes the functionality to protect the infected ndis.sys from being overwritten. It also presents a non-infected image of ndis.sys to applications that attempt to read the infected file.
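The write-up above gives three host-side indicators a responder can check for: the CTR.[16 hex digits] mutex, the AGProtect\Cfg registry value, and the fact that the running system will hand back a clean-looking ndis.sys. The script below is an added triage example (not Symantec's or the malware author's code) that matches the first two against constructed sample data and shows the cross-view comparison needed for the third; the object names, registry paths and file contents are all made up for the example.

```python
import hashlib
import re

# Single-instance mutex created by the back door: "CTR." plus 16 hex digits.
MUTEX_RE = re.compile(r"^CTR\.[0-9A-Fa-f]{16}$")

# Registry value the infected driver may write, under HKLM or HKCU.
REG_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER)\\Software\\AGProtect\\Cfg$",
    re.IGNORECASE,
)


def find_neprodoor_mutexes(object_names):
    """Return object names whose last path component matches CTR.<16 hex>.

    Object enumerators usually report mutexes as \\BaseNamedObjects\\<name>,
    so only the final component is matched.
    """
    return [n for n in object_names if MUTEX_RE.match(n.rsplit("\\", 1)[-1])]


def find_agprotect_values(registry_paths):
    """Return registry value paths matching the AGProtect\\Cfg indicator."""
    return [p for p in registry_paths if REG_RE.match(p.strip())]


def ndis_cross_view_mismatch(live_image, offline_image):
    """Compare ndis.sys as read on the running host with a copy read offline.

    The infected driver serves a clean image to readers on the live system, so
    a hash taken there cannot be trusted on its own; a difference between the
    two views is the tell. Returns (mismatch, live_sha256, offline_sha256).
    """
    live = hashlib.sha256(live_image).hexdigest()
    offline = hashlib.sha256(offline_image).hexdigest()
    return live != offline, live, offline


# Constructed sample data, not taken from a real host.
SAMPLE_OBJECTS = [
    "\\BaseNamedObjects\\CTR.0123456789ABCDEF",    # matches the back door pattern
    "\\BaseNamedObjects\\CTR.0123",                # too short, not a match
    "\\BaseNamedObjects\\MSCTF.Shared.MUTEX.ABC",  # unrelated benign mutex
]
SAMPLE_REGISTRY = [
    r"HKEY_LOCAL_MACHINE\Software\AGProtect\Cfg",
    r"HKCU\Software\AGProtect\Cfg",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Stand-ins for the two views of ndis.sys: what the live host returns versus
# what offline media shows for the same file.
CLEAN_VIEW = b"MZ\x90\x00 clean ndis.sys image"
INFECTED_VIEW = CLEAN_VIEW + b" patched"

if __name__ == "__main__":
    print("mutexes:", find_neprodoor_mutexes(SAMPLE_OBJECTS))
    print("registry:", find_agprotect_values(SAMPLE_REGISTRY))
    print("ndis.sys mismatch:", ndis_cross_view_mismatch(CLEAN_VIEW, INFECTED_VIEW)[0])
```

On a real host the object names would come from a handle or object enumeration and the registry paths from a hive export, while the offline copy of ndis.sys must be read from media the infected driver is not running on.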
Monday, March 2, 2009