

VIRUS ALERTS

Nethell Trojan

Original issue date: October 12, 2007
Updated: December 13, 2007

It has been observed that a Trojan known as Trojan.Nethell is circulating widely. The Nethell Trojan, also detected as TR/Drop.NetHell, began spreading in April 2006. It uses keylogging to capture information from the infected system and sends the captured data to remote systems and websites under the attacker's control. The captured information can then be used for online fraud.

The Trojan can also redirect and intercept web traffic, and download and install further malware on the infected system, turning it into a bot that the attacker can use for other malicious activities such as denial-of-service attacks and spamming.


Aliases: Trojan-Dropper.Win32.Agent.ayg [Kaspersky], PWS-Banker.gen.ad [McAfee], Trojan.Nethell [Symantec], TR/Drop.NetHell.A [Avira]

Upon execution, the Trojan:

  • Creates the following files:
    • %System%\nethelper.xml
    • %System%\nethelper2.xml
    • %System%\commandhelper.xml
    • %System%\log.txt
    • %System%\Nethelper.dll
    • %System%\HookDll.dll
  • Creates registry entries under the following
    registry subkeys:
    HKEY_CLASSES_ROOT\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}
    HKEY_CLASSES_ROOT\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}
    HKEY_CLASSES_ROOT\NetHelper.Hook
    HKEY_CLASSES_ROOT\NetHelper.Hook.1
    HKEY_CLASSES_ROOT\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}
  • Creates the following registry entries, the first of which ensures its
    execution at every system start up:
    "updater.exe" = "[RANDOM FILE NAME]"
    in the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "FGID" = "[RANDOM FILE NAME]"
    in the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • May download a file from a remote computer and save it as the following:
    %System%\file.exe__SYSTEM__64AD0625__
  • Allows an attacker to perform the following actions on the compromised computer:
    • Redirect and intercept Web traffic in order to steal login information and passwords
    • Modify the hosts file
    • Delete cookies
    • Download and execute files
    • Update and delete itself
    • Load new command files
  • Creates or modifies files such as:

    %System%\aswwer.dll, %System%\bordsho.dll, %System%\btaskv.dll, %System%\btasv.dll, %System%\bulgan.dll, %System%\bulrese.dll, %System%\c3224m.dll, %System%\c34m.dll, %System%\cimm.dll, %System%\co.dll, %System%\coman.dll, %System%\coman2.dll,
    %System%\comi.dll, %System%\comi2.dll, %System%\commert.dll, %System%\cortals.dll, %System%\crim.dll, %System%\cunamei.dll, %System%\cupid1.dll, %System%\down.dll, %System%\down1.dll, %System%\drive01.dll, %System%\ertw1.dll, %System%\eurodol.dll, %System%\fertili.dll, %System%\geroez1.dll, %System%\gesy23.dll, %System%\gontas.dll, %System%\gyrpsy23.dll, %System%\helper.sys, %System%\kotiss.dll, %System%\mac.dll, %System%\mahars.dll, %System%\markoov123.dll, %System%\matahsw.dll, %System%\milis.dll, %System%\mioed.dll, %System%\mountr.dll, %System%\mstrans.dll, %System%\namesver.dll,
    %System%\nethelper.dll, %System%\parety.dll, %System%\q24m.dll, %System%\rem.dll, %System%\restorem.dll, %System%\rtywem.dll, %System%\smuhdd.dll, %System%\sockver1.dll, %System%\soert1.dll, %System%\tochss.dll, %System%\torm.dll, %System%\torm1.dll, %System%\w1m.dll, %System%\weq24m.dll, %System%\wer2tm.dll

    ~.exe, 1.exe, 123.exe, a.exe, ahk.exe, all.exe, alon.exe, apdate.exe, b41ms.exe, btaskv.dll, calc.exe, callps.dll, commert.dll, cortals.dll, d.exe, dd.exe, demo.exe, dow.exe, nloader.exe, dwsvchost.exe, f.exe, fwujp.exe, helper.dll, hoexk.dll, isu.exe, jap.exe, java.exe, nmbliroh.htm.exe, kon.exe, lim.exe, limbo.exe, load.exe, markew.dll, mi.exe,
    microsoft.exe, mstrans.dll, new.exe, nitr.exe, pr2.exe, prika.exe, promo.exe, qrhrtrwtr.exe, r.exe, restorem.dll, rwlapibqwy.exe, serv.exe, sockver2.dll, sours.dll, spup.exe, svhost.exe, syn.exe, system.exe, tr_de.exe, tvumbal.dll, up.exe, update.exe, updates2r.exe, us.exe,
    windowsupdate.exe, winpav.exe, winplays.exe, z4hfr3.exe, zoox1.dll, zzz.exe

In view of the high damage potential of the Nethell Trojan, users are advised to implement the following countermeasures:

  • Delete or unregister the executables and DLLs used by the Trojan, using the names listed above.
  • Delete the registry entries created by the Trojan, as listed above.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Install and maintain updated anti-spyware software at desktop level.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date anti-virus and anti-spyware signatures.
  • Exercise caution while opening unsolicited emails and do not click on links embedded within them.
  • In case your financial or personal information is compromised, immediately contact your financial institution or bank and report it. Because the Trojan logs keystrokes, also change any passwords that were typed on the infected system, doing so from a clean machine.
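The file, registry and hosts-file indicators listed above can be checked in a single pass before any deletion is attempted. The following PowerShell script is an added example and is not part of the CERT-In advisory or of any vendor tool. It is read-only: it reports matches and changes nothing. The $FileNames array holds the primary components plus a subset of the secondary file names from the advisory (extend it from the list above), and the rule that any hosts-file entry not pointing at a loopback address is worth reviewing is a heuristic of this example, not a statement from the advisory.

```powershell
# Added example, not part of the CERT-In advisory: a read-only sweep of a Windows
# host for the Nethell indicators listed in the alert. It only reports; review
# the findings before deleting anything. Run from an elevated PowerShell so that
# HKEY_CLASSES_ROOT and %SystemRoot%\System32 are fully readable.

$System   = Join-Path $env:SystemRoot 'System32'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Indicator, [string]$Detail = '') {
    $script:Findings.Add([pscustomobject]@{ Kind = $Kind; Indicator = $Indicator; Detail = $Detail })
}

# 1. Files under %System%. Primary components from the advisory first, then a
#    subset of the secondary names (assumption: extend from the full list).
#    log.txt in System32 is a weak indicator on its own, so it is marked as such.
$FileNames = @(
    'nethelper.xml', 'nethelper2.xml', 'commandhelper.xml', 'log.txt',
    'Nethelper.dll', 'HookDll.dll', 'helper.sys', 'file.exe__SYSTEM__64AD0625__',
    'aswwer.dll', 'bordsho.dll', 'btaskv.dll', 'coman.dll', 'commert.dll',
    'cortals.dll', 'down.dll', 'mstrans.dll', 'restorem.dll', 'sockver1.dll',
    'dwsvchost.exe', 'svhost.exe', 'windowsupdate.exe', 'updates2r.exe'
)
foreach ($name in $FileNames) {
    $path = Join-Path $System $name
    if (Test-Path -LiteralPath $path) {
        $detail = if ($name -eq 'log.txt') { 'weak indicator on its own' } else { '' }
        Add-Finding 'File' $path $detail
    }
}

# 2. COM registration keys created by the dropper (GUIDs as given in the advisory).
$RegistryKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}',
    'Registry::HKEY_CLASSES_ROOT\NetHelper.Hook',
    'Registry::HKEY_CLASSES_ROOT\NetHelper.Hook.1',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}'
)
foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'RegistryKey' $key }
}

# 3. Per-user persistence value and the FGID marker. The data is a random file
#    name, so match on the value name and report whatever it points at. HKCU is
#    only the profile running this script; repeat for other users (HKU) as needed.
$RegistryValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'updater.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'FGID' }
)
foreach ($v in $RegistryValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Add-Finding 'RegistryValue' ('{0}\{1}' -f $v.Key, $v.Name) ([string]$item.($v.Name))
    }
}

# 4. Hosts-file tampering. The Trojan redirects web traffic; the advisory says it
#    modifies the hosts file. Heuristic (assumption of this example): a clean
#    Windows hosts file holds only comments and loopback entries, so any other
#    name-to-address mapping is reported for review.
$HostsPath = Join-Path $System 'drivers\etc\hosts'
if (Test-Path -LiteralPath $HostsPath) {
    Get-Content -LiteralPath $HostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip trailing comments
        if ($line -eq '') { return }               # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields[0] -notin @('127.0.0.1', '::1')) {
            Add-Finding 'HostsEntry' $line 'non-loopback mapping'
        }
    }
}

# 5. Report. Non-zero exit when anything matched, so the sweep can be scheduled
#    and its result picked up by a job or monitoring script.
if ($Findings.Count -eq 0) {
    Write-Output 'No Nethell indicators found.'
    exit 0
}
$Findings | Format-Table -AutoSize
exit 1
```

Removal stays a separate, deliberate step, as the countermeasures list describes: after confirming a hit, unregister the COM component (for example regsvr32 /u on the %System%\Nethelper.dll path), delete the listed files, remove the registry keys and values with Remove-Item and Remove-ItemProperty, restore the hosts file from a known-good copy, reboot, and re-run the sweep to confirm the system is clean before any credentials are changed from it.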

References

http://www.symantec.com/security_response/writeup.jsp?docid=2006-041915-4629-99&tabid=1
http://www.sophos.com/security/analyses/trojnethella.html/
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Nethell&threatid=55365

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003