Virus Profile: W32/Netsky.c@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/25/2004
Date Added: 2/25/2004
Origin: N/A
Length: 25,353 bytes (Petite packed)
28,160 bytes (ASPack packed)
24,064 bytes (UPX packed)
(may have appended garbage)
Type: Virus
Subtype: Internet Worm
DAT Required: 4328
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Audio payload - On February 26, between 6 and 9 a.m., the worm makes random beeping sounds of varying pitch and rhythm.
  • Existence of the files and registry keys listed under Virus Characteristics below
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16

Methods of Infection

This worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives if available. It does not scan for open shares.

Aliases

I-Worm/Netsky.C (Grisoft), W32.Netsky.C@mm (NAV), W32/Netsky.C.worm (Panda)

Virus Characteristics

-- Update Feb 26th 01:21 PST --
A new UPX-packed sample of W32/Netsky.c@MM has been received. This sample is detected exactly as W32/Netsky.c@MM; however, Compressed File scanning must be enabled for the detection to fire.
--
-- Update Feb 25th 08:32 PST --
Due to an increase in prevalence, AVERT has raised the risk assessment of this threat to MEDIUM.
--

Netsky only infects systems running Microsoft Windows.

If you think that you may be infected with Netsky, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This virus spreads via email and mapped drives. It mails itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: / Body : (taken from the following list)

  • <...>
  • *lol*
  • ;-)
  • <09580985869gj>
  • a crazy doc about you
  • abuse?
  • account?
  • already?
  • another pic, have fun! ... :->
  • Antispam is turned off. See file!
  • are you a photographer?
  • are you a teacherin the picture?
  • are you cranky?
  • are you the naked one?
  • are you the naked person!
  • are you the one?
  • attachi#
  • Authentification required. Read the attachment!
  • be mad?
  • believe me
  • best?
  • bob the builder
  • child or adult?
  • child porn?
  • classroom test of you?
  • copyright?
  • correct it!
  • dear
  • Delivery Failed
  • denied!
  • did you ask me for that?
  • did you know from this document?
  • did you know that?
  • did you see her already?
  • did you sent it to me?
  • do not give up!
  • do not open the attachment!
  • do not show this anyone!
  • do not use my document!
  • do not use this creditcard!
  • do not visit the pages on the list I sent!
  • do you have an orgasm in the picture?
  • do you have sex in the picture?
  • do you have the bug also?
  • do you have?
  • do you know the thief?
  • do you know this????
  • do you think so?
  • doc about me?
  • doc?
  • docs?
  • does it belong to you?
  • does it match?
  • does it matter?
  • drugs? ...
  • error
  • excellent!
  • exception
  • excuse me
  • explain!
  • fake?
  • fast food...
  • feel free to use it.
  • File is bad.
  • File is damaged.
  • File is self-decryting.
  • forgotten?
  • from the chatter (my photo!)
  • from your lover ;-)
  • gonna?
  • good morning
  • good work!
  • great job!
  • great xxx!
  • great!
  • greetings
  • hello
  • help attached
  • her.
  • here is it.
  • Here is it
  • here is my advice.
  • here is my photo!
  • here is the $%%454$
  • here is the <CENSORED />
  • here is the document.
  • here is the next one!
  • here is yours!
  • here, the cheats
  • here, the introduction
  • here, the serials
  • hey
  • hi
  • how?
  • i am desperate
  • i am speachless about your document!
  • I don't know your document!
  • i don't think so.
  • i don't want your xxx pics!
  • i found that about you!
  • i found this document about you.
  • i have received this.
  • I have your password!
  • i hope thats not true!
  • i know your document!
  • i like your doc!
  • i lost that
  • i need you!
  • i saw you last week!
  • I 've found your bill!
  • I wait for an answer!
  • i wait for your comment about it.
  • i want more...
  • illegal st. of you?
  • illegal...
  • I'm back!
  • important?
  • important
  • in your mind?
  • incest?
  • info
  • information about you?
  • instruct me about this!
  • is that criminal?
  • is that possible?
  • is that the reality?
  • is that true?
  • is that your account?
  • is that your attachment?
  • is that your beast?
  • is that your car?
  • is that your cd?
  • is that your creditcard?
  • is that your domain?
  • is that your family?
  • is that your finger?
  • is that your message?
  • is that your name?
  • is that your photo?
  • is that your porn pic?
  • is that your privacy?
  • is that your slip?
  • is that your TAN?
  • is that your website?
  • is that your wife?
  • is that your work?
  • is that yours?
  • is the pic a fake?
  • is this information about you?
  • it's a secret!
  • its me
  • its private from me
  • it's so similar as yours!
  • i've found it about you
  • kill him on the picture!
  • kill the writer of this document!
  • last chance!
  • let it!
  • lets talk about it!
  • Login required! Read the attachment!
  • lol
  • love letter?
  • man or women?
  • meaning of that?
  • message?
  • Microsoft
  • misc. and so on. see you!
  • modifications?
  • moin
  • money?
  • msg
  • my advice....
  • never!
  • new patch is available!
  • notice!
  • notification
  • oh
  • ok...
  • old photos about you?
  • only encrypted!
  • pages?
  • personal message!
  • picture?
  • poor quality!
  • possible?
  • pretty pic about you?
  • private?
  • pwd?
  • Question
  • question
  • Re: <5664ddff?$??§2>
  • Re: does it?
  • Re: excuse me
  • Re: hello
  • Re: hey
  • Re: hi
  • Re: important
  • Re: information
  • Re: Re: Re: Re:
  • Re: unknown
  • re:
  • read it immediatelly
  • read it immediately!
  • read the details.
  • really?
  • reply
  • report
  • schoolfriend?
  • see this!
  • see your name!
  • solve the problem!
  • something about you!
  • something for you
  • something is going ...
  • something is going wrong!
  • something is not ok
  • Status
  • stolen
  • stuff about you?
  • such as yours?
  • take it easy!
  • take it
  • tell me more about your document!
  • test it
  • that is interesting...
  • that's a funny text.
  • that's not the truth?
  • thats wrong!
  • the information is wrong!
  • the truth?
  • this file is bad!
  • this is an attachment message!
  • this is nothing for kids!
  • time to fear?
  • Transaction failed. Show the doc!
  • trial?
  • trust me
  • try this patch!
  • warning
  • what do you think about it?
  • what means that?
  • what still?
  • what?
  • what's up?
  • who?
  • why should I?
  • why?
  • wrong calculation! (see the attachment!)
  • xxx ?
  • xxx about you?
  • xxx service
  • Yep
  • yes.
  • you are a bad writer
  • you are bad
  • You are infected. Read the details!
  • you are naked in this document!
  • you are sexy in this doc!
  • you cannot hide yourself! (see photo)
  • you earn money, see the attachment!
  • you feel the same.
  • you have a sexy body in the pic!
  • you have done a mistake in the document!
  • you have tried to steal!
  • you look like an ape!
  • you look like an rat?
  • you won the rk!
  • you?
  • your account is expired!
  • your are naked?
  • your attachment? verify it.
  • Your bill.
  • your body?
  • your design is not good!
  • your document is not good
  • your document is silly!
  • your eyes?
  • your face?
  • your hero in the picture?
  • your icq number?
  • your job? (I found that!)
  • your lie is going around the world!
  • your name is wrong!
  • your personal record?
  • your photo is poor
  • Your provider will be disabled!
  • your TAN number?
  • yours?

Attachment: The attachment may be either a ZIP (containing the worm) or an EXE, with either a single or double file extension.

The attachment filename varies (according to strings carried in the worm), for example:

  • 454543403
  • aboutyou
  • associal
  • attach2
  • auction
  • transfer
  • bill
  • birth
  • card
  • concert
  • moonlight
  • death
  • details
  • description
  • creditcard
  • dinner
  • disco
  • doc
  • yours
  • doc_ang
  • jokes
  • document
  • final
  • found
  • freaky
  • image
  • incest
  • information
  • sexy
  • injection
  • intimate stuff
  • letter
  • location
  • mail2
  • mails
  • masturbation
  • material
  • me
  • message
  • talk
  • msg2
  • music
  • myaunt
  • mydate
  • naked1
  • naked2
  • news
  • nomoney
  • note
  • nothing
  • misc
  • number_phone
  • object
  • old_photos
  • part2
  • party
  • paypal
  • pic
  • attachment
  • portmoney
  • posting
  • poster
  • privacy
  • id
  • product
  • class_photos
  • ps
  • ranking
  • regards
  • website
  • more
  • regid
  • release
  • response
  • schock
  • secrets
  • sexual
  • shower
  • story
  • stuff
  • swimmingpool
  • tear
  • textfile
  • topseller
  • trash
  • undefinied
  • unfolds
  • friend
  • update
  • violence
  • visa
  • warez
  • webcam
  • wife
  • word_doc
  • worker
  • your_stuff

The file extension may be single or double, where the double extension is constructed from the following:

The first extension may be:

  • .doc
  • .htm
  • .rtf
  • .text

The last extension is one of the following:

  • .com
  • .exe
  • .pif
  • .scr

The mailing component harvests addresses from the local system. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .msg
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

It does not send itself to addresses that contain one of the following strings:

  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • spam
  • ymantec
  • antivi
  • icrosoft

The virus sends itself via SMTP, constructing messages with its own SMTP engine. It asks a DNS server (one of the hard-coded addresses listed under Indication of Infection) for the MX record of the target domain, then connects directly to that domain's MTA and delivers the message, bypassing the local mail server.
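
Both network behaviours on this page, the DNS queries to the hard-coded resolver list under Indication of Infection and the direct-to-MX SMTP delivery just described, can be picked out of a flow log. The following is an added example, not McAfee tooling: the log line format, the sample flows (external hosts use RFC 5737 documentation addresses, except the one real resolver hit), the LOCAL_MAIL_SERVERS set and the fan-out threshold of three distinct MTAs are all assumptions made for the demo.

```python
"""Flow-log triage for Netsky.C network behaviour: queries to the worm's
hard-coded resolvers, and workstations mailing directly to several MTAs
(an in-built SMTP engine bypassing the site mail server). Added example."""
from collections import defaultdict

# Resolver addresses carried by the worm (from the Indication of Infection list).
NETSKY_DNS_SERVERS = frozenset("""
145.253.2.171 151.189.13.35 193.141.40.42 193.189.244.205 193.193.144.12
193.193.158.10 194.25.2.129 194.25.2.130 194.25.2.131 194.25.2.132
194.25.2.133 194.25.2.134 195.185.185.195 195.20.224.234 212.185.252.136
212.185.252.73 212.185.253.70 212.44.160.8 212.7.128.162 212.7.128.165
213.191.74.19 217.5.97.137 62.155.255.16
""".split())

# Assumption: the site's legitimate outbound MTA(s); only they should talk to port 25.
LOCAL_MAIL_SERVERS = frozenset({"10.1.1.5"})

# Constructed sample flows: timestamp, then key=value fields.
SAMPLE_FLOWS = """\
2004-02-26T08:01:02 src=10.1.1.25 dst=194.25.2.129 proto=udp dport=53
2004-02-26T08:01:03 src=10.1.1.25 dst=203.0.113.10 proto=tcp dport=25
2004-02-26T08:01:03 src=10.1.1.25 dst=198.51.100.7 proto=tcp dport=25
2004-02-26T08:01:04 src=10.1.1.25 dst=203.0.113.44 proto=tcp dport=25
2004-02-26T08:01:05 src=10.1.1.40 dst=10.1.1.2 proto=udp dport=53
2004-02-26T08:01:06 src=10.1.1.5 dst=203.0.113.10 proto=tcp dport=25
2004-02-26T08:01:07 src=10.1.1.40 dst=10.1.1.5 proto=tcp dport=25
""".splitlines()


def parse_flow(line):
    """'ts src=.. dst=.. proto=.. dport=..' -> dict, dport as int."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields


def analyze(lines, mail_servers=LOCAL_MAIL_SERVERS, smtp_fanout=3):
    """Return {src_host: [indicator, ...]} for hosts showing Netsky-like traffic."""
    findings = defaultdict(list)
    smtp_targets = defaultdict(set)
    for rec in (parse_flow(ln) for ln in lines if ln.strip()):
        src, dst = rec["src"], rec["dst"]
        if rec["proto"] == "udp" and rec["dport"] == 53 and dst in NETSKY_DNS_SERVERS:
            findings[src].append(f"dns query to hard-coded Netsky resolver {dst}")
        elif rec["proto"] == "tcp" and rec["dport"] == 25 and src not in mail_servers:
            smtp_targets[src].add(dst)
    # A non-mail-server host reaching several distinct MTAs is the signature
    # of a worm's own SMTP engine resolving MX records and delivering directly.
    for src, dsts in smtp_targets.items():
        if len(dsts) >= smtp_fanout:
            findings[src].append(f"smtp direct-to-MX fan-out to {len(dsts)} hosts")
    return dict(findings)


if __name__ == "__main__":
    for host, indicators in analyze(SAMPLE_FLOWS).items():
        print(host)
        for indicator in indicators:
            print("   ", indicator)
```

The resolver list is specific to this variant and is the cheaper, higher-confidence check; the SMTP fan-out rule is generic and will also catch other mass-mailers, which is why it is gated on the host not being a known mail server.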

System changes
The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS or C:\WINNT) using the filename WINLOGON.EXE:

  • C:\WINNT\WINLOGON.EXE (25,353 bytes)

Note: a legitimate WINLOGON.EXE exists in the Windows System directory (e.g. C:\WINNT\SYSTEM32); only the copy directly in %WinDir% is the worm.

A Registry key is created to load the worm at system start.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

Network propagation/Peer to Peer propagation  
The worm copies itself to directories containing the string shar on the local system and on mapped network drives. Filenames are carried within the worm, for example:

  • 1000 Sex and more.rtf.exe
  • 3D Studio Max 3dsmax.exe
  • Adobe Photoshop 9 full.exe
  • Adobe Premiere 9.exe
  • Ahead Nero 7.exe
  • Best Matrix Screensaver.scr
  • Clone DVD 5.exe
  • Magix Video Deluxe 4.exe
  • Cracks & Warez Archive.exe
  • Dark Angels.pif
  • Dictionary English - France.doc.exe
  • DivX 7.0 final.exe
  • E-Book Archive.rtf.exe
  • Full album.mp3.pif
  • Gimp 1.5 Full with Key.exe
  • How to hack.doc.exe
  • Doom 3 Beta.exe
  • IE58.1 full setup.exe
  • Keygen 4 all appz.exe
  • Lightwave SE Update.exe
  • MS Service Pack 5.exe
  • Microsoft Office 2003 Crack.exe
  • Microsoft WinXP Crack.exe
  • Norton Antivirus 2004.exe
  • Opera.exe
  • Partitionsmagic 9.0.exe
  • Porno Screensaver.scr
  • RFC Basics Full Edition.doc.exe
  • Screensaver.scr
  • Serials.txt.exe
  • Smashing the stack.rtf.exe
  • Star Office 8.exe
  • Teen Porn 16.jpg.pif
  • The Sims 3 crack.exe
  • Ulead Keygen.exe
  • Virii Sourcecode.scr
  • Visual Studio Net Crack.exe
  • ACDSee 9.exe
  • Win Longhorn Beta.exe
  • WinAmp 12 full.exe
  • WinXP eBook.doc.exe
  • Learn Programming.doc.exe
  • Windows Sourcecode.doc.exe
  • XXX hardcore pic.jpg.exe

For example, directories such as the following will be populated:

  • C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS
  • C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\STATIONERY

This results in propagation via KaZaa, BearShare, LimeWire and other P2P applications whose shared-folder names contain the words share or sharing. The filenames are carried in the worm and chosen at random.
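
A scan for the peer-to-peer drops described above is straightforward because the worm only writes into directories whose path contains "shar" and uses a fixed set of filenames. The following is an added example, not McAfee tooling: it carries a subset of the drop names listed above, matches "shar" anywhere in the path below the scan root (the page's own examples show the token in a parent directory, not the leaf), and builds a constructed directory tree with placeholder files for the demo.

```python
"""Scan for Netsky.C peer-to-peer drops: known drop names, or any
double-extension executable, under directories whose path contains
"shar" (local drives and mapped shares). Added example."""
import os
import tempfile

# Subset of the drop names listed on this page (the full list is above).
DROP_NAMES = {name.lower() for name in [
    "1000 Sex and more.rtf.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "Cracks & Warez Archive.exe", "Doom 3 Beta.exe", "Keygen 4 all appz.exe",
    "MS Service Pack 5.exe", "Norton Antivirus 2004.exe", "Opera.exe",
    "Serials.txt.exe", "Smashing the stack.rtf.exe", "Win Longhorn Beta.exe",
]}
EXEC_EXT = {"exe", "pif", "scr", "com"}
SHARE_TOKEN = "shar"   # matches "shared", "share", "sharing", ...


def double_extension_executable(filename):
    """'Full album.mp3.pif' -> True; 'msoweb.dll' -> False."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT


def find_share_drops(root):
    """Return sorted (path, reason) pairs for suspect files under share-like dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower()
        if SHARE_TOKEN not in rel:          # the worm only writes into such dirs
            continue
        for fn in files:
            if fn.lower() in DROP_NAMES:
                hits.append((os.path.join(dirpath, fn), "known Netsky.C drop name"))
            elif double_extension_executable(fn):
                hits.append((os.path.join(dirpath, fn), "double-extension executable"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout mirroring the page's examples; files hold placeholder bytes."""
    layout = {
        "Program Files/Common Files/Microsoft Shared/Web Folders":
            ["Norton Antivirus 2004.exe", "msoweb.dll"],
        "Program Files/Kazaa/My Shared Folder":
            ["Serials.txt.exe", "Holiday photos.jpg.pif", "song.mp3"],
        "Documents/alice":                       # no 'shar' in path: out of scope
            ["Opera.exe"],
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"placeholder, not a real sample")


def demo():
    """Build the sample tree in a temp dir, scan it, return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(p) for p, _ in find_share_drops(tmp)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Point it at a drive root (or a mapped share) to scan for real; Opera.exe in the sample sits outside any share-like directory and is deliberately not reported, since the worm does not write there.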

Removal of other malware
The worm deletes various Registry values. Most belong to other viruses, trojans and applications (IPSentry, the Keylog-Stawin trojan, W32/Bagle.a@MM, W32/Bagle.b@MM, W32/Deadhat.worm.b, W32/Mimail.t@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Netsky.a@MM, W32/Netsky.b@MM), so a Netsky.C infection can remove the startup entry of an earlier infection while installing its own.

The following registry key values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (press F8 as soon as the Starting Windows text is displayed and choose Safe Mode).
  2. Delete the file WINLOGON.EXE from your WINDOWS directory (typically C:\WINDOWS or C:\WINNT).
    NOTE: Do not delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory as that is a valid Windows system file.
  3. Edit the registry
    • Delete the "ICQ Net" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
  4. Reboot the system normally.
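
The persistence described under System changes and the manual removal steps above amount to one Run value and one file, which makes them easy to check programmatically before and after cleaning. The following is an added example, not McAfee's tool or Stinger: assess() works on collected data so it runs anywhere (the sample data below is constructed, and the legitimate winlogon.exe size in it is a placeholder), while collect_live() and remove_live() use the standard winreg module and only work on Windows. Matching on the "-stealth" argument as well as on the "ICQ Net" value name is a generalization beyond the page, to catch a renamed value.

```python
"""Check for, and optionally remove, Netsky.C persistence:
%WinDir%\WINLOGON.EXE plus the "ICQ Net" Run value in HKLM/HKCU.
assess() is pure; the *_live() helpers are Windows-only (winreg). Added example."""
import ntpath
import os
import sys

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE = "ICQ Net"
WORM_FILE = "WINLOGON.EXE"

# Constructed sample of collected data for one infected machine.
SAMPLE_WINDIR = r"C:\WINDOWS"
SAMPLE_RUN_VALUES = {
    ("HKLM", "ICQ Net"): r"C:\WINDOWS\WINLOGON.EXE -stealth",
    ("HKLM", "ctfmon.exe"): "ctfmon.exe",
}
SAMPLE_FILES = {
    r"C:\WINDOWS\WINLOGON.EXE": 25353,            # dropped copy (Petite-packed size)
    r"C:\WINDOWS\system32\winlogon.exe": 500000,  # legitimate file; size is a placeholder
}


def _same_path(a, b):
    return a.replace("/", "\\").lower() == b.replace("/", "\\").lower()


def assess(run_values, windir, files):
    """run_values: {(hive, value_name): data}; files: {path: size}.
    Returns a list of finding dicts; empty means no Netsky.C persistence seen."""
    findings = []
    for (hive, name), data in run_values.items():
        if name.lower() == WORM_VALUE.lower() or "winlogon.exe -stealth" in data.lower():
            findings.append({"kind": "registry", "hive": hive, "name": name, "data": data})
    worm_path = ntpath.join(windir, WORM_FILE)
    for path, size in files.items():
        # Only the copy directly in %WinDir% is the worm; system32\winlogon.exe is legitimate.
        if _same_path(path, worm_path):
            findings.append({"kind": "file", "path": path, "size": size})
    return findings


def _hives():
    import winreg  # standard library, Windows only
    return {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}


def collect_live():
    """Windows only: enumerate both Run keys and look for the dropped file."""
    import winreg
    run_values = {}
    for label, hive in _hives().items():
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                idx = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, idx)
                    except OSError:          # no more values
                        break
                    run_values[(label, name)] = str(data)
                    idx += 1
        except OSError:
            continue
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    path = ntpath.join(windir, WORM_FILE)
    files = {path: os.path.getsize(path)} if os.path.exists(path) else {}
    return run_values, windir, files


def remove_live(findings, dry_run=True):
    """Delete flagged Run values and the dropped file. Run from Safe Mode with dry_run=False."""
    import winreg
    for f in findings:
        print("would remove" if dry_run else "removing", f)
        if dry_run:
            continue
        if f["kind"] == "registry":
            with winreg.OpenKey(_hives()[f["hive"]], RUN_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, f["name"])
        else:
            os.remove(f["path"])


if __name__ == "__main__":
    data = collect_live() if sys.platform == "win32" else (SAMPLE_RUN_VALUES, SAMPLE_WINDIR, SAMPLE_FILES)
    found = assess(*data)
    for f in found:
        print(f)
    if sys.platform == "win32" and found:
        remove_live(found)   # dry run by default; see the Safe Mode step above
```

On a live box, rerun assess(*collect_live()) after the reboot: an empty result confirms both the value and the %WinDir% copy are gone, and the System32 winlogon.exe is never touched because only an exact %WinDir%\WINLOGON.EXE path is considered.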

McAfee Threatscan:
ThreatScan signatures that can detect the W32/Netsky.c@MM virus are available from:

ThreatScan Signature version: 2004-02-25

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4066

McAfee IntruShield
McAfee IntruShield already provides signatures to protect against this worm. Customers should see one or more of the following alerts upon detecting the worm activity:

  • SMTP: Worm Detected in Attachment, when propagating via regular email attachment
  • SMTP: Possible Virus Attachment File with Double Extension, when propagating using attachment with double extensions
  • NETBIOS-SS: Copy Executable File Attempt, when copying itself through file share

Double-extension attachments can safely be blocked outright; the other two alerts should be set to block only if your security policy for the environment disallows copying of these virus-carrying files.

Sniffer Technologies
Sniffer Filters have been developed to filter DNS traffic sent by Netsky.c. Sniffer Filters are available for Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst network analyzer.

W32_Netsky.c@mm Sniffer Filters.zip