Virus Profile: W32/Netsky.f@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/3/2004
Date Added: 3/3/2004
Origin: Unknown
Length: 18,432 (PE Pack)
Type: Virus
Subtype: E-mail worm
DAT Required: 4328

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the file and Registry value described under System changes below
  • Unexpected network traffic (workstations opening tcp/25 directly to remote mail servers; see Mail propagation)
  • Outgoing DNS queries sent to one of the following hard-coded DNS server addresses, which the worm uses for its MX lookups:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16
    Methods of Infection

    This worm spreads by email, constructing messages using its own SMTP engine.

    Aliases

    NetSky.f (F-Secure), W32.Netsky.f@MM (NAV)
       

    Virus Characteristics

    A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

    This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate the following viruses by deleting their startup Registry values (see Virus removal below):

    • W32/Mydoom.a@MM
    • W32/Mydoom.b@MM
    • W32/Bagle.c@MM
    • W32/Bagle.e@MM
    • W32/Bagle.f@MM
    • W32/Bagle.g@MM
    • W32/Bagle.h@MM
    • W32/Bagle.i@MM

    Mail propagation
    The virus may be received in an email message as follows:

    From: (forged address taken from infected system)

    Subject: 

    • Re: Your website
    • Re: Your product
    • Re: Your letter
    • Re: Your archive
    • Re: Your text
    • Re: Your bill
    • Re: Your details
    • Re: My details
    • Re: Word file
    • Re: Excel file
    • Re: Details
    • Re: Approved
    • Re: Your software
    • Re: Your music
    • Re: Here
    • Re: Re: Re: Your document
    • Re: Hello
    • Re: Hi
    • Re: Re: Message
    • Re: Your picture
    • Re: Here is the document
    • Re: Your document
    • Re: Thanks!
    • Re: Re: Thanks!
    • Re: Re: Document
    • Re: Document

    Body:

    • Your file is attached
    • Please read the attached file
    • Please have a look at the attached
    • See the attached file for details
    • Here is the file
    • Your document is attached.

    Attachment:

    • your_website.pif
    • your_product.pif
    • your_letter.pif
    • your_archive.pif
    • your_text.pif
    • your_bill.pif
    • your_details.pif
    • document_word.pif
    • document_excel.pif
    • my_details.pif
    • all_document.pif
    • application.pif
    • mp3music.pif
    • yours.pif
    • document_4351.pif
    • your_file.pif
    • message_details.pif
    • your_picture.pif
    • document_full.pif
    • message_part2.pif
    • document.pif
    • your_document.pif

    Note: initial investigation indicates that the worm may email itself either as a binary or as a binary within a ZIP file. This will be updated when analysis is complete.

    The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

    • .adb
    • .html
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .msg
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab
    It does not send itself to addresses that contain one of the following strings (matched as substrings, which is why entries such as "orton", "ymantec" and "icrosoft" are written without their first letter, so that both capitalised and lower-case forms match):

    • abuse
    • fbi
    • orton
    • f-pro
    • aspersky
    • cafee
    • orman
    • itdefender
    • f-secur
    • avp
    • skynet
    • spam
    • messagelabs
    • ymantec
    • antivi
    • icrosoft
    • iruslis
    • antivir
    • sophos
    • freeav
    • andasoftwa

    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS or C:\WINNT) using the filename SVCHOST.EXE:

    • %WinDir%\Svchost.exe (18,432 bytes), e.g. C:\WINNT\Svchost.exe

    Note: a legitimate Svchost.exe exists in the %SysDir% directory (e.g. C:\WINNT\System32); the worm's copy is the one sitting directly in %WinDir%, so check the full path rather than the filename alone.

    A Registry value is created to load the worm at system start:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      "Zone Labs Client Ex" = %WinDir%\Svchost.exe - antivirus service
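Turning the indicators above into a triage check, as an added example that is not code from this profile or from McAfee: a Python script that (1) scans constructed firewall log lines for workstations sending udp/53 queries straight to the hard-coded DNS server addresses listed under Indication of Infection and opening tcp/25 themselves, and (2) checks a host's file and Run-key inventory for the %WinDir%\Svchost.exe copy and the "Zone Labs Client Ex" value while ignoring the legitimate Svchost.exe in %SysDir%. The log layout, host addresses, relay address and inventory dicts are assumptions made for the example; on a live Windows host the dicts would be filled from a directory listing and from the Run key.

```python
"""Network and host triage for the W32/Netsky.f@MM indicators (added example)."""
import re
from typing import Dict, List

# DNS servers hard-coded in the worm, copied from the profile above.
NETSKY_F_DNS_SERVERS = frozenset({
    "145.253.2.171", "151.189.13.35", "193.141.40.42", "193.193.144.12",
    "193.193.158.10", "194.25.2.129", "194.25.2.130", "194.25.2.131",
    "194.25.2.132", "194.25.2.133", "194.25.2.134", "195.185.185.195",
    "195.20.224.234", "212.185.252.136", "212.185.252.73", "212.185.253.70",
    "212.44.160.8", "212.7.128.162", "212.7.128.165", "213.191.74.19",
    "217.5.97.137", "62.155.255.16",
})
NETSKY_F_LENGTH = 18432
NETSKY_F_RUN_VALUE = "Zone Labs Client Ex"

# Constructed firewall log in an assumed "date time action src -> dst proto/port"
# layout; not output from any real device. 10.0.0.25 behaves like an infected
# host: it queries two of the hard-coded resolvers and then opens tcp/25 itself,
# while 10.0.0.31 only uses the internal resolver and the sanctioned relay.
SAMPLE_FW_LOG = """\
2004-03-03 09:12:01 allow 10.0.0.25 -> 10.0.0.1 udp/53
2004-03-03 09:12:02 allow 10.0.0.25 -> 194.25.2.129 udp/53
2004-03-03 09:12:02 allow 10.0.0.25 -> 212.7.128.162 udp/53
2004-03-03 09:12:05 allow 10.0.0.25 -> 203.0.113.7 tcp/25
2004-03-03 09:12:07 allow 10.0.0.31 -> 10.0.0.1 udp/53
2004-03-03 09:12:09 allow 10.0.0.31 -> 10.0.0.2 tcp/25
"""
INTERNAL_MAIL_RELAYS = {"10.0.0.2"}  # assumed: the only legitimate SMTP next hop
LOG_RE = re.compile(r"^\S+ \S+ \w+ (\S+) -> (\S+) (tcp|udp)/(\d+)$")


def netsky_dns_clients(log: str) -> Dict[str, List[str]]:
    """Map each source host to the hard-coded Netsky resolvers it queried."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, proto, port = m.groups()
        if proto == "udp" and port == "53" and dst in NETSKY_F_DNS_SERVERS:
            hits.setdefault(src, []).append(dst)
    return hits


def direct_smtp_clients(log: str) -> List[str]:
    """Hosts opening tcp/25 to anything other than the sanctioned relays;
    together with the resolver hits this is the worm's own SMTP engine at work."""
    out: List[str] = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if (m and m.group(3) == "tcp" and m.group(4) == "25"
                and m.group(2) not in INTERNAL_MAIL_RELAYS and m.group(1) not in out):
            out.append(m.group(1))
    return out


def check_host(windir: str, files: Dict[str, int], run_values: Dict[str, str]) -> List[str]:
    """files: full path -> size in bytes; run_values: value name -> command from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. Both are passed in so
    the check runs offline. Only Svchost.exe directly under %WinDir% is reported;
    the legitimate copy under %SysDir% (System32) is left alone."""
    findings: List[str] = []
    worm_copy = windir.rstrip("\\") + "\\svchost.exe"
    for path, size in files.items():
        if path.lower() == worm_copy.lower():
            tag = " (matches worm length)" if size == NETSKY_F_LENGTH else ""
            findings.append(f"file: {path} {size} bytes{tag}")
    for name, command in run_values.items():
        if name == NETSKY_F_RUN_VALUE or command.lower().startswith(worm_copy.lower()):
            findings.append(f"run value: {name} = {command}")
    return findings


# Constructed inventories (paths and sizes assumed, not measured).
INFECTED_FILES = {r"C:\WINNT\Svchost.exe": 18432, r"C:\WINNT\System32\svchost.exe": 8192}
INFECTED_RUN = {NETSKY_F_RUN_VALUE: r"C:\WINNT\Svchost.exe - antivirus service"}
CLEAN_FILES = {r"C:\WINNT\System32\svchost.exe": 8192}

if __name__ == "__main__":
    print(netsky_dns_clients(SAMPLE_FW_LOG))
    print(direct_smtp_clients(SAMPLE_FW_LOG))
    print(check_host(r"C:\WINNT", INFECTED_FILES, INFECTED_RUN))
    print(check_host(r"C:\WINNT", CLEAN_FILES, {}))
```

Blocking outbound udp/53 and tcp/25 from workstations at the perimeter (allowing only the internal resolver and relay) both stops this worm's mailing engine and turns every further attempt into a log line that the first two functions can match.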

    Virus removal
    The virus removes various Registry values.  Some of these are associated with other viruses, trojans, and applications.

    The following registry key values are deleted:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "au.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "d3dupdate.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "Explorer"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "KasperskyAv"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "OLE"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "Taskmon"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "rate.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "sysmon.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "gouday.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "DELETE ME"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Explorer"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "KasperskyAv"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "msgsvr32"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Sentry"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "service"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "system."
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Taskmon"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\RunServices "system."
    • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations