Virus Characteristics
A new variant of W32/Netsky@MM has been received. It is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher, with scanning of compressed files enabled (detected as W32/Netsky.gen@MM since the 4331 DATs). This variant is very similar to W32/Netsky.f@MM.
This virus spreads via email. It sends itself to addresses harvested from the victim's machine. The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).
Mail propagation
The virus may be received in an email message as follows:
From: (forged address taken from the infected system)
Subject:
- Re: Your website
- Re: Your product
- Re: Your letter
- Re: Your archive
- Re: Your text
- Re: Your bill
- Re: Your details
- Re: My details
- Re: Word file
- Re: Excel file
- Re: Details
- Re: Approved
- Re: Your software
- Re: Your music
- Re: Here
- Re: Re: Re: Your document
- Re: Hello
- Re: Hi
- Re: Re: Message
- Re: Your picture
- Re: Here is the document
- Re: Your document
- Re: Thanks!
- Re: Re: Thanks!
- Re: Re: Document
- Re: Document
Body:
- Your file is attached
- Please read the attached file
- Please have a look at the attached
- See the attached file for details
- Here is the file
- Your document is attached.
Attachment:
- your_website.pif
- your_product.pif
- your_letter.pif
- your_archive.pif
- your_text.pif
- your_bill.pif
- your_details.pif
- document_word.pif
- document_excel.pif
- my_details.pif
- all_document.pif
- application.pif
- mp3music.pif
- yours.pif
- document_4351.pif
- your_file.pif
- message_details.pif
- your_picture.pif
- document_full.pif
- message_part2.pif
- document.pif
- your_document.pif
Note: initial investigation indicates that the worm may email itself either as a binary or as a binary within a ZIP file. This will be updated when analysis is complete.
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
- .adb
- .html
- .asp
- .cgi
- .dbx
- .dhtm
- .doc
- .eml
- .htm
- .oft
- .php
- .pl
- .rtf
- .sht
- .shtm
- .msg
- .tbb
- .txt
- .uin
- .vbs
- .wab
It does not send itself to addresses that contain one of the following strings:
- abuse
- fbi
- orton
- f-pro
- aspersky
- cafee
- orman
- itdefender
- f-secur
- avp
- skynet
- spam
- messagelabs
- ymantec
- antivi
- icrosoft
- iruslis
- antivir
- sophos
- freeav
- andasoftwa
The virus sends itself via SMTP using its own SMTP engine. For each recipient it queries DNS for the MX record of the recipient's domain, connects directly to that domain's mail server (MTA) and delivers the message, so the mail never passes through the victim's mail client or the organisation's outbound relay.
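The subject, body and attachment lists above are exact strings, which makes them usable as gateway indicators. The following triage script is an added example, not part of the original description or any McAfee tool: it parses an RFC 822 message with the Python standard library, matches the three lists, looks inside ZIP attachments (the note above says the worm may mail itself inside a ZIP) and flags a .pif attachment of 27,648 bytes, assuming the mailed copy is the same size as the dropped avguard.exe. The sample messages at the bottom and the 27,648-byte placeholder are constructed for the demo.

```python
"""Mail-gateway triage for the W32/Netsky.c@MM message templates listed above.

The indicator sets are copied from the subject, body and attachment lists in
this description; the sample messages at the bottom are constructed for the
demo and the 27,648-byte placeholder is not the real binary."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def _split(block: str) -> frozenset:
    return frozenset(s.strip() for s in block.split("|") if s.strip())


SUBJECTS = _split("""Re: Your website|Re: Your product|Re: Your letter|
Re: Your archive|Re: Your text|Re: Your bill|Re: Your details|Re: My details|
Re: Word file|Re: Excel file|Re: Details|Re: Approved|Re: Your software|
Re: Your music|Re: Here|Re: Re: Re: Your document|Re: Hello|Re: Hi|
Re: Re: Message|Re: Your picture|Re: Here is the document|Re: Your document|
Re: Thanks!|Re: Re: Thanks!|Re: Re: Document|Re: Document""")
BODIES = _split("""Your file is attached|Please read the attached file|
Please have a look at the attached|See the attached file for details|
Here is the file|Your document is attached.""")
ATTACHMENTS = _split("""your_website.pif|your_product.pif|your_letter.pif|
your_archive.pif|your_text.pif|your_bill.pif|your_details.pif|document_word.pif|
document_excel.pif|my_details.pif|all_document.pif|application.pif|
mp3music.pif|yours.pif|document_4351.pif|your_file.pif|message_details.pif|
your_picture.pif|document_full.pif|message_part2.pif|document.pif|
your_document.pif""")
# Size of the dropped avguard.exe; assumed here to equal the mailed copy.
WORM_SIZE = 27648


def _names_in(part) -> list:
    """Attachment filename plus, for a ZIP container, the names of its members."""
    name = (part.get_filename() or "").lower()
    names = [name]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                names += [m.lower().rsplit("/", 1)[-1] for m in zf.namelist()]
        except zipfile.BadZipFile:
            pass  # corrupt or non-ZIP data: fall back to the outer name only
    return names


def triage(raw: bytes) -> dict:
    """Return {'hits': [...], 'verdict': 'match' | 'review' | 'clean'} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    attachment_hit = False
    for part in msg.iter_attachments():
        for name in _names_in(part):
            if name in ATTACHMENTS:
                attachment_hit = True
                hits.append("attachment:" + name)
        data = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower().endswith(".pif") and len(data) == WORM_SIZE:
            hits.append("size:%d" % WORM_SIZE)
    # Lure text alone is common in legitimate mail; require a known attachment too.
    context_hit = any(h.startswith(("subject:", "body")) for h in hits)
    verdict = "match" if attachment_hit and context_hit else "review" if hits else "clean"
    return {"hits": hits, "verdict": verdict}


def _sample(subject: str, body: str, filename: str = "", payload: bytes = b"") -> bytes:
    """Build a constructed message; the From: is forged, as the worm does."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        subtype = "zip" if filename.endswith(".zip") else "octet-stream"
        m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


def _zip_with(member: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


FAKE_WORM = b"MZ" + b"\x90" * (WORM_SIZE - 2)  # constructed placeholder of the right size
SAMPLE_PIF = _sample("Re: Your document", "Your document is attached.",
                     "your_document.pif", FAKE_WORM)
SAMPLE_ZIP = _sample("Re: Document", "Your file is attached",
                     "document.zip", _zip_with("document.pif", FAKE_WORM))
SAMPLE_CLEAN = _sample("Re: Your website", "Thanks, the broken link is fixed now.")
```

Running `triage(SAMPLE_PIF)` and `triage(SAMPLE_ZIP)` yields a "match" verdict; `SAMPLE_CLEAN` only hits the subject list and comes back as "review", which is the right outcome for a common reply subject with no .pif attached. On a real gateway the raw message bytes would come from the MTA's quarantine or a milter rather than the constructed samples.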
System changes
The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS or C:\WINNT) using the filename AVGUARD.EXE:
- C:\WINNT\avguard.exe (27,648 bytes)
A value is added under the Run key so that the worm is loaded at system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Special Firewall Service" = %WinDir%\avguard.exe -av service
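The two host artefacts above (the dropped file and the Run value) can be checked offline against a Regedit text export and a file listing. The script below is an added example, not part of this description or of any vendor tool: it parses a "Windows Registry Editor Version 5.00" export (string values only), flags the Run value both by its name "Special Firewall Service" and by its command line, and classifies a file by name and size. The export text is constructed for the demo; it uses the expanded path C:\WINNT in place of %WinDir% because that is what an export shows.

```python
"""Host-side check for the Netsky.c persistence and drop artefacts listed above.

Parses a Regedit 5.00 text export of the Run key (string values only) and
flags the worm's entry by value name and by command line; classify_file()
checks a path and size against the dropped copy. SAMPLE_REG is constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "Special Firewall Service"
DROPPED_NAME = "avguard.exe"
DROPPED_SIZE = 27648
# "...\avguard.exe -av service", with or without quotes around the path
COMMAND_RE = re.compile(r'(?i)(^|\\)avguard\.exe"?\s+-av\s+service\s*$')
# "Name"="data" line of a .reg export; data may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ -> \ and \" -> "


def parse_reg_export(text: str) -> dict:
    """Return {key_path_lowercased: {value_name: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_persistence(reg_text: str) -> list:
    """Run-key values that look like the worm's entry, with the reason(s)."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY.lower(), {}).items():
        reasons = []
        if name == VALUE_NAME:
            reasons.append("value name")
        if COMMAND_RE.search(data):
            reasons.append("command line")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


def classify_file(path: str, size: int):
    """None if not the dropped filename; otherwise whether the size matches."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base != DROPPED_NAME:
        return None
    if size == DROPPED_SIZE:
        return "size matches dropped worm"
    return "name matches, size differs: inspect"


# Constructed export: one benign entry with escaped quotes, the worm entry,
# and an unrelated key that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Special Firewall Service"="C:\\WINNT\\avguard.exe -av service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINNT\\system32\\cleanup.exe /quiet"
'''
```

`find_run_persistence(SAMPLE_REG)` returns a single finding for "Special Firewall Service" with both reasons, and `classify_file(r"C:\WINNT\avguard.exe", 27648)` reports the size match. Matching on the command line as well as the value name matters because a renamed value with the same `-av service` command would otherwise be missed; conversely a name-only hit with a different command is still reported so an analyst can look at it.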