Virus Profile: W32/Netsky.p@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 3/21/2004
Date Added: 3/21/2004
Origin: N/A
Length: 29,568 bytes (mailed)
26,624 bytes (dropped)
Type: Virus
Subtype: Internet Worm
DAT Required: 4340

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the registry key and files listed in the Virus Characteristics section.

Methods of Infection

The worm spreads via SMTP mail and through P2P file-sharing directories.

Aliases

W32.Netsky.Q@mm (Symantec), WORM_NETSKY.P (Trend)

Virus Characteristics

-- Update 27th August 09:25 UTC --
Current variants contain different email string contents.

-- Update 22nd March 06:20 PST --
Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM.

If you think that you may be infected with Netsky.p and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected; the virus often forges the From address.

A new variant of W32/Netsky@MM has been received which spreads through email like its predecessors. The main component is 29,568 bytes long and FSG packed.

When run, the worm copies itself to the Windows directory as:

  • FVProtect.exe

It creates the following files in the same directory:

  • userconfig9x.dll (26,624 bytes)
  • base64.tmp (UUEncoded copy of the worm)
  • zip1.tmp (UUEncoded copy of the worm inside a zip archive)
  • zip2.tmp (UUEncoded copy of the worm inside a zip archive)
  • zip3.tmp (UUEncoded copy of the worm inside a zip archive)
  • zipped.tmp (the worm inside a zip archive)

The three zip archives differ from one another at the byte level.

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

Where %WinDir% is the Windows directory.

Mail Propagation

The worm sends mail using SMTP. The messages it sends have the following characteristics:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

  • Stolen document
  • Re:Hello
  • Mail Delivery ( failure sender address )
  • Private document
  • Re:Notify
  • Re:document
  • Re:Extended Mail System
  • Re:Proctected Mail System
  • Re:Question
  • Private document
  • Postcard
  • Re: Mail Authentification
  • Re: Delivery Protection
  • Re: Secure delivery
  • Re: Protected Mail Delivery
  • Re: Protected Mail System
  • Re: Protected Mail Request
  • Re: Secure SMTP Message
  • and others.

Body: (Taken from the following list)

  • I found this document about you.
  • I have attached it to this mail.
  • Waiting for authentification.
  • Please confirm!
  • Protected message is available
  • Do not visit this illegal websites!
  • Here is my phone number.
  • I cannot believe that.
  • Your file is attached.
  • For further details see that attachment.
  • Congratulations!, your best friend.
  • Greetings from france, your friend.
  • If the message will not displayed automatically, follow the link to read the delivered message.
    Received message is available at:
    (forged web link)
  • Binary message is available.
  • Try this game ;-)
  • I found this document about you.
  • I have corrected your document.
  • You cannot do that!
  • and others.

The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2) so that the attachment executes automatically on vulnerable systems.

Attachment: (one of the following)

  • websites(random number).zip
  • document(random number).zip
  • your_document.zip
  • part(random number).zip
  • message.doc.scr
  • message.zip
  • document.zip
  • old_photos.txt.pif
  • postcard_.(random number)..zip
  • details(random number).zip
  • document05.zip
  • detail3.zip
  • attach.zip
  • your_document.zip
  • and others.

Each .zip attachment contains a copy of the worm.

The mailing component harvests email addresses from the local system. Files with the following extensions are searched:

  • .xml
  • .wsh
  • .jsp
  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .dhtm
  • .cgi
  • .shtm
  • .uin
  • .rtf
  • .vbs
  • .doc
  • .wab
  • .asp
  • .php
  • .txt
  • .eml
  • .html
  • .htm
  • .pl

The virus sends itself via SMTP, constructing messages with its own SMTP engine. It queries the DNS server for the target domain's MX record, connects directly to that domain's MTA and delivers the message.
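Because the worm delivers mail straight to each target domain's MX host rather than through the organisation's relay, a workstation that suddenly opens outbound TCP/25 connections to many different external hosts is a useful network-level indicator. The script below is an added example (not McAfee's code) that applies that check to a constructed firewall/flow log; the log format, the internal address range, the relay address and the threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow log sample: "timestamp src dst proto dport" (all addresses fictitious).
SAMPLE_FLOWS = """\
2004-03-22T06:21:01 10.1.2.34 192.0.2.25 tcp 25
2004-03-22T06:21:02 10.1.2.34 198.51.100.7 tcp 25
2004-03-22T06:21:02 10.1.2.34 203.0.113.9 tcp 25
2004-03-22T06:21:03 10.1.2.34 203.0.113.10 tcp 25
2004-03-22T06:21:05 10.1.2.34 198.51.100.8 tcp 25
2004-03-22T06:21:06 10.1.2.34 203.0.113.11 tcp 25
2004-03-22T06:21:06 10.1.2.34 203.0.113.12 tcp 25
2004-03-22T06:21:07 10.1.2.34 203.0.113.13 tcp 25
2004-03-22T06:21:07 10.1.2.34 203.0.113.14 tcp 25
2004-03-22T06:21:08 10.1.2.34 203.0.113.15 tcp 25
2004-03-22T06:21:09 10.1.2.34 203.0.113.16 tcp 25
2004-03-22T06:21:10 10.1.2.50 10.1.0.25 tcp 25
2004-03-22T06:21:11 10.1.0.25 192.0.2.25 tcp 25
2004-03-22T06:21:12 10.1.2.34 203.0.113.80 tcp 80
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal address space
AUTHORISED_RELAYS = {ipaddress.ip_address("10.1.0.25")}   # assumed corporate mail relay
DISTINCT_MTA_THRESHOLD = 5                                 # assumed tuning value


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the log; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, dport = parts
        try:
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)
        except ValueError:
            continue


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def direct_to_mx_hosts(text, threshold=DISTINCT_MTA_THRESHOLD):
    """Return {source: number of distinct external hosts contacted on TCP/25} for
    internal hosts that are not an authorised relay and reached at least `threshold`
    distinct external MTAs. Only external destinations count, so normal submission
    to the internal relay is ignored."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto != "tcp" or dport != 25:
            continue
        if not is_internal(src) or src in AUTHORISED_RELAYS or is_internal(dst):
            continue
        targets[src].add(dst)
    return {str(src): len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, n in direct_to_mx_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct external MTAs on TCP/25 - check for mass-mailer activity")
```

In the sample only 10.1.2.34 trips the rule (eleven distinct external MTAs); the workstation that submits to the internal relay and the relay itself do not. The same property is what makes an egress rule that allows outbound TCP/25 only from the mail relay an effective containment for this family.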

The virus will not mail itself to email addresses containing the following strings:

  • reports@
  • spam@
  • noreply@
  • @viruslis
  • ntivir
  • @sophos
  • @freeav
  • @pandasof
  • @skynet
  • @messagel
  • abuse@
  • @fbi
  • @norton
  • @f-pro
  • @kaspersky
  • @mcafee
  • @norman
  • @bitdefender
  • @f-secur
  • @avp
  • @spam
  • @symantec
  • @antivi
  • @microsof

P2P Propagation

The worm searches for directories whose names contain the following strings:

  • shared files
  • kazaa
  • mule
  • donkey
  • morpheus
  • lime
  • bear
  • icq
  • shar
  • upload
  • http
  • htdocs
  • ftp
  • download
  • my shared folder

It copies itself to these directories using the following file names:

  • 1001 Sex and more.rtf.exe
  • 3D Studio Max 6 3dsmax.exe
  • ACDSee 10.exe
  • Adobe Photoshop 10 crack.exe
  • Adobe Photoshop 10 full.exe
  • Adobe Premiere 10.exe
  • Ahead Nero 8.exe
  • Altkins Diet.doc.exe
  • American Idol.doc.exe
  • Arnold Schwarzenegger.jpg.exe
  • Best Matrix Screensaver new.scr
  • Britney sex xxx.jpg.exe
  • Britney Spears and Eminem porn.jpg.exe
  • Britney Spears blowjob.jpg.exe
  • Britney Spears cumshot.jpg.exe
  • Britney Spears fuck.jpg.exe
  • Britney Spears full album.mp3.exe
  • Britney Spears porn.jpg.exe
  • Britney Spears Sexy archive.doc.exe
  • Britney Spears Song text archive.doc.exe
  • Britney Spears.jpg.exe
  • Britney Spears.mp3.exe
  • Clone DVD 6.exe
  • Cloning.doc.exe
  • Cracks & Warez Archiv.exe
  • Dark Angels new.pif
  • Dictionary English 2004 - France.doc.exe
  • DivX 8.0 final.exe
  • Doom 3 release 2.exe
  • E-Book Archive2.rtf.exe
  • Eminem blowjob.jpg.exe
  • Eminem full album.mp3.exe
  • Eminem Poster.jpg.exe
  • Eminem sex xxx.jpg.exe
  • Eminem Sexy archive.doc.exe
  • Eminem Song text archive.doc.exe
  • Eminem Spears porn.jpg.exe
  • Eminem.mp3.exe
  • Full album all.mp3.pif
  • Gimp 1.8 Full with Key.exe
  • Harry Potter 1-6 book.txt.exe
  • Harry Potter 5.mpg.exe
  • Harry Potter all e.book.doc.exe
  • Harry Potter e book.doc.exe
  • Harry Potter game.exe
  • Harry Potter.doc.exe
  • How to hack new.doc.exe
  • Internet Explorer 9 setup.exe
  • Kazaa Lite 4.0 new.exe
  • Kazaa new.exe
  • Keygen 4 all new.exe
  • Learn Programming 2004.doc.exe
  • Lightwave 9 Update.exe
  • Magix Video Deluxe 5 beta.exe
  • Matrix.mpg.exe
  • Microsoft Office 2003 Crack best.exe
  • Microsoft WinXP Crack full.exe
  • MS Service Pack 6.exe
  • netsky source code.scr
  • Norton Antivirus 2005 beta.exe
  • Opera 11.exe
  • Partitionsmagic 10 beta.exe
  • Porno Screensaver britney.scr
  • RFC compilation.doc.exe
  • Ringtones.doc.exe
  • Ringtones.mp3.exe
  • Saddam Hussein.jpg.exe
  • Screensaver2.scr
  • Serials edition.txt.exe
  • Smashing the stack full.rtf.exe
  • Star Office 9.exe
  • Teen Porn 15.jpg.pif
  • The Sims 4 beta.exe
  • Ulead Keygen 2004.exe
  • Visual Studio Net Crack all.exe
  • Win Longhorn re.exe
  • WinAmp 13 full.exe
  • Windows 2000 Sourcecode.doc.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe
  • WinXP eBook newest.doc.exe
  • XXX hardcore pics.jpg.exe

All Users
Use the specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirement for detection, the specified engine version (or greater) must also be used.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Terminate the FVPROTECT.EXE process using Windows Task Manager.
  2. Delete the following files from your Windows directory (typically c:\windows or c:\winnt):
      1. FVPROTECT.EXE
      2. USERCONFIG9X.DLL
      3. BASE64.TMP
      4. ZIP1.TMP
      5. ZIP2.TMP
      6. ZIP3.TMP
      7. ZIPPED.TMP
  3. Delete the copies of the worm dropped into shared and P2P directories under the enticing file names listed above.
  4. Edit the registry:
    • Delete the "Norton Antivirus AV" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  5. Reboot the system.
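The files and Run value listed under Virus Characteristics are the page's indicators of infection, and the manual steps above remove them. The following added script (not McAfee's and not Stinger) verifies afterwards that none of them remain. The check itself is a pure function over a Windows-directory listing and the values of the Run key, so it can be exercised offline; the Windows collector, the %WINDIR% fallback and the two sample host states are assumptions. It only reports and never deletes anything.

```python
import os
import sys

# Artefacts named in the profile (compared case-insensitively).
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
                 "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"


def assess_host(windir_listing, run_values):
    """Return a list of findings (empty when clean).

    windir_listing: iterable of file names found in the Windows directory.
    run_values:     {value name: data} read from the HKLM Run key.
    """
    findings = []
    present = DROPPED_FILES & {name.lower() for name in windir_listing}
    for name in sorted(present):
        findings.append(f"file still present: %WinDir%\\{name}")
    for name, data in run_values.items():
        # Match either the value name the worm uses or any value pointing at its dropper.
        if name == RUN_VALUE_NAME or str(data).lower().endswith("\\fvprotect.exe"):
            findings.append(f"autorun value present: Run\\{name} = {data}")
    return findings


def collect_windows_state():
    """Assumed collector for a live Windows host: returns (listing, run_values)."""
    import winreg  # only importable on Windows
    windir = os.environ.get("WINDIR", r"C:\Windows")  # assumed fallback path
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once all values have been enumerated
                break
            run_values[name] = data
            index += 1
    return os.listdir(windir), run_values


# Constructed sample states: one host before cleanup, one after.
INFECTED = (["explorer.exe", "FVProtect.exe", "userconfig9x.dll", "zipped.tmp"],
            {"Norton Antivirus AV": r"C:\WINDOWS\FVProtect.exe"})
CLEANED = (["explorer.exe", "notepad.exe"], {"SomeOtherApp": r"C:\Program Files\x.exe"})

if __name__ == "__main__":
    if sys.platform == "win32":
        listing, run_values = collect_windows_state()
    else:
        listing, run_values = INFECTED  # offline demonstration on non-Windows hosts
    for line in assess_host(listing, run_values) or ["no Netsky.p artefacts found"]:
        print(line)
```

Run it once before step 1 to confirm the diagnosis and again after the reboot in step 5; a non-empty result means a step was skipped or the worm re-created its dropper because the process was still running.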

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan signatures that can detect the W32/Netsky.p@MM virus are available from:

ThreatScan Signature version:  2004-03-22
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4066

Sniffer Distributed, Sniffer Portable and Netasyst Capture Recommendation:

Because the offsets of the Subject, Mail From and attachment fields vary between the emails this virus sends, and because it is not a network-aware worm, a Sniffer filter cannot be created for it.

Recommendation for customers:

  1. Create a capture profile that captures only SMTP traffic.
  2. Analyze the captured traffic for Subject, Mail To and attachments in the decode (see http://vil.nai.com/vil/content/v_101119.htm) to identify whether the virus is propagating from specific IPs.
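The recommendation above (capture SMTP only, then inspect Subject, Mail To and attachments per source IP) can be automated against the characteristics listed under Mail Propagation. The script below is an added example, not McAfee's or Sniffer's code: it parses client-side SMTP transcripts, extracts recipients and the message, matches a subset of the page's subject lines, body phrases and attachment names (plus a generic double-extension check, since the worm's names follow that pattern), and aggregates hits by source IP. The transcript format, the addresses and the threshold are constructed assumptions.

```python
import email, re
from collections import defaultdict
from email import policy

# Subset of the profile's subject lines, body phrases and attachment names; "(random number)" -> \d+.
NETSKY_SUBJECTS = {"stolen document", "re:hello", "private document", "re:notify", "re:document",
                   "re:question", "postcard", "re: mail authentification", "re: secure delivery",
                   "re: protected mail delivery", "re: protected mail system", "re: secure smtp message"}
NETSKY_PHRASES = ("i found this document about you", "i have attached it to this mail",
                  "protected message is available", "your file is attached", "try this game")
NETSKY_ATTACHMENTS = re.compile(r"^((websites|document|part|details)\d+|postcard_\.\d+\.|your_document"
                                r"|message|document|detail3|attach)\.zip$|^(message\.doc\.scr|old_photos\.txt\.pif)$", re.I)
DOUBLE_EXT = re.compile(r"\.(doc|txt|rtf|jpg|mp3|mpg|htm|html)\.(exe|scr|pif)$", re.I)  # e.g. photo.jpg.exe

# Constructed capture: (source IP, client-side SMTP transcript) pairs; all addresses fictitious.
SAMPLE_SESSIONS = [
    ("10.1.2.34", """\
MAIL FROM:<alice@example.com>
RCPT TO:<bob@example.net>
DATA
Subject: Re: Protected Mail Delivery
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Protected message is available.
--b1
Content-Disposition: attachment; filename="details8417.zip"

PK
--b1--
.
"""),
    ("10.1.2.34", """\
MAIL FROM:<dave@example.com>
RCPT TO:<carol@example.org>
DATA
Subject: Re:Hello
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Disposition: attachment; filename="old_photos.txt.pif"

MZ
--b2--
.
"""),
    ("10.1.2.50", """\
MAIL FROM:<erin@example.com>
RCPT TO:<frank@example.net>
DATA
Subject: Lunch tomorrow?

See you at noon.
.
"""),
]


def parse_session(transcript):
    """Return (recipients, raw RFC 822 message) from a client-side SMTP transcript."""
    recipients, data, in_data = [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            else:
                data.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
        elif line.upper().startswith("RCPT TO:"):
            recipients.append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    return recipients, "\n".join(data)


def netsky_indicators(raw_message):
    """Return the Netsky.p indicators seen in one message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in NETSKY_SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))  # None when the only part is an attachment
    text = body.get_content().lower() if body else ""
    hits += ["body:" + p for p in NETSKY_PHRASES if p in text]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if NETSKY_ATTACHMENTS.match(name) or DOUBLE_EXT.search(name):
            hits.append("attachment:" + name)
    return hits


def suspicious_sources(sessions, min_hits=2):
    """Group indicators by source IP; report sources with at least `min_hits` in total."""
    report = defaultdict(lambda: {"sessions": 0, "recipients": set(), "indicators": []})
    for src, transcript in sessions:
        rcpts, raw = parse_session(transcript)
        if hits := netsky_indicators(raw):
            report[src]["sessions"] += 1
            report[src]["recipients"].update(rcpts)
            report[src]["indicators"] += hits
    return {src: e for src, e in report.items() if len(e["indicators"]) >= min_hits}
```

On the constructed capture, 10.1.2.34 is reported with five indicators across two sessions while the benign session from 10.1.2.50 is ignored. Because the From header is forged, the source IP from the capture, not the sender address, is what identifies the infected host; the envelope sender is deliberately not used for attribution here.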