Virus Profile: W32/Netsky.q@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 3/28/2004
Date Added: 3/28/2004
Origin: N/A
Length: 28,008 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4345
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Methods of Infection

Aliases

I-Worm.NetSky.r (AVP), W32.Netsky.Q@mm, W32/BinNote.a@MM, W32/Netsky.Q.worm (Panda), WORM_NETSKY.Q (Trend)
   

Virus Characteristics

A new variant of W32/Netsky@MM has been received which spreads through email like its predecessors.  The main component is 28,008 bytes (Petite packed) long.

When run, the worm copies itself to the Windows directory as:

  • SysMonXP.exe

It creates the following files in the same directory:

  • c:\WINDOWS\base64.tmp
  • c:\WINDOWS\firewalllogger.txt
  • c:\WINDOWS\zipo0.txt  (Base64 encoded)
  • c:\WINDOWS\zipo1.txt  (Base64 encoded)
  • c:\WINDOWS\zipo2.txt  (Base64 encoded)
  • c:\WINDOWS\zipo3.txt  (Base64 encoded)
  • c:\WINDOWS\zippedbase64.tmp
  • c:\WINDOWS\sysmonxp.exe

Note:   Where the Base64 archives are different in binary.

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "SysMonXP" = Data: C:\WINDOWS\SysMonXP.exe

Note:   Where %WinDir% is the Windows directory.

Mail Propagation

The worm arrives as an email attachment.  The message content varies.  Some examples are as follows:

Subject:

  • Delivery Bot (%recipient email address %)
  • Server Error (%recipient email address %)
  • Deliver Mail (%recipient email address %)
  • Delivery Failed (%recipient email address %)
  • Unknown Exception (%recipient email address %)
  • Failed (%recipient email address %)
  • Failure (%recipient email address %)
  • Status (%recipient email address %)
  • Error (%recipient email address %)
  • Delivered Message (%recipient email address %)
  • Mail System (%recipient email address %)
  • Mail Delivery System (%recipient email address %)
  • Mail Delivery failure (%recipient email address %)
  • Delivery (%recipient email address %)
  • Delivery Failure (%recipient email address %)
  • Delivery Error (%recipient email address %)

Body:

  • Received message has been sent as a binary file.
  • Modified message has been sent as a binary attachment.
  • Received message has been sent as an encoded attachment.
  • Translated message has been attached.
  • Message has been sent as a binary attachment.
  • Received message has been attached.
  • Partial message is available and has been sent as a binary attachment.
  • The message has been sent as a binary attachment.
  • Delivery Agent - Translation failed
  • Delivery Failure - Invalid mail specification
  • Mail Delivery Failure - This mail couldn't be shown
  • Mail Delivery System - This mail contains binary characters
  • Mail Transaction Failed - This mail couldn't be converted
  • Mail Delivery Error - This mail contains unicode characters
  • Mail Delivery Failed - This mail couldn't be represented
  • Mail Delivery - This mail couldn't be displayed

The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems.

Attachment: (Part 1)

  • mail
  • msg
  • message
  • Note
  • data

(Part 2)

  • random numbers
  • nothing

(Part 3)

  • pif
  • eml .scr
  • zip

Denial Of Service

If the system time is between April 8th - April 11th, 2004, the worm launches a Denial of Service attack on the following web sites:

  • www.edonkey2000.com
  • www.kazaa.com
  • www.emule-project.net
  • www.cacks.am
  • www.cracks.st

If you think that you may be infected with Netsky.q, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

   

All Users
The 4345 DAT Files will detect and remove this threat.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger
 Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Terminate the SYSMONXP.EXE process using Windows Task Manager.
  2. Delete the following files from your Windows directory (typically c:\windows or c:\winnt):
      1. SYSMONXP.EXE
      2. FIREWALLLOGGER.TXT
      3. BASE64.TMP
      4. ZIPO0.TXT
      5. ZIPO1.TXT
      6. ZIPO2.TXT
      7. ZIPO3.TXT
      8. ZIPPEDBASE64.TMP
  3. Delete the many copies of the worm dropped on the victim machine, with the enticing filenames as described above.
  4. Edit the registry
    • Delete the "SysMonX" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
  5. Reboot the system

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan signatures that can detect the W32/Netsky.q@MM virus are available from:

      -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-03-29

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

      -       Select the "Remote Infection Detection" category and "Windows Virus Checks" template. -or-
      -       Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

      -       Run the "ThreatScan Template Report"
      -       Look for module number #4066