Virus Profile: W32/Netsky.ac@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/2/2004
Date Added: 5/5/2004
Origin: Unknown
Length: 36,864 Bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4358

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Outgoing DNS queries sent to hard-coded IP addresses:
  • Existence of the files and Registry key detailed in the Virus Characteristics section

Methods of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Virus Characteristics

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • arrives as an email attachment with a .CPL extension
  • spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

  • .ppt
  • .nch
  • .mmf
  • .mht
  • .xml
  • .wsh
  • .jsp
  • .xls
  • .stm
  • .ods
  • .msg
  • .oft
  • .sht
  • .html
  • .htm
  • .pl
  • .dbx
  • .tbb
  • .adb
  • .dhtm
  • .cgi
  • .shtm
  • .uin
  • .rtf
  • .vbs
  • .doc
  • .wab
  • .asp
  • .mdx
  • .mbx
  • .cfg
  • .php
  • .txt
  • .eml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

Attachment: (.CPL extension, with one of the following filenames)

  • Fix_MSBlast.B_(%random digits%).cpl
  • Fix_Mydoom.F_(%random digits%).cpl
  • Fix_Bagle.AB_(%random digits%).cpl
  • Fix_Sasser.B_(%random digits%).cpl
  • Fix_NetSky.AB_(%random digits%).cpl

From: spoofed (using any of the following addresses):

  • support@sophos.com
  • support@norman.com
  • support@nai.com
  • support@symantec.com


Subject:

  • Escalation

Message Body:

Dear user of , %Domain Name %


We have received several abuses:

 - Hundreds of infected e-Mails have been sent
   from your mail account by the new Bagle.AB worm
 - Spam email has been relayed by the backdoor
   that the virus has created

The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.

Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.

If you have problems with the virus removal file,
please contact our support team at %From Address %
Note that we do not accept html email messages.


%Research Team %
Attachment: (any of the CPL filenames listed above)

Where:

%Domain Name% = The domain name from harvested email addresses from files listed above.

%From Address% = The email address in the 'From' field.

%Research Team% = Can be any one of the following:

  • Sophos AntiVirus Research Team
  • Norman AntiVirus Research Team
  • MCAfee AntiVirus Research Team
  • Norton AntiVirus Research Team
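The sender, subject and attachment characteristics listed above can be checked at a mail gateway before the attachment ever reaches a user. The following is an added example written for this profile, not code from the profile or from any vendor; the sample message is constructed, not a real capture, and the indicator names and the two-indicator threshold are choices made here.

```python
import re
from email import message_from_string

# Message characteristics of W32/Netsky.ac@MM, as described in this profile.
SPOOFED_SENDERS = {"support@sophos.com", "support@norman.com",
                   "support@nai.com", "support@symantec.com"}
# Fix_<worm>_(<random digits>).cpl, tolerating stray spaces around the digits.
ATTACHMENT_RE = re.compile(
    r"^Fix_(MSBlast\.B|Mydoom\.F|Bagle\.AB|Sasser\.B|NetSky\.AB)_\(\s*\d+\s*\)\s*\.cpl$",
    re.IGNORECASE)

def netsky_ac_indicators(raw):
    """Return the profile's indicators matched by an RFC 822 message, in order."""
    msg = message_from_string(raw)
    hits = []
    addr = re.search(r"[\w.+-]+@[\w.-]+", (msg.get("From") or "").lower())
    if addr and addr.group(0) in SPOOFED_SENDERS:
        hits.append("spoofed vendor support sender")
    if (msg.get("Subject") or "").strip().lower() == "escalation":
        hits.append("subject 'Escalation'")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if ATTACHMENT_RE.match(name):
            hits.append("Fix_*.cpl attachment: " + name)
        elif name.lower().endswith(".cpl"):
            hits.append(".cpl attachment: " + name)
    return hits

def is_netsky_ac(raw):
    """Flag a message when a .cpl attachment co-occurs with the lure's sender or subject."""
    hits = netsky_ac_indicators(raw)
    return any("cpl attachment" in h for h in hits) and len(hits) >= 2

# Constructed sample (not a real capture) shaped like the lure described above.
SAMPLE = """\
From: support@symantec.com
Subject: Escalation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Fix_Bagle.AB_(483920).cpl"
Content-Disposition: attachment; filename="Fix_Bagle.AB_(483920).cpl"

AAAA
--b1--
"""
```

Run `netsky_ac_indicators(SAMPLE)` to see the three matched indicators; `is_netsky_ac` is the single verdict a gateway rule would act on.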

The virus contains two components:

  • CPL file - Dropper component - (36,864 bytes)
  • EXE file - The actual worm itself - (18,432 bytes)

The dropper component is copied to the victim machine as COMP.CPL:

  • %WinDir%\COMP.CPL

The worm component is copied to the victim machine as WSERVER.EXE:

  • %WinDir%\WSERVER.EXE

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run "wserver" =  %WinDir%\wserver.exe

The virus avoids sending itself to addresses which contain the following strings:

  • iruslis
  • antivir
  • sophos
  • freeav
  • andasoftwa
  • skynet
  • messagelabs
  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • spam
  • ymantec
  • antivi
  • icrosoft