-- Update July 5th, 2004 --
The risk assessment of this threat has been upgraded to Medium due to it's prevalence.
|If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
-- Update July 5th, 2004 --
The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
- the sample is packed with UPX runtime compressor.
Note: The worm carries its source code (assembler) in its body, encrypted. When mass-mailing itself, the worm may also include a copy of the source code (within a ZIP archive, SOURCES.ZIP). It is not unlikely therefore that we will see further trivial variants based on this source. Though various differences may be expected, the following parameters are most likely (easy) to be modified:
- port number used by backdoor
- backdoor password
- date of 'expiry'
The details are as follows:
From : (address is spoofed)
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- RE: Incoming Msg
- RE: Message Notify
- Fax Message
- Protected message
- RE: Protected message
- Forum notify
- Site changes
- Re: Hi
- Encrypted document,0
The following filenames are used:
using one the following extensions:
- Script dropper - using one of the following file extensions:
- Executable, using one of the following file extensions:
- Executable dropper, CPL file with .CPL file extension.
If the attachment is a ZIP file, the archive may be encrpyted (password protected). The password is contained in the message body (plaintext or image).
The virus copies itself into the Windows System directory as LOADER_NAME.EXE. For example:
It also creates copies of itself (with differing appended garbage) in this directory to perform its functions:
The following Registry key is added to hook system startup:
"reg_key " = "C:\WINNT\System32\loader_name.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
This worm attempts to terminate the processes of various security programs (and other worms).
The worm opens port 1234 (TCP) on the victim machine.