Virus Profile: W32/Netsky.ag@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 10/13/2004
Date Added: 10/13/2004
Origin: Unknown
Length: 31,232 bytes (EXE)
approx 31kB (ZIP)
Type: Virus
Subtype: E-mail
DAT Required: 4399
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the files and registry keys mentioned above. Unexpected network traffic.

Methods of Infection

This worm spreads by email and by copying itself to folders on the local harddrive as well as on mapped network drives if available. It does not scan for open shares.

Aliases

I-Worm.NetSky.b (AVP), W32.Netsky.AD@mm (Symantec), WORM_NETSKY.AF (Trend)
   

Virus Characteristics

-- Update February 3, 2005 --

The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
--

-- Update October 14th 2004 --
 Due to an increase in prevalence the risk assessment of this threat is being raised to Medium

--

This variant of W32/Netsky is very similar to previous variants. It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages

System Changes

When run, the worm displays a message box "File corrupted replace this!".

The worm installs itself on the victim machine as MsnMsgrs.exe in the Windows directory:

  • %WinDir%\MsnMsgrs.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev

It copies itself to Windows directory as the following files:

  • Agradou.zip
  • agua!.zip
  • AIDS!.zip
  • aqui.zip
  • banco!.zip
  • bingos!.zip
  • botao.zip
  • brasil!.zip
  • carros!.zip
  • circular.zip
  • contas!!.zip
  • criancas!.zip
  • diga.zip
  • dinheiro!!.zip
  • docs.zip
  • email.zip
  • festa!!.zip
  • flipe.zip
  • grana!!.zip
  • grana.zip
  • imposto.zip
  • impressao!!.zip
  • jogo!.zip
  • lantrocidade.zip
  • LINUSTOR.zip
  • loterias.zip
  • lulao!.zip
  • massas!.zip
  • missao.zip
  • MsnMsgrs.exe
  • revista.zip
  • robos!.zip
  • sampa!!.zip
  • sorteado!!.zip
  • tetas.zip
  • vaca.zip
  • vadias!.zip
  • vips!.zip
  • Voce.zip
  • war3!.zip
  • Zerado.zip


Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .dbx
  • .doc
  • .eml
  • .htm
  • .html
  • .php
  • .pl
  • .php
  • .rtf
  • .uin
  • .vbs
  • .wab
  • .oft
  • .sht
  • .tbb
  • .txt

Constructed messages bear the following characteristics:

From: This is spoofed (using harvested email addresses)
Subject: (One of the following)

  • 0123456789
  • Abra rapido isso!!!!
  • acrdito que em voce!!!
  • algo a mais
  • AmaVoce
  • amor me liga
  • AninhaPutinha +55operado6992292246
  • arquivo zipado PGP???
  • Boleto Pague
  • campanhadafome
  • encontro voce!
  • estou doente veja!!!
  • falea verdade!!!
  • ferias nos E.U.A
  • ganhe muita grana
  • gostaria disso e voce???
  • grana
  • Hackers do Brasil
  • Lembra?
  • me diz o queacha?
  • me veja peladinha
  • Medical Labs Exames!!!
  • meu telefone liga
  • olha que isso!!!
  • parabens!
  • PizzaVeneza!
  • Policia SP
  • pq nao me liga??
  • preenche ai ta bom
  • promocao de viajens de fim de ano
  • Proposta de emprego!!
  • receitas de bolo!!
  • retorna logo isso!!
  • reza de sao tome!!!!.
  • sinto voce!!
  • sua conta bancaria zerada
  • Sua Conta!!
  • Surto :(
  • te amo!
  • tudo sobre voce sabe
  • Vacina contra o HIV!!
  • ve ai logo ta
  • veja detalhes!!!.
  • veja o que tem no zip e me liga
  • voce passou :D!!!

Body: (One of the following)

  • PizzaVeneza!
  • preenche ai ta bom
  • encontro voce!
  • veja detalhes!!!.
  • reza de sao tome!!!!.
  • Abra rapido isso!!!!
  • AmaVoce
  • AMA!
  • ve ai logo ta
  • voce passou :D!!!
  • arquivo zipado PGP???
  • retorna logo isso!!
  • me diz o queacha?
  • estou doente veja!!!
  • Proposta de emprego!!
  • tudo sobre voce sabe
  • promocao de viajens de fim de ano
  • acrdito que em voce!!!
  • receitas de bolo!!
  • veja o que tem no zip e me liga
  • Boleto Pague
  • Sua Conta!!
  • Policia SP
  • te amo!
  • parabens!
  • olha que isso!!!
  • sua conta bancaria zerada
  • Vacina contra o HIV!!
  • Surto :(
  • ferias nos E.U.A
  • meu telefone liga
  • Medical Labs Exames!!!
  • Hackers do Brasil
  • amor me liga
  • Lembra?
  • grana
  • sinto voce!!
  • pq nao me liga??
  • vaca
  • campanhadafome
  • ganhe muita grana
  • falea verdade!!!
  • algo a mais
  • gostaria disso e voce???
  • me veja peladinha

Attachment: (One of the following)

  • agradou
  • agua!
  • AIDS!
  • banco!
  • bingos!
  • botao
  • brasil!
  • carros!
  • circular
  • contas!!
  • criancas!
  • dinheiro!!
  • email
  • festa!!
  • flipe
  • grana
  • grana!!
  • imposto
  • impressao!!
  • jogo!
  • lantrocidade
  • LINUSTOR
  • loterias
  • lulao!
  • massas!
  • missao
  • morto
  • pescaria por kilo
  • revista
  • robos!
  • sampa!!
  • sorteado!!
  • Sua saude esta bem?
  • tetas
  • vadias!
  • vips!
  • war3!
  • zerado

The following file extensions are used:

  • .pif
  • .com
  • .scr
  • .bat
  • .zip

Network propagation/Peer to Peer propagation

The worm copies itself to local folders containing string share or sharing , network shares and P2P shared folders.  It uses the following file names:

  • aninha gatinha!.zip.scr
  • barrio.scr
  • cafe!!.zip.scr
  • Canaval2004!.jpg.pif
  • Carnaval em Salvador!!.zip.scr
  • caspa.scr
  • celulares!!.zip.scr
   

All Users :
Please use the latest released engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  2. Delete the following files from your WINDOWS directory (typically C:\Windows or C:\Winnt):
    MsnMsgrs.exe
  3. Edit the registry
    • Delete the "MsnMsgr" value from
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run
  4. Reboot the system into Default Mode
  5. Manual deletion of the many copies of the worm that have been copied to local folders containing the strings share or sharing will then be required. For this, search for files whose filenames and size match the details listed above, and delete these files.

McAfee IntruShield
An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
 
https://mysupport.nai.com/
Knowledgebase Article KB38001
 
Please note: The above knowledgebase article is password protected and requires you to log into Service Portal before accessing it.

Network General Sniffer
 A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1