Wilders Security Forums  
March 21st, 2004, 06:54 PM
Marianna
Spyware Fighter
Join Date: Apr 2002
Location: B.C. Canada
Posts: 1,215
W32.Netsky.Q@mm


Discovered on: March 21, 2004
Last Updated on: March 21, 2004 01:57:08 PM

W32.Netsky.Q@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and the subject line and message body of the email vary. The attachment name varies and has an .exe, .pif, .scr, or .zip file extension.

The worm also tries to spread itself via various file-sharing methods by copying itself into directories under enticing filenames.

This threat is compressed with FSG.




--------------------------------------------------------------------------------
Note:
Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
The worm executable has a static MD5 hash value of 0x0A9FFA57D65083C92E0D3D69B00F2F0D.

--------------------------------------------------------------------------------


Also Known As: W32/Netsky.p@MM [McAfee]

Type: Worm

When W32.Netsky.Q@mm runs, it does the following:


Creates a mutex "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to allow only one instance of the worm to execute.


Copies itself as %Windir%\FXProtect.exe.


--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------


Drops the following file:

%Windir%\userconfig9x.dll

This file is then loaded and executed by the worm. It has a static MD5 hash value of 0x3018E99857F31A59E0777396AE634A8F.

Creates the following files:


%Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
%Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of worm in zip archive
%Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of worm in zip archive
%Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of worm in zip archive
%Windir%\zipped.tmp (29,834 bytes): Worm in zip archive


Adds the value:

"Norton Antivirus AV"="%Windir%\FVProtect.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Deletes these values:

Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the values:

system.
Video

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


Deletes these values:

Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe

from the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the following subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


Retrieves email addresses from files with these extensions on drives C to Z:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml


Uses its own SMTP engine to send itself to the email addresses it finds.

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is one of the following:

Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification


The worm avoids sending to the email addresses that contain any of the following strings:

"@microsof"
"@antivi"
"@symantec"
"@spam"
"@avp"
"@f-secur"
"@bitdefender"
"@norman"
"@mcafee"
"@kaspersky"
"@f-pro"
"@norton"
"@fbi"
"abuse@"
"@messagel"
"@skynet"
"@pandasof"
"@freeav"
"@sophos"
"ntivir"
"@viruslis"
"noreply@"
"spam@"
"reports@"

http://securityresponse.symantec.com...tsky.q@mm.html
__________________
Microsoft MVP - Consumer Security 2006 - 2010
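The indicators in the post above (file hashes, dropped filenames, the Run value, the subject list, the attachment extensions and the address exclusions) can be turned into simple triage checks. The following Python is an added example written for this page; it is not Symantec's code or the poster's, and the gateway log format it parses (`<timestamp> from=<addr> to=<addr> subject="..." attach=<filename>`) is a constructed, hypothetical format used only for the sample lines embedded below. Because the post spells the copied file both FXProtect.exe and FVProtect.exe, the example matches both spellings.

```python
"""Triage helpers built from the W32.Netsky.Q@mm indicators listed above.

Added example for this page; not Symantec's or the forum poster's code.
"""
import hashlib
import re

# --- Indicators copied from the write-up above ---------------------------
# Static MD5 values the write-up gives for the worm executable and its DLL.
KNOWN_MD5 = {
    "0a9ffa57d65083c92e0d3d69b00f2f0d": "W32.Netsky.Q@mm executable",
    "3018e99857f31a59e0777396ae634a8f": "%Windir%\\userconfig9x.dll",
}
MUTEX_NAME = "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
RUN_VALUE_NAME = "Norton Antivirus AV"
# The post gives both FXProtect.exe and FVProtect.exe; match either spelling.
DROPPED_FILES = {
    "fxprotect.exe", "fvprotect.exe", "userconfig9x.dll",
    "base64.tmp", "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp",
}
SUBJECTS = {s.lower() for s in (
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify",
    "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server",
    "Re: Bad Request", "Re: Failure", "Re: Thank you for delivery",
    "Re: Test", "Re: Administration", "Re: Message Error", "Re: Error",
    "Re: Extended Mail System", "Re: Secure SMTP Message",
    "Re: Protected Mail Request", "Re: Protected Mail System",
    "Re: Protected Mail Delivery", "Re: Secure delivery",
    "Re: Delivery Protection", "Re: Mail Authentification",
)}
ATTACHMENT_EXTS = {".exe", ".pif", ".scr", ".zip"}
# Substrings of addresses the worm refuses to mail (vendor/abuse/report boxes).
SKIPPED_ADDRESS_PARTS = (
    "@microsof", "@antivi", "@symantec", "@spam", "@avp", "@f-secur",
    "@bitdefender", "@norman", "@mcafee", "@kaspersky", "@f-pro", "@norton",
    "@fbi", "abuse@", "@messagel", "@skynet", "@pandasof", "@freeav",
    "@sophos", "ntivir", "@viruslis", "noreply@", "spam@", "reports@",
)


def _basename(path: str) -> str:
    """Last path component; splits on both separators so Windows paths work anywhere."""
    return re.split(r"[\\/]", path)[-1]


def identify_by_md5(data: bytes):
    """Return the write-up's label for a file body whose MD5 is listed, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def is_dropped_filename(path: str) -> bool:
    """True when the basename is one of the files the worm copies or creates."""
    return _basename(path).lower() in DROPPED_FILES


def email_looks_like_netsky_q(subject: str, attachment: str) -> bool:
    """Both traits must match: a listed subject and a listed attachment extension."""
    name = _basename(attachment).lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return subject.strip().lower() in SUBJECTS and ext in ATTACHMENT_EXTS


def worm_would_skip(address: str) -> bool:
    """True for addresses the worm deliberately never mails (list above)."""
    addr = address.lower()
    return any(part in addr for part in SKIPPED_ADDRESS_PARTS)


def suspicious_run_values(values: dict) -> list:
    """Given {value_name: data} read from a Run key, return names worth a look."""
    return [name for name, data in values.items()
            if name == RUN_VALUE_NAME or is_dropped_filename(data.strip('"'))]


# Constructed, hypothetical gateway log format (not from the post):
#   <timestamp> from=<addr> to=<addr> subject="..." attach=<filename>
LOG_RE = re.compile(
    r'^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)" attach=(\S*)$')


def flag_log_lines(lines):
    """Return (line_number, recipient) for lines matching the worm's mail traits."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and email_looks_like_netsky_q(m.group(4), m.group(5)):
            flagged.append((n, m.group(3)))
    return flagged


# Constructed sample log lines for the format above.
SAMPLE_LOG = [
    '2004-03-21T18:54:01 from=<mail@example.com> to=<bob@example.org> subject="Re: Status" attach=details.pif',
    '2004-03-21T18:54:02 from=<alice@example.org> to=<bob@example.org> subject="Re: lunch" attach=',
    '2004-03-21T18:54:03 from=<admin@example.com> to=<carol@example.net> subject="Re: Mail Authentification" attach=message.zip',
    '2004-03-21T18:54:04 from=<news@example.com> to=<dave@example.net> subject="Re: Test" attach=report.pdf',
]

if __name__ == "__main__":
    for n, rcpt in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: Netsky.Q-style message to {rcpt}")
```

Two design points worth noting. The mail check requires both a listed subject and a listed attachment extension, since "Re: Test" or "Re: Error" alone is far too common to act on. The address-exclusion list is included because it explains why vendor, abuse@ and reports@ mailboxes receive fewer copies of this family than ordinary users do, which matters when you are judging infection volume from what lands in those boxes.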