W32/NetSky.h@MM

Virus Information
Discovery Date: 03/05/2004
Origin: Unknown
Length: 22,528 bytes (PE-Pack)
Type: Virus
SubType: E-mail

A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).
This variant is very similar to W32/Netsky.g@MM .

This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate the various other viruses (variants of W32/Mydoom and W32/Bagle).

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)


Subject:

Re: Hi
Re: Part 3
Re: Part 2
Re: Index
Re: Hello
Re: Yours
Re: Samples
Re: Your TAN
Re: Your PIN
Re: Your bill
Re: My details
Re: Your data
Re: Appending
Re: Your folder
Re: Your file
Re: Approved
Re: Document
Re: Your briefing
Re: Your picture
Re: Your loveletter
Re: Your details
Re: Zipped folder
Re: Secound Part
Re: Here the file
Re: Your application
Re: Your encrypted file
Body:

Your file is attached
Please read the attached file
Please have a look at the attached
See the attached file for details
Here is the file
Your document is attached.
Attachment:

yours.scr
your_pic.scr
document.scr
your_bill.scr
mp3music.scr
my_details.scr
your_file.scr
your_letter.scr
your_tan_33.scr
your_pin_88.scr
your_briefing.scr
your_details.scr
all_document.scr
application.scr
document_word.scr
document_excel.scr
document_4351.scr
your_picture.scr
message_part2.scr
your_smaples.scr
document_full.scr
your_document.scr
message_details.scr
your_picture.pif
The mailing component harvests address from the local system. Files with the following extensions are targeted:

.adb
html
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab
It does not send itself to addresses that contain one of the following strings:

abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
skynet
spam
messagelabs
ymantec
antivi
icrosoft
iruslis
antivir
sophos
freeav
andasoftwa
The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename MAJA.EXE.

C:\WINNT\maja.exe (22,528 bytes)
Note: A valid file exists in the %Sysdir% directory.

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
"Antivirus" = %WinDir%\maja.exe -antivirus service

http://vil.nai.com/vil/content/v_101077.htm