W32/Netsky-E

Aliases
W32/Netsky.c@MM

Type
Win32 worm

Description
W32/Netsky-E is a worm which spreads via shared networks and by emailing itself to addresses found within files located on local drives.
A detailed analysis of W32/Netsky-E will be published here shortly. Please check again later.

http://www.sophos.com/virusinfo/analyses/w32netskye.html

 

Virus Information
Discovery Date: 03/01/2004
Origin: Unknown
Length: 24,480 (Petite packed)
Type: Virus
SubType: E-mail worm

A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: Constructed from strings carried within the worm.

Note: initial investigation indicates that the worm may email itself either as a binary or as a binary within a ZIP file. This will be updated when analysis is complete.

The mailing component harvests address from the local system. Files with the following extensions are targeted:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab
It does not send itself to addresses that contain one of the following strings:

abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
skynet
spam
messagelabs
ymantec
antivi
icrosoft
The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename WINLOGON.EXE.

C:\WINNT\WINLOGON.EXE (24,480 bytes)
Note: A valid file exists in the Windows System directory.

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
"ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
Virus removal
The virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "au.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "d3dupdate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "KasperskyAv"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "OLE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "DELETE ME"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "KasperskyAv"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "msgsvr32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Sentry"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices "system."
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Symptoms

Existence of files and registry keys as mentioned above
Unexpected network traffic
Outgoing DNS queries to one of the following hard-coded IP addresses:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16

http://vil.nai.com/vil/content/v_101067.htm

 

WORM_NETSKY.D

WORM_NETSKY.D is another new variant of the NETSKY worm, and it is currently spreading in-the-wild. It is a memory-resident worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine. If the current computer system date is March 2, 2004 and the time is between 6am and 9am, the worm's payload causes the computer to generate beeping sounds. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself as WINLOGON.EXE in the Windows folder. (Note: on Windows NT, 2000 and XP, there is an application named WINLOGON.EXE in the Windows System folder.) It then creates a mutex that checks for its existence on the system, and it creates a registry entry that allows it to automatically execute at every system startup. It also deletes several registry entries and keys that are added by other malware, such as variants of MYDOOM, MIMAIL, NETSKY, DEADHAT, BAGLE, NACHI, and PARITE.

This worm uses its own SMTP engine to propagate. It sends email using any of several specific "Subject:" lines, any of several specific "Message Body:" contents, and any of several specific "Attachment:" names (please view the full virus description for the list of Subjects, Message Body contents, and Attachments). It gathers target email addresses by searching all fixed drives in drives C through Z (except the CD-ROM drive) for files with the following extensions:

ADB
ASP
CGI
DBX
DHTM
DOC
EML
HTM
HTML
MSG
OFT
PHP
PL
RTF
SHT
SHTM
TBB
TXT
UIN
VBS
WAB

As it scans each of the above-mentioned files, the worm skips email addresses that contain the following text strings, in order to evade detection by security software associated with these strings:

"abuse"
"antivi"
"aspersky"
"avp"
"cafee"
"fbi"
"f-pro"
"f-secur"
"icrosoft"
"itdefender"
"orman"
"orton"
“skynet”
"spam"
"ymantec"

The malware searches for mail exchangers that match its preferences on each of the DNS servers, and uses them as SMTP servers.

The following text string is embedded within the malware's code:

be aware! Skynet.cz - -->AntiHacker Crew <--


If you would like to scan your computer for WORM_NETSKY.D or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_NETSKY.D is detected and cleaned by Trend Micro pattern file #794 and above.