W32.Netsky.I@mm

Discussion in 'malware problems & news' started by Marianna, Mar 7, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Discovered on: March 07, 2004
    Last Updated on: March 07, 2004 12:32:01 PM

    W32.Netsky.I@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

    The Subject, Body, and Attachment vary.

    --------------------------------------------------------------------------------
    Note: Rapid Release definitions with a sequence number of 28389 or higher will detect this threat.
    --------------------------------------------------------------------------------

    Type: Worm
    Infection Length: 22016

    When W32.Netsky.I@mm is executed, it performs the following actions:

    1. Creates a mutex named "KO[SkyNet.cz]SystemsMutex". This mutex allows only one instance of the worm to execute.

    2. Copies itself to %Windir%\fooding.exe.

    --------------------------------------------------------------------------------
    Note: %Windir% is a variable. The W32.Netsky.I@mm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------

    3. Adds the value:

    "Tiny AV"="%Windir%\fooding.exe -antivirus service"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

    4. Deletes the values:

    Taskmon
    Explorer
    Windows Services Host
    from the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    --------------------------------------------------------------------------------
    Note: Some of these registry key values are typically associated with the worms W32.Mydoom.A@mm and W32.Mydoom.B@mm.
    --------------------------------------------------------------------------------

    5. Deletes the values:

    System.
    msgsvr32
    DELETE ME
    service
    Sentry
    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    6. Deletes the values:

    d3dupdate.exe
    au.exe
    OLE
    gouday.exe
    rate.exe
    sysmon.exe
    srate.exe
    ssate.exe
    sate.exe
    from the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    7. Deletes the registry keys:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch


    --------------------------------------------------------------------------------
    Note: The worms W32.Mydoom.A@mm and W32.Mydoom.B@mm add a value to the first key, so that explorer.exe loads their backdoor components.
    --------------------------------------------------------------------------------


    8. Scans the following file types on drives C through Z for email addresses:

    .dhtm
    .cgi
    .shtm
    .msg
    .oft
    .sht
    .dbx
    .tbb
    .adb
    .doc
    .wab
    .asp
    .uin
    .rtf
    .vbs
    .html
    .htm
    .pl
    .php
    .txt
    .eml

    9. Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once. The worm uses the local DNS server (retrieved via an API), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:

    10. The email has the following characteristics:
    Subject: (One of the following)

    Mail account expired
    Mail account closed
    Mail account deactivated

    Body: (One of the following)

    Your mail account expired. Please follow the link to reactivate.
    Your mail account has been closed. Click on the link for further details.
    Your mail account has been deactivated. To reactivate, follow the link.

    Attachment:

    http://www.yahoo.com/moobia/index.scr

    From:

    service@yahoo.com

    11. Avoids sending to email addresses that contain any of the following strings:

    iruslis
    antivir
    sophos
    freeav
    andasoftwa
    skynet
    messagelabs
    abuse
    fbi
    orton
    f-pro
    aspersky
    cafee
    orman
    itdefender
    f-secur
    avp
    spam
    ymantec
    antivi
    icrosoft

    http://www.symantec.com/avcenter/venc/data/w32.netsky.i@mm.html
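As an added triage example (not from the Symantec writeup or from the post above), the Python below parses a `reg export` of the Run keys and flags the "Tiny AV" value described in step 3, matching either the value name or the `fooding.exe -antivirus service` command line; the .reg text embedded in it is constructed.

```python
import re

# Constructed sample of a `reg export` of the two Run keys (not taken from the
# page); the "Tiny AV" entry mirrors the value the writeup says Netsky.I adds.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tiny AV"="C:\\WINDOWS\\fooding.exe -antivirus service"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

# Indicators from the writeup: the value name and the command line it points at.
NETSKY_I_VALUE_NAME = "tiny av"
NETSKY_I_COMMAND = re.compile(r"\\fooding\.exe\s+-antivirus\s+service\s*$", re.I)

# A REG_SZ line in a .reg file: "name"="data", with \\ and \" escapes inside.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:  # hex:/dword: values are not REG_SZ and are skipped here
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_netsky_i_persistence(keys):
    """List (key, value_name, data) Run entries matching the Netsky.I indicators."""
    hits = []
    for key, values in keys.items():
        if not key.upper().endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"):
            continue  # only the autorun keys named in the writeup are of interest
        for name, data in values.items():
            if name.lower() == NETSKY_I_VALUE_NAME or NETSKY_I_COMMAND.search(data):
                hits.append((key, name, data))
    return hits
```

A real export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and is normally UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `parse_reg_export`.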