W32.Netsky.Q@mm

Discussion in 'malware problems & news' started by Marianna, Mar 21, 2004.

Thread Status:
Not open for further replies.
Marianna:
    Discovered on: March 21, 2004
    Last Updated on: March 21, 2004 01:57:08 PM

    W32.Netsky.Q@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and the subject line and message body of the email vary. The attachment name varies and has a .exe, .pif, .scr, or .zip file extension.

    The worm also tries to spread itself via various file-sharing methods by copying itself into directories with enticing filenames.

    This threat is compressed with FSG.
    --------------------------------------------------------------------------------
    Note:
    Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
    The worm executable has a static MD5 hash value of 0x0A9FFA57D65083C92E0D3D69B00F2F0D.

    --------------------------------------------------------------------------------


    Also Known As: W32/Netsky.p@MM [McAfee]

    Type: Worm

    When W32.Netsky.Q@mm runs, it does the following:


    Creates a mutex "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to allow only one instance of the worm to execute.


    Copies itself as %Windir%\FVProtect.exe.


    --------------------------------------------------------------------------------
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------


    Drops the following file:

    %Windir%\userconfig9x.dll

    This file is then loaded and executed by the worm. It has a static MD5 hash value of 0x3018E99857F31A59E0777396AE634A8F.

    Creates the following files:


    %Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
    %Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of worm in zip archive
    %Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of worm in zip archive
    %Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of worm in zip archive
    %Windir%\zipped.tmp (29,834 bytes): Worm in zip archive


    Adds the value:

    "Norton Antivirus AV"="%Windir%\FVProtect.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.


    Deletes these values:

    Explorer
    system.
    msgsvr32
    winupd.exe
    direct.exe
    jijbl
    service
    Sentry

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Deletes the values:

    system.
    Video

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


    Deletes these values:

    Explorer
    au.exe
    direct.exe
    d3dupdate.exe
    OLE
    gouday.exe
    rate.exe
    Taskmon
    Windows Services Host
    sysmon.exe
    srate.exe
    ssate.exe
    winupd.exe

    from the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Deletes the following subkeys:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
    HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


    Retrieves email addresses from the files with these extensions on drives C to Z:

    .adb
    .asp
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .html
    .jsp
    .msg
    .oft
    .php
    .pl
    .rtf
    .sht
    .shtm
    .tbb
    .txt
    .uin
    .vbs
    .wab
    .wsh
    .xml


    Uses its own SMTP engine to send itself to the email addresses it finds.

    The email has the following characteristics:

    From: <Spoofed>

    Subject: The subject line is one of the following:

    Re: Encrypted Mail
    Re: Extended Mail
    Re: Status
    Re: Notify
    Re: SMTP Server
    Re: Mail Server
    Re: Delivery Server
    Re: Bad Request
    Re: Failure
    Re: Thank you for delivery
    Re: Test
    Re: Administration
    Re: Message Error
    Re: Error
    Re: Extended Mail System
    Re: Secure SMTP Message
    Re: Protected Mail Request
    Re: Protected Mail System
    Re: Protected Mail Delivery
    Re: Secure delivery
    Re: Delivery Protection
    Re: Mail Authentification


    The worm avoids sending to the email addresses that contain any of the following strings:

    "@microsof"
    "@antivi"
    "@symantec"
    "@spam"
    "@avp"
    "@f-secur"
    "@bitdefender"
    "@norman"
    "@mcafee"
    "@kaspersky"
    "@f-pro"
    "@norton"
    "@fbi"
    "abuse@"
    "@messagel"
    "@skynet"
    "@pandasof"
    "@freeav"
    "@sophos"
    "ntivir"
    "@viruslis"
    "noreply@"
    "spam@"
    "reports@"

    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.q@mm.html
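The indicators quoted in the post above (file names, registry Run value, the two MD5 hashes, the subject-line list and the .exe/.pif/.scr/.zip attachment extensions) are enough to build a small mail-gateway and host triage check. The following Python is an added example written for this thread; it is not code from the post, from Symantec or from the worm. The sample email it builds is constructed (the zipped "document.exe" is inert filler, not the worm, so only the heuristic indicators fire; a real sample would also match the published MD5), and the host-triage function takes an already-collected listing of Run values and %Windir% file hashes rather than reading a live registry:

```python
"""Triage helpers for the W32.Netsky.Q@mm indicators quoted above (added example)."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text in the post.
WORM_EXE_MD5 = "0a9ffa57d65083c92e0d3d69b00f2f0d"   # FVProtect.exe
WORM_DLL_MD5 = "3018e99857f31a59e0777396ae634a8f"   # userconfig9x.dll
KNOWN_MD5S = {WORM_EXE_MD5, WORM_DLL_MD5}
RUN_VALUE_NAME = "Norton Antivirus AV"               # HKLM\...\CurrentVersion\Run
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
                 "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}
SUBJECTS = {s.lower() for s in (
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify",
    "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server", "Re: Bad Request",
    "Re: Failure", "Re: Thank you for delivery", "Re: Test", "Re: Administration",
    "Re: Message Error", "Re: Error", "Re: Extended Mail System",
    "Re: Secure SMTP Message", "Re: Protected Mail Request",
    "Re: Protected Mail System", "Re: Protected Mail Delivery", "Re: Secure delivery",
    "Re: Delivery Protection", "Re: Mail Authentification")}
ATTACH_EXTS = (".exe", ".pif", ".scr", ".zip")
INNER_EXTS = (".exe", ".pif", ".scr")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a Netsky.Q carrier (empty if none)."""
    reasons = []
    lname = name.lower()
    if lname.endswith(ATTACH_EXTS):
        reasons.append(f"attachment extension .{lname.rsplit('.', 1)[-1]}")
    if md5_hex(data) in KNOWN_MD5S:
        reasons.append("MD5 matches published worm hash")
    if lname.endswith(".zip"):
        # The worm also mails itself inside a zip; look at the members, not just the wrapper.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(INNER_EXTS):
                        reasons.append(f"zip contains executable {info.filename}")
                    if md5_hex(zf.read(info)) in KNOWN_MD5S:
                        reasons.append("zip member MD5 matches published worm hash")
        except zipfile.BadZipFile:
            reasons.append("zip attachment is corrupt")
    return reasons


def classify_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message: 'confirmed' on a hash hit, 'suspicious' on two heuristics."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    hits = []
    if subject.lower() in SUBJECTS:
        hits.append(f"subject {subject!r} is in the worm's list")
    for part in msg.iter_attachments():
        hits += check_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
    if any("published worm hash" in h for h in hits):
        verdict = "confirmed"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "hits": hits, "verdict": verdict}


def triage_host(run_values: dict[str, str], windir_files: dict[str, str]) -> list[str]:
    """Match collected Run values (name -> command) and %Windir% files (name -> md5) against the IOCs."""
    findings = []
    for name, cmd in run_values.items():
        if name == RUN_VALUE_NAME or cmd.lower().endswith("fvprotect.exe"):
            findings.append(f"Run value {name!r} -> {cmd}")
    for fname, digest in windir_files.items():
        if fname.lower() in DROPPED_FILES:
            findings.append(f"dropped file {fname}")
        if digest.lower() in KNOWN_MD5S:
            findings.append(f"{fname} has a published worm hash")
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the advisory's shape; the zipped payload is inert filler, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ" + b"\x00" * 64)  # constructed filler bytes
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"   # spoofed sender, as the advisory describes
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Protected Mail Delivery"
    msg.set_content("Your mail was encrypted; see attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample_message()))
    print(triage_host({"Norton Antivirus AV": r"C:\WINDOWS\FVProtect.exe"},
                      {"FVProtect.exe": WORM_EXE_MD5.upper()}))
```

Two things worth noting when using this: MD5 is fine here only as an exact-match indicator for a known, static sample, not as a general detection (any repack changes it, and the hashes are case-insensitive hex, hence the `.lower()`); and the subject list on its own is a weak signal, which is why a single hit stays "clean" and the verdict only rises when the attachment shape corroborates it.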