W32/Netsky.a@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 02/16/2004
Length: 21504 bytes
Minimum DAT: 4324 (02/17/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 02/16/2004
Description Modified: 02/17/2004 10:11 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a detection for a new network worm that spreads via email, sending itself to addresses found on the victim machine, and by copying itself to mapped network drives.

When executed, the worm copies itself into the %windir% folder using the filename SERVICES.EXE. It adds a key to the registry so that it is activated on system start:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" =
    C:\WINNT\services.exe -serv

Network propagation:

The worm copies itself to various directories on the local system and on mapped network drives. The filenames are hard-coded in the worm and chosen randomly:

  • doom2.doc.pif 
  • sex sex sex sex.doc.exe
  • rfc compilation.doc.exe
  • dictionary.doc.exe 
  • win longhorn.doc.exe   
  • e.book.doc.exe 
  • programming basics.doc.exe 
  • how to hack.doc.exe
  • max payne 2.crack.exe  
  • e-book.archive.doc.exe 
  • virii.scr  
  • nero.7.exe 
  • eminem - lick my pussy.mp3.pif 
  • cool screensaver.scr   
  • serial.txt.exe 
  • office_crack.exe   
  • hardcore porn.jpg.exe  
  • angels.pif 
  • porno.scr  
  • matrix.scr 
  • photoshop 9 crack.exe  
  • strippoker.exe 
  • dolly_buster.jpg.pif   
  • winxp_crack.exe
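
The registry entry and the drop-file list above are host-based indicators that can be checked offline against a registry export and a directory listing. The following script is an added example (not McAfee's code or part of this description); it parses text in `reg export` format for the worm's Run value and scans a list of (path, size) pairs for the hard-coded filenames and for a services.exe of the worm's length sitting directly in the Windows folder. The registry export, listing and sizes are constructed sample input, and the legitimate-file size for system32\services.exe is an assumption.

```python
import ntpath
import re

# Indicators taken from the description: the Run key the worm writes and the
# file length given in the header.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_LENGTH = 21504  # bytes

# Filenames the worm drops into local folders and mapped network drives.
DROP_NAMES = {
    "doom2.doc.pif", "sex sex sex sex.doc.exe", "rfc compilation.doc.exe",
    "dictionary.doc.exe", "win longhorn.doc.exe", "e.book.doc.exe",
    "programming basics.doc.exe", "how to hack.doc.exe", "max payne 2.crack.exe",
    "e-book.archive.doc.exe", "virii.scr", "nero.7.exe",
    "eminem - lick my pussy.mp3.pif", "cool screensaver.scr", "serial.txt.exe",
    "office_crack.exe", "hardcore porn.jpg.exe", "angels.pif", "porno.scr",
    "matrix.scr", "photoshop 9 crack.exe", "strippoker.exe",
    "dolly_buster.jpg.pif", "winxp_crack.exe",
}

# One value line of a .reg export: "name"="data"
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_run_key_indicators(reg_export: str) -> list:
    """Scan text in .reg export format and return Run values that match
    the worm's persistence entry ("service" = ...\\services.exe -serv)."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header names the key
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        # .reg files escape each backslash as "\\"; undo that for comparison.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == "service" and data.lower().endswith("services.exe -serv"):
            findings.append(f"{current_key}\\{name} = {data}")
    return findings


def find_dropped_files(listing, windir=r"C:\WINNT") -> list:
    """listing: iterable of (full_path, size_in_bytes) pairs, e.g. collected by
    walking local and mapped drives. Returns the paths that match the worm."""
    findings = []
    for path, size in listing:
        folder, name = ntpath.split(path)
        lname = name.lower()
        if lname in DROP_NAMES:
            findings.append(path)
        # The dropped copy is %windir%\services.exe at the worm's exact length;
        # the legitimate services.exe lives in system32, so that path is not flagged.
        elif lname == "services.exe" and folder.lower() == windir.lower() and size == WORM_LENGTH:
            findings.append(path)
    return findings


# Constructed sample input (not a capture from a real system).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"service"="C:\\WINNT\\services.exe -serv"
"Synchronization Manager"="mobsync.exe /logon"
'''

SAMPLE_LISTING = [
    (r"C:\WINNT\services.exe", 21504),
    (r"C:\WINNT\system32\services.exe", 102912),  # legitimate binary; size is an assumption
    (r"C:\Shared\dictionary.doc.exe", 21504),
    (r"Z:\public\matrix.scr", 21504),
    (r"C:\Documents and Settings\alice\notes.txt", 512),
]

if __name__ == "__main__":
    for hit in find_run_key_indicators(SAMPLE_REG_EXPORT) + find_dropped_files(SAMPLE_LISTING):
        print("Netsky.A indicator:", hit)
```

On a live system the registry text would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the listing from a directory walk; matching on the exact length keeps a renamed or patched copy of the real services.exe from producing a false positive on the Windows folder check.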

Mail propagation:   

The mailing component harvests addresses from the local system. Files with the following extensions are searched:

  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml

The sender address is randomly taken from one of these addresses:

  • auctions@msn.com
  • auctions@yahoo.com
  • responder@amazon.com
  • responder@ebay.com
  • responder@qxl.com
  • responder@yahoo.com

Infected email may look like this:

The name of the email attachment is randomly selected from a hardcoded list of strings:

  • prod_info_55761.rtf.exe
  • prod_info_65642.rtf.scr
  • prod_info_33543.rtf.scr
  • prod_info_56474.txt.exe
  • prod_info_33325.txt.exe
  • prod_info_77256.txt.scr
  • prod_info_34157.htm.exe
  • prod_info_87968.htm.scr
  • prod_info_43859.htm.scr
  • prod_info_56780.doc.exe
  • prod_info_43631.doc.exe
  • prod_info_47532.doc.scr
  • prod_info_54433.doc.exe
  • prod_info_42314.pif
  • prod_info_54235.scr
  • prod_info_49146.exe
  • prod_info_33967.cmd
  • prod_info_42818.pif
  • prod_info_54739.scr
  • prod_info_04650.bat
  • prod_info_49541.exe
  • prod_info_33462.cmd
  • prod_info_42313.pif
  • prod_info_54234.scr
  • prod_info_04155.bat

It can also spread in .ZIP attachments. In this case it uses one of the filenames mentioned above, creates a ZIP archive in the %windir% folder and attaches it to the mail. The generated ZIP files are not removed from the %windir% folder after the mail has been sent. The file size of the ZIP attachments is between 21504 and 21648 bytes.

Finally, the virus sends itself via SMTP, constructing messages with its own SMTP engine. It queries the DNS server for the MX record, connects directly to the MTA of the targeted domain and submits the mail.
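
The mail characteristics above (spoofed sender list, the prod_info_* attachment names with their double extensions, the ZIP size range) and the direct-to-MX delivery can each be turned into a check on the defender's side. The script below is an added example (not McAfee's code or part of this description): it classifies parsed messages against those indicators and flags hosts that open port-25 connections to anything other than the organisation's own relay, which is what a workstation running its own SMTP engine looks like in flow data. The sample messages, flow records and host names are constructed; the attachment name pattern is derived from the list above rather than taken from the worm's code.

```python
import re
from email import utils
from email.message import EmailMessage

# Sender addresses listed in the description.
SPOOFED_SENDERS = {
    "auctions@msn.com", "auctions@yahoo.com", "responder@amazon.com",
    "responder@ebay.com", "responder@qxl.com", "responder@yahoo.com",
}
# Generalises the prod_info_NNNNN list: optional document extension, then an
# executable extension. Derived from the page's list, not from the worm itself.
ATTACHMENT_NAME = re.compile(
    r"^prod_info_\d{5}(?:\.(?:rtf|txt|htm|doc))?\.(?:exe|scr|pif|cmd|bat)$", re.IGNORECASE)
ZIP_SIZE = (21504, 21648)  # byte range of the ZIP attachments per the description


def classify_message(msg: EmailMessage) -> list:
    """Return the indicators found in one parsed message (empty list if none)."""
    reasons = []
    sender = utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in SPOOFED_SENDERS:
        reasons.append(f"spoofed sender {sender}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ATTACHMENT_NAME.match(name):
            reasons.append(f"attachment name {name} matches the worm's list")
        elif name.lower().endswith(".zip") and ZIP_SIZE[0] <= len(payload) <= ZIP_SIZE[1]:
            reasons.append(f"ZIP attachment {name} of {len(payload)} bytes is in the worm's size range")
    return reasons


def flag_direct_smtp(flows, relay: str) -> list:
    """flows: iterable of (src_host, dst_host, dst_port). Any host other than the
    approved relay that connects to port 25 somewhere other than that relay is
    delivering mail with its own SMTP engine, as this worm does."""
    return sorted({src for src, dst, port in flows
                   if port == 25 and src != relay and dst != relay})


def _sample(sender, filename, payload, maintype, subtype):
    """Build a constructed message with one attachment for the demonstration."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg


# Constructed samples; none of the payloads is real malware.
SAMPLES = {
    "exe": _sample("responder@ebay.com", "prod_info_55761.rtf.exe",
                   b"MZ" + b"\0" * 64, "application", "octet-stream"),
    "zip": _sample("auctions@msn.com", "info.zip",
                   b"PK" + b"\0" * 21598, "application", "zip"),   # 21600 bytes
    "benign": _sample("colleague@example.org", "report.pdf",
                      b"%PDF-1.4 constructed", "application", "pdf"),
}

# Constructed flow records: (source host, destination host, destination port).
SAMPLE_FLOWS = [
    ("ws-017", "mail.example.org", 25),   # normal: workstation to the relay
    ("ws-017", "mx1.example.net", 25),    # suspicious: workstation straight to an external MX
    ("ws-023", "www.example.net", 80),
    ("mail.example.org", "mx1.example.net", 25),  # normal: the relay itself
]

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", classify_message(msg) or "clean")
    print("hosts bypassing the relay:", flag_direct_smtp(SAMPLE_FLOWS, "mail.example.org"))
```

The message check deliberately does not require all indicators at once: a spoofed sender alone is worth a look, and a ZIP in the 21504 to 21648 byte range with any name is the case the description singles out. The flow check is the one that catches the worm regardless of how the mail is dressed up, since the description states it never goes through the local mail server.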

Symptoms

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic

Method of Infection

This worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives, if available. It does not scan for open shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Netsky.A.worm (Panda)
