
W32/Netsky.e@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 03/01/2004
Length: 24,480 (Petite packed)
Minimum DAT: 4328 (02/25/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 03/01/2004
Description Modified: 03/01/2004 8:11 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

A new variant of W32/Netsky@MM has been received. It is detected and repaired as W32/Netsky.c@MM by the 4328 DATs and higher, provided that scanning of compressed files is enabled (the worm may arrive inside a ZIP attachment, see the note below, so a scanner that skips archives will miss it in mail).

This virus spreads via email: it sends itself to addresses harvested from the victim's machine. It also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: Constructed from strings carried within the worm.

Note: initial investigation indicates that the worm may email itself either as a binary or as a binary within a ZIP file. This will be updated when analysis is complete.

The mailing component harvests addresses from the local system. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .msg
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

It does not send itself to addresses that contain one of the following strings. The list is matched as plain substrings; the leading letter of vendor names is apparently dropped ("orton", "ymantec", "icrosoft") so that a case-sensitive comparison still catches both the capitalised and the lower-case spelling:

  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • skynet
  • spam
  • messagelabs
  • ymantec
  • antivi
  • icrosoft

The worm sends itself over SMTP using its own SMTP engine. It queries a DNS server for the MX record of each target domain, connects directly to that domain's MTA and delivers the message, bypassing the local mail server entirely. On the network this shows up as workstations opening outbound TCP port 25 connections to arbitrary external hosts, something an egress filter should only permit from the organisation's own mail relays.

System changes
The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS or C:\WINNT) using the filename WINLOGON.EXE:

  • C:\WINNT\WINLOGON.EXE (24,480 bytes)

Note: a legitimate WINLOGON.EXE exists in the Windows System directory (e.g. C:\WINNT\SYSTEM32). The worm's copy sits one level up, directly in %WinDir%; do not remove the legitimate file.

A Registry value is created under the Run key to load the worm at system start:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

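The following is an added example (my own, not McAfee's tooling) of how to triage Run-key entries for this persistence pattern. It parses a constructed dump in the format that `reg query` prints for the Run key and flags any value whose command launches a file named like a core Windows binary (WINLOGON.EXE among them) from a directory other than System32, as well as the value name "ICQ Net" documented above. The system root path, the list of protected binary names and the sample dump are assumptions made for the example.

```python
r"""Triage Run-key entries for a masquerading WINLOGON.EXE.

Added example for this description (not McAfee tooling).  It parses the text
that `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints and
flags entries that launch a file named like a core Windows binary from any
directory other than System32, plus the value name "ICQ Net" documented for
this worm.
"""
import ntpath
import re

# One reg query data line:  <indent><value name>  <REG_TYPE>  <data>
REG_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Executable path at the start of a Run command, quoted or not; arguments ignored
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

# Assumptions for the example: binaries that only belong in System32, and the
# value name this description documents for the worm's autostart entry.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe"}
KNOWN_VALUE_NAMES = {"icq net"}

# Constructed reg query output: two ordinary entries and the worm's entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    TkBellExe    REG_SZ    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    ICQ Net    REG_SZ    C:\WINNT\WINLOGON.EXE -stealth
"""


def parse_reg_query(text):
    """Return (key, value name, type, data) tuples from reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # unindented lines name the key
            key = line.strip()
            continue
        m = REG_LINE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"]))
    return entries


def command_image(data):
    """Executable path from a Run value's data, without quotes or arguments."""
    m = IMAGE_RE.match(data.strip())
    return m["path"] if m else data.strip()


def is_system_dir(directory, system_root=r"C:\WINNT"):
    """True when directory is the System32 folder under system_root."""
    wanted = ntpath.join(system_root, "System32")
    return ntpath.normcase(directory) == ntpath.normcase(wanted)


def find_suspicious(entries, system_root=r"C:\WINNT"):
    """Return (key, name, image path, reasons) for entries worth a look."""
    findings = []
    for key, name, _type, data in entries:
        image = command_image(data)
        directory, base = ntpath.split(image)
        reasons = []
        if base.lower() in SYSTEM_BINARIES and not is_system_dir(directory, system_root):
            reasons.append(f"{base} started from {directory or '<no path>'} rather than System32")
        if name.lower() in KNOWN_VALUE_NAMES:
            reasons.append(f"value name {name!r} is documented for W32/Netsky.e@MM")
        if reasons:
            findings.append((key, name, image, reasons))
    return findings


if __name__ == "__main__":
    for key, name, image, reasons in find_suspicious(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\n  {name} -> {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The location check is the durable part: a later variant can rename its Run value, but a copy of winlogon.exe that is not in System32 stays wrong. Feed the script the real output of `reg query` on a suspect host (both HKLM and HKCU Run keys) and pass the machine's actual %SystemRoot% as `system_root`.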
Virus removal
The worm removes various Registry values. Some of these are associated with other viruses and trojans; others belong to legitimate applications, which may therefore stop starting automatically after infection.

The following registry values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Symptoms

  • Existence of the files and registry entries described above
  • Unexpected network traffic (outbound SMTP connections made directly to remote MX hosts)
  • Outgoing DNS queries sent to one of the following hard-coded DNS server addresses instead of the local resolver:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16
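As an added example (not part of the McAfee description), the script below applies two of the symptoms listed above, and the direct-to-MX behaviour described under Mail propagation, to firewall log lines: DNS traffic sent to the worm's hard-coded name servers rather than the site's own resolvers, and outbound TCP/25 from hosts that are not the mail relays. The log format, the internal network range, the resolver and relay addresses and the log lines themselves are constructed for the example; the server list is the one given in this description.

```python
"""Flag Netsky-style mass-mailer traffic in firewall logs.

Added example, not part of the McAfee description.  Two signals from the
symptoms above: DNS queries sent to the worm's hard-coded name servers
instead of the site's resolvers, and direct-to-MX delivery, i.e. outbound
TCP/25 from hosts that are not the site's mail relays.  Log format, site
addresses and the sample lines are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Hard-coded DNS servers listed in the description.
NETSKY_DNS_SERVERS = {
    "145.253.2.171", "151.189.13.35", "193.141.40.42", "193.189.244.205",
    "193.193.144.12", "193.193.158.10", "194.25.2.129", "194.25.2.130",
    "194.25.2.131", "194.25.2.132", "194.25.2.133", "194.25.2.134",
    "195.185.185.195", "195.20.224.234", "212.185.252.136", "212.185.252.73",
    "212.185.253.70", "212.44.160.8", "212.7.128.162", "212.7.128.165",
    "213.191.74.19", "217.5.97.137", "62.155.255.16",
}

# Site-specific assumptions for the example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
AUTHORISED_RESOLVERS = {"10.0.0.53"}
MAIL_RELAYS = {"10.0.0.25"}

# Constructed log lines: "<timestamp> key=value ..." as a simple firewall export.
SAMPLE_LOG = """\
2004-03-01T10:12:03Z src=10.0.5.17 dst=194.25.2.129 proto=udp dport=53
2004-03-01T10:12:03Z src=10.0.5.17 dst=212.7.128.162 proto=udp dport=53
2004-03-01T10:12:04Z src=10.0.5.17 dst=198.51.100.20 proto=tcp dport=25
2004-03-01T10:12:04Z src=10.0.5.17 dst=203.0.113.9 proto=tcp dport=25
2004-03-01T10:12:05Z src=10.0.0.25 dst=198.51.100.20 proto=tcp dport=25
2004-03-01T10:12:06Z src=10.0.5.18 dst=10.0.0.53 proto=udp dport=53
2004-03-01T10:12:07Z src=10.0.5.18 dst=192.0.2.53 proto=udp dport=53
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one record into a dict; the leading token is the timestamp."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def classify(fields):
    """Return alert tags for one outbound record (empty list if benign)."""
    try:
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return []
    if src not in INTERNAL_NET:
        return []                       # only traffic leaving our hosts matters here
    dport, proto = fields.get("dport"), fields.get("proto", "").lower()
    tags = []
    if dport == "53":
        if fields["dst"] in NETSKY_DNS_SERVERS:
            tags.append("netsky-hardcoded-dns")
        elif fields["dst"] not in AUTHORISED_RESOLVERS and dst not in INTERNAL_NET:
            tags.append("dns-bypassing-resolver")
    if proto == "tcp" and dport == "25" and fields["src"] not in MAIL_RELAYS and dst not in INTERNAL_NET:
        tags.append("direct-to-mx")
    return tags


def scan(lines):
    """Aggregate tags per source host: {src: {tag: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = parse_line(line)
        for tag in classify(fields):
            hits[fields["src"]][tag] += 1
    return {host: dict(tags) for host, tags in hits.items()}


def suspected_netsky(hits):
    """Hosts showing both signals together, sorted for stable output."""
    return sorted(h for h, t in hits.items()
                  if "netsky-hardcoded-dns" in t and "direct-to-mx" in t)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, tags in sorted(hits.items()):
        print(host, tags)
    print("suspected W32/Netsky.e@MM hosts:", suspected_netsky(hits))
```

If the site's own resolver happens to be one of the listed addresses, the first rule will fire on legitimate traffic, so populate AUTHORISED_RESOLVERS from the real DHCP/DNS configuration before trusting it. The direct-to-MX rule is the more general signal: it catches any mass mailer with its own SMTP engine, not only this variant, and is the rule worth turning into a permanent egress block.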
Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
