Content

W32/Netsky.i@MM

Type
Virus
SubType
Internet Worm
Discovery Date
03/07/2004
Length
22,016 Bytes (PE-Pack)
Minimum DAT
4333 (03/03/2004)
Updated DAT
4994 (03/28/2007)
Minimum Engine
5.1.00
Description Added
03/07/2004
Description Modified
03/30/2004 5:48 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

This variant is very similar to W32/Netsky.h@MM .

This virus spreads via email. It sends itself to addresses found on the victim's machine.  The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).

Mail propagation
The virus may be received in an email message as follows:

From: service@(user's domain).com

Subject: 

  • Mail account expired
  • Mail account closed
  • Mail account deactivated

Body:

  • Your mail account expired. Please follow the link to reactivate.
  • Your mail account has been closed. Click on the link for further details.
  • Your mail account has been deactivated. To reactivate, follow the link.

Attachment:

  • The attachment name is as follows:

http://www.(user's domain).com/username/index.scr

Note:  This is a filename and is not a hyperlink.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • .dhtm
  • .cgi
  • .shtm
  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml
  • .[]-
  • ._-\/

  • It does not send itself to addresses that contain one of the following strings:

    • abuse
    • fbi
    • orton
    • f-pro
    • aspersky
    • cafee
    • orman
    • itdefender
    • f-secur
    • avp
    • skynet
    • spam
    • messagelabs
    • ymantec
    • antivi
    • icrosoft
    • iruslis
    • antivir
    • sophos
    • freeav
    • andasoftwa

    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename FOODING.EXE.

    • C:\%WinDir%\fooding.exe (22,016 bytes)

    Note: A valid file exists in the %Sysdir% directory.

    A Registry key is created to load the worm at system start.

    •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run
      "Antivirus" = %WinDir%\fooding.exe -antivirus service

    • Symptoms

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
    • 62.155.255.16

    • Method of Infection

    This worm spreads by email, constructing messages using its own SMTP engine

    Removal

    All Users:
    Use specified engine and DAT files for detection.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Characteristics

    Characteristics -

    A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

    This variant is very similar to W32/Netsky.h@MM .

    This virus spreads via email. It sends itself to addresses found on the victim's machine.  The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).

    Mail propagation
    The virus may be received in an email message as follows:

    From: service@(user's domain).com

    Subject: 

    • Mail account expired
    • Mail account closed
    • Mail account deactivated

    Body:

    • Your mail account expired. Please follow the link to reactivate.
    • Your mail account has been closed. Click on the link for further details.
    • Your mail account has been deactivated. To reactivate, follow the link.

    Attachment:

    • The attachment name is as follows:

    http://www.(user's domain).com/username/index.scr

    Note:  This is a filename and is not a hyperlink.

    The mailing component harvests address from the local system.  Files with the following extensions are targeted:

    • .dhtm
    • .cgi
    • .shtm
    • .msg
    • .oft
    • .sht
    • .dbx
    • .tbb
    • .adb
    • .doc
    • .wab
    • .asp
    • .uin
    • .rtf
    • .vbs
    • .html
    • .htm
    • .pl
    • .php
    • .txt
    • .eml
    • .[]-
    • ._-\/

  • It does not send itself to addresses that contain one of the following strings:

    • abuse
    • fbi
    • orton
    • f-pro
    • aspersky
    • cafee
    • orman
    • itdefender
    • f-secur
    • avp
    • skynet
    • spam
    • messagelabs
    • ymantec
    • antivi
    • icrosoft
    • iruslis
    • antivir
    • sophos
    • freeav
    • andasoftwa

    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename FOODING.EXE.

    • C:\%WinDir%\fooding.exe (22,016 bytes)

    Note: A valid file exists in the %Sysdir% directory.

    A Registry key is created to load the worm at system start.

    •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run
      "Antivirus" = %WinDir%\fooding.exe -antivirus service

    • Symptoms

    Symptoms -

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
    • 62.155.255.16

    • Method of Infection

    Method of Infection -

    This worm spreads by email, constructing messages using its own SMTP engine

    Removal -

    Removal -

    All Users:
    Use specified engine and DAT files for detection.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A