Content

W32/Netsky.j@MM

Type
Virus
SubType
E-mail worm
Discovery Date
03/08/2004
Length
22,016 bytes (tElock Packed)
Minimum DAT
4335 (03/08/2004)
Updated DAT
4994 (03/28/2007)
Minimum Engine
5.1.00
Description Added
03/08/2004
Description Modified
08/16/2004 12:47 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update August 16th, 2004 --
 The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update March 8, 2004 1:40pm PDT --
 The risk assessment of this threat was raised due to an increase in prevalence.

If you think that you may be infected with Netsky.j, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This is a repackaged version of W32/Netsky.d@MM .

This virus spreads via email. It sends itself to addresses found on the victim's machine.  The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: Taken from the following list:

  • Re: Hello
  • Re: Hi
  • Re: Thanks!
  • Re: Document
  • Re: Message
  • Re: Here
  • Re: Details
  • Re: Your details
  • Re: Approved
  • Re: Your document
  • Re: Your text
  • Re: Excel file
  • Re: Word file
  • Re: My details
  • Re: Your music
  • Re: Your bill
  • Re: Your letter
  • Re: Document
  • Re: Your website
  • Re: Your product
  • Re: Your document
  • Re: Your software
  • Re: Your archive
  • Re: Your picture
  • Re: Here is the document

Body: Taken from the following list:

  • Here is the file.
  • Your file is attached.
  • Your document is attached.
  • Please read the attached file.
  • Please have a look at the attached file.
  • See the attached file for details.

Attachment: filename taken from strings within worm, with a .PIF extension:

  • yours.pif
  • your_text.pif
  • your_bill.pif
  • mp3music.pif
  • document.pif
  • my_details.pif
  • your_file.pif
  • your_website.pif
  • your_product.pif
  • your_letter.pif
  • your_archive.pif
  • your_details.pif
  • document_word.pif
  • all_document.pif
  • application.pif
  • your_picture.pif
  • document_excel.pif
  • document_4351.pif
  • document_full.pif
  • message_part2.pif
  • your_document.pif
  • message_details.pif

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .msg
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

It does not send itself to addresses that contain one of the following strings:

  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • skynet
  • spam
  • messagelabs
  • ymantec
  • antivi
  • icrosoft

The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename WINLOGON.EXE.

  • C:\WINNT\WINLOGON.EXE (22,016 bytes)

Note: A valid file exists in the Windows System directory.

A Registry key is created to load the worm at system start.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

Virus removal
The virus removes various Registry values.  Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Symptoms

 

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16

    • Method of Infection

    This worm spreads by email, constructing messages using its own SMTP engine

    Removal

    All Users :
    Use specified     engine and DAT files (or later) for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Manual Removal Instructions
    To remove this virus "by hand", follow these steps:

    1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    2. Delete the file WINLOGON.EXE  from your WINDOWS directory (typically c:\windows or c:\winnt)
      NOTE: Do not delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory as that is a valid Windows system file.
    3. Edit the registry
      • Delete the "ICQ Net" value from
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
          Windows\CurrentVersion\Run
        • HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
          Windows\CurrentVersion\Run
    4. Reboot the system into Default Mode

    Stinger
         Stinger has been updated to assist in detecting and repairing this threat.

    Sniffer Technologies
    Sniffer Filters have been developed to filter DNS traffic sent by Netsky.d.   Sniffer Filters are available for Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst network analyzer. The filters for Netsky.c apply for Netsky.j as well.

    W32_Netsky.c@mm Sniffer Filters.zip

    McAfee Threatscan
    Detection of the     W32/Netsky.j@MM virus is available in the generic Netsky detection module.

    ThreatScan signatures that can detect the W32/Netsky.j@MM virus are available from:

    ThreatScan Signature version:  2004-03-01

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

    -or- 

    • Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:
    Run the "ThreatScan Template Report"
    Look for module number #4066

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • W32.Netsky.K@mm (Symantec)
    • W32/Netsky-J (Sophos)
    • W32/Netsky.J.worm (Panda)
    • W32/Netsky.J@mm (F-Secure)
    • WORM_NETSKY.J (Trend)

    Characteristics

    Characteristics -

    -- Update August 16th, 2004 --
     The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
    --

    -- Update March 8, 2004 1:40pm PDT --
     The risk assessment of this threat was raised due to an increase in prevalence.

    If you think that you may be infected with Netsky.j, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

    Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

    This is a repackaged version of W32/Netsky.d@MM .

    This virus spreads via email. It sends itself to addresses found on the victim's machine.  The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

    Mail propagation
    The virus may be received in an email message as follows:

    From: (forged address taken from infected system)
    Subject: Taken from the following list:

    • Re: Hello
    • Re: Hi
    • Re: Thanks!
    • Re: Document
    • Re: Message
    • Re: Here
    • Re: Details
    • Re: Your details
    • Re: Approved
    • Re: Your document
    • Re: Your text
    • Re: Excel file
    • Re: Word file
    • Re: My details
    • Re: Your music
    • Re: Your bill
    • Re: Your letter
    • Re: Document
    • Re: Your website
    • Re: Your product
    • Re: Your document
    • Re: Your software
    • Re: Your archive
    • Re: Your picture
    • Re: Here is the document

    Body: Taken from the following list:

    • Here is the file.
    • Your file is attached.
    • Your document is attached.
    • Please read the attached file.
    • Please have a look at the attached file.
    • See the attached file for details.

    Attachment: filename taken from strings within worm, with a .PIF extension:

    • yours.pif
    • your_text.pif
    • your_bill.pif
    • mp3music.pif
    • document.pif
    • my_details.pif
    • your_file.pif
    • your_website.pif
    • your_product.pif
    • your_letter.pif
    • your_archive.pif
    • your_details.pif
    • document_word.pif
    • all_document.pif
    • application.pif
    • your_picture.pif
    • document_excel.pif
    • document_4351.pif
    • document_full.pif
    • message_part2.pif
    • your_document.pif
    • message_details.pif

    The mailing component harvests address from the local system.  Files with the following extensions are targeted:

    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .msg
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab

    It does not send itself to addresses that contain one of the following strings:

    • abuse
    • fbi
    • orton
    • f-pro
    • aspersky
    • cafee
    • orman
    • itdefender
    • f-secur
    • avp
    • skynet
    • spam
    • messagelabs
    • ymantec
    • antivi
    • icrosoft

    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename WINLOGON.EXE.

    • C:\WINNT\WINLOGON.EXE (22,016 bytes)

    Note: A valid file exists in the Windows System directory.

    A Registry key is created to load the worm at system start.

    •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run
      "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

    Virus removal
    The virus removes various Registry values.  Some of these are associated with other viruses, trojans, and applications.

    The following registry key values are deleted:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "au.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "d3dupdate.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "Explorer"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "KasperskyAv"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "OLE"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "Taskmon"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "DELETE ME"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Explorer"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "KasperskyAv"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "msgsvr32"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Sentry"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "service"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "system."
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Run "Taskmon"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\RunServices "system."
    • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

    Symptoms

    Symptoms -

     

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16

    • Method of Infection

    Method of Infection -

    This worm spreads by email, constructing messages using its own SMTP engine

    Removal -

    Removal -

    All Users :
    Use specified     engine and DAT files (or later) for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Manual Removal Instructions
    To remove this virus "by hand", follow these steps:

    1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    2. Delete the file WINLOGON.EXE  from your WINDOWS directory (typically c:\windows or c:\winnt)
      NOTE: Do not delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory as that is a valid Windows system file.
    3. Edit the registry
      • Delete the "ICQ Net" value from
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
          Windows\CurrentVersion\Run
        • HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
          Windows\CurrentVersion\Run
    4. Reboot the system into Default Mode

    Stinger
         Stinger has been updated to assist in detecting and repairing this threat.

    Sniffer Technologies
    Sniffer Filters have been developed to filter DNS traffic sent by Netsky.d.   Sniffer Filters are available for Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst network analyzer. The filters for Netsky.c apply for Netsky.j as well.

    W32_Netsky.c@mm Sniffer Filters.zip

    McAfee Threatscan
    Detection of the     W32/Netsky.j@MM virus is available in the generic Netsky detection module.

    ThreatScan signatures that can detect the W32/Netsky.j@MM virus are available from:

    ThreatScan Signature version:  2004-03-01

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

    -or- 

    • Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:
    Run the "ThreatScan Template Report"
    Look for module number #4066

    Variants

    Variants -

      N/A