W32/Netsky.k@MM

Content

W32/Netsky.k@MM

Type: Virus
SubType: E-mail
Discovery Date: 03/08/2004
Length: 27,648 bytes
Minimum DAT: 4336 (03/10/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 03/08/2004
Description Modified: 03/10/2004 7:01 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

A new variant of W32/Netsky@MM has been received which has been repackaged using tElock packer.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

Hi
Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www.%s.tripod.com
Hi Mr. %s
Moi %s
He %s
Yours faithfully, %s
Message to %s
Hi Mrs. %s
Is %s.doc yours?
Is %s.xls yours?
Whats up %s
www.paypal.com/%s
%s
Na %s
Best %s
Love %s
Good morning %s
Have a good day %s
Dear %s
To %s , it's me
Welcome %s
Moin %s
Hello %s
Your account %s is expired!
Hey %s
Hi %s
www.%s.freepage.com, your website
Hi %s, your product
Hello %s, your letter
Re: Hi %s, your archive
Re: %s, your text
Re: Hello %s, your bill
Re: Hi %s, your details
Re: Hello %s, my details
Re: Hi %s, your word file
Re: Hello %s, your excel file
Re: Hi %s, details
Re: Hello %s, Approved
Re: Hello %s, your software
Re: Hi %s, your music
Re: Dear %s, Here
Re: Re: Re: Hello %s, your document
Re: Hi %s
Re: Dear %s, Hi
Re: Re: Hi %s, your message
Re: Here %s, your picture
Re: Hi %s, here is the document
Re: Hello %s, your document
Re: %s, thanks!
Re: Re: %s, thanks!
Re: Re: Hi %s, document
Re: Hello %s, document

(Where %s will be replaced with the portion of the recipient's email address before the @
- e.g. if the email address in the To: field is user@mail.com, %s would be replaced with the string "user".)

Body: (Taken from the following list)

Here is the file. My password is %i.

I have an interesting document about you.

I have corrected your document.

My details are in the attached file.

Note that I have attached your file.

Please do not forget to read the important document.

Please have a look at the attached file. Password for decrypting is %i.

Please read the attached file. Password for the file is %i.

Please read the document. It's important.

See the attached file for details. Password is %i.

See the attachment for further details.

The important document is attached.

The sample is attached.

Your document is attached to this mail.

Your document is attached. Your password is %i.

Your file is attached to this mail.

Your file is attached. Use this password for the file: %i .

Your personal document is attached.

(Where %i is a 5-digit random number)

Attachment: (Taken from the following list)

website_%s.pif

your_product_%s.pif

letter_%s.pif

archive%s.pif

your_text%s.pif

bill_%s.pif

your_details%s.pif

%s_details.pif

%s_document_word.pif

%s_document_excel.pif

%s_my_details.pif

%s_all_document.pif

%s_application.pif

mp3music_%s.pif

yours%s.pif

document_%s4351.pif

%s_picture.pif

%s_file.pif

%s_message_details.pif

yourpicture%s.pif

%s_document_full.pif

%s_your_message_part2.pif

%sinformation.pif

%sdocument.pif

%s_your_document.pif

(Where %s will be replaced with the portion of the recipient's email address before the @ )

The mailing component harvests address from the local system. Files with the following extensions are targeted:

.adb

.asp

.cgi

.dbx

.dhtm

.doc

.eml

.htm

.oft

.php

.pl

.rtf

.sht

.shtm

.msg

.tbb

.txt

.uin

.vbs

.wab

It does not send itself to addresses that contain one of the following strings:

abuse

andasoftwa

antivi

antivir

aspersky

automail

avp

cafee

fbi

f-pro

freeav

f-secur

icrosoft

iruslis

itdefender

messagelabs

noreply

orman

orton

responder

skynet

sophos

spam

ymantec

The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename AVPGUARD.EXE .

C:\WINNT\AVPGUARD.EXE (27,648 bytes)

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
"My AV" = %WinDir%\AVPGUARD.EXE -av serv

Virus removal
This virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "au.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "d3dupdate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Windows Services Host"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "OLE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "ssate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "srate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sysmon.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "rate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "gouday.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "DELETE ME"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Windows Services Host"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "msgsvr32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Sentry"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices "system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices "system"
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
WksPatch
KEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\PINF

This virus has a payload, where if the date is 10 May, 2004, it will beep randomly.

Symptoms

Existence of files and registry keys as mentioned above

Unexpected network traffic

Outgoing DNS queries to one of the following hard-coded IP addresses

199.5.157.128
195.185.185.195
151.189.13.35
204.57.55.100
193.189.244.205
145.253.2.171
193.141.40.42
195.117.6.25
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
199.166.31.3
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
199.166.29.3
212.185.252.73
199.166.28.10

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

W32.Netsky.J@mm (Symantec)

W32/Netsky-K (Sophos)

W32/Netsky.K.worm (PANDA)

Win32.Netsky.K (CA)

WORM_NETSKY.K (Trend)

Characteristics

Characteristics -

A new variant of W32/Netsky@MM has been received which has been repackaged using tElock packer.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

Hi
Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www.%s.tripod.com
Hi Mr. %s
Moi %s
He %s
Yours faithfully, %s
Message to %s
Hi Mrs. %s
Is %s.doc yours?
Is %s.xls yours?
Whats up %s
www.paypal.com/%s
%s
Na %s
Best %s
Love %s
Good morning %s
Have a good day %s
Dear %s
To %s , it's me
Welcome %s
Moin %s
Hello %s
Your account %s is expired!
Hey %s
Hi %s
www.%s.freepage.com, your website
Hi %s, your product
Hello %s, your letter
Re: Hi %s, your archive
Re: %s, your text
Re: Hello %s, your bill
Re: Hi %s, your details
Re: Hello %s, my details
Re: Hi %s, your word file
Re: Hello %s, your excel file
Re: Hi %s, details
Re: Hello %s, Approved
Re: Hello %s, your software
Re: Hi %s, your music
Re: Dear %s, Here
Re: Re: Re: Hello %s, your document
Re: Hi %s
Re: Dear %s, Hi
Re: Re: Hi %s, your message
Re: Here %s, your picture
Re: Hi %s, here is the document
Re: Hello %s, your document
Re: %s, thanks!
Re: Re: %s, thanks!
Re: Re: Hi %s, document
Re: Hello %s, document

(Where %s will be replaced with the portion of the recipient's email address before the @
- e.g. if the email address in the To: field is user@mail.com, %s would be replaced with the string "user".)

Body: (Taken from the following list)

Here is the file. My password is %i.

I have an interesting document about you.

I have corrected your document.

My details are in the attached file.

Note that I have attached your file.

Please do not forget to read the important document.

Please have a look at the attached file. Password for decrypting is %i.

Please read the attached file. Password for the file is %i.

Please read the document. It's important.

See the attached file for details. Password is %i.

See the attachment for further details.

The important document is attached.

The sample is attached.

Your document is attached to this mail.

Your document is attached. Your password is %i.

Your file is attached to this mail.

Your file is attached. Use this password for the file: %i .

Your personal document is attached.

(Where %i is a 5-digit random number)

Attachment: (Taken from the following list)

website_%s.pif

your_product_%s.pif

letter_%s.pif

archive%s.pif

your_text%s.pif

bill_%s.pif

your_details%s.pif

%s_details.pif

%s_document_word.pif

%s_document_excel.pif

%s_my_details.pif

%s_all_document.pif

%s_application.pif

mp3music_%s.pif

yours%s.pif

document_%s4351.pif

%s_picture.pif

%s_file.pif

%s_message_details.pif

yourpicture%s.pif

%s_document_full.pif

%s_your_message_part2.pif

%sinformation.pif

%sdocument.pif

%s_your_document.pif

(Where %s will be replaced with the portion of the recipient's email address before the @ )

The mailing component harvests address from the local system. Files with the following extensions are targeted:

.adb

.asp

.cgi

.dbx

.dhtm

.doc

.eml

.htm

.oft

.php

.pl

.rtf

.sht

.shtm

.msg

.tbb

.txt

.uin

.vbs

.wab

It does not send itself to addresses that contain one of the following strings:

abuse

andasoftwa

antivi

antivir

aspersky

automail

avp

cafee

fbi

f-pro

freeav

f-secur

icrosoft

iruslis

itdefender

messagelabs

noreply

orman

orton

responder

skynet

sophos

spam

ymantec

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename AVPGUARD.EXE .

C:\WINNT\AVPGUARD.EXE (27,648 bytes)

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
"My AV" = %WinDir%\AVPGUARD.EXE -av serv

Virus removal
This virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "au.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "d3dupdate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Windows Services Host"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "OLE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "ssate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "srate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sysmon.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "rate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "gouday.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "DELETE ME"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Explorer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Windows Services Host"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "msgsvr32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Sentry"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "Taskmon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices "system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices "system"
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
WksPatch
KEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\PINF

This virus has a payload, where if the date is 10 May, 2004, it will beep randomly.

Symptoms

Symptoms -

Existence of files and registry keys as mentioned above

Unexpected network traffic

Outgoing DNS queries to one of the following hard-coded IP addresses

199.5.157.128
195.185.185.195
151.189.13.35
204.57.55.100
193.189.244.205
145.253.2.171
193.141.40.42
195.117.6.25
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
199.166.31.3
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
199.166.29.3
212.185.252.73
199.166.28.10

Method of Infection

Method of Infection -

This worm spreads by email, constructing messages using its own SMTP engine

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

W32/Netsky.k@MM

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Aliases

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer