W32/Netsky.l@MM
Type: Virus
SubType: (none)
Discovery Date: 03/10/2004
Length: 16,896 bytes
Minimum DAT: 4328 (02/25/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 03/10/2004
Description Modified: 03/10/2004 11:37 AM (PT)
Characteristics
This is a mass-mailing worm. It is detected as W32/Netsky.gen@MM by the 4328 DATs when scanning of compressed files is enabled.
Mail propagation
The virus may be received in an email message as follows:
From:
(forged; taken from addresses found on the infected system)
Subject:
(Taken from the following list)
- Re: Important
- Re: Your document
- Re: Your details
- Re: Approved
Body: (Taken from the following list)
- Your file is attached.
- Please read the document.
- Your document is attached.
- Please read the attached file.
- Please see the attached file for details.
Attachment: (Taken from the following list)
- your_file_%s.pif
- details_%s.pif
- document_%s.pif
- %s.pif
(Where %s will be replaced with the portion of the recipient's email address before the @ - e.g. if the email address in the To: field is user@mail.com, %s would be replaced with the string "user".)
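The lure above is specific enough to match on at the mail gateway. The following Python is an added example, not McAfee's code or part of the original description: it builds a constructed message in the worm's format and then checks a raw RFC 822 message for the four traits the description gives (the subject list, the body list, an attachment name derived from the recipient's local part, and the 16,896-byte attachment size). The sender address, recipient and attachment bytes are constructed placeholders; the attachment is inert filler, not the worm.

```python
"""Gateway-style check for the W32/Netsky.l@MM mail format (added example)."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Lure strings exactly as given in the description.
SUBJECTS = {"Re: Important", "Re: Your document", "Re: Your details", "Re: Approved"}
BODIES = {
    "Your file is attached.",
    "Please read the document.",
    "Your document is attached.",
    "Please read the attached file.",
    "Please see the attached file for details.",
}
ATTACHMENT_TEMPLATES = ("your_file_%s.pif", "details_%s.pif", "document_%s.pif", "%s.pif")
WORM_SIZE = 16896  # bytes, per the description


def local_part(header: str) -> str:
    """'User <user@mail.com>' -> 'user' (the text before the @)."""
    _, addr = parseaddr(header or "")
    return addr.partition("@")[0]


def expected_attachment_names(to_header: str) -> set:
    """The four attachment names the worm would use for this recipient."""
    user = local_part(to_header)
    if not user:
        return set()
    return {t.replace("%s", user).lower() for t in ATTACHMENT_TEMPLATES}


def netsky_l_indicators(raw: str) -> dict:
    """Report which of the described traits a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    names = expected_attachment_names(msg.get("To", ""))
    hits = {
        "subject": msg.get("Subject", "").strip() in SUBJECTS,
        "body": False,
        "pif_attachment": False,   # any .pif attachment is worth blocking regardless of name
        "attachment_name": False,  # name derived from the recipient, as the worm does
        "attachment_size": False,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            if part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True).decode("utf-8", "replace").strip()
                hits["body"] = hits["body"] or text in BODIES
            continue
        filename = filename.lower()
        hits["pif_attachment"] = hits["pif_attachment"] or filename.endswith(".pif")
        if filename in names:
            hits["attachment_name"] = True
            payload = part.get_payload(decode=True) or b""
            hits["attachment_size"] = hits["attachment_size"] or len(payload) == WORM_SIZE
    # The recipient-derived attachment name plus a listed subject or body is the signature.
    hits["verdict"] = hits["attachment_name"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(to_addr: str, attachment_size: int = WORM_SIZE) -> str:
    """Constructed message in the worm's format; the attachment is zero-filled, not the worm."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.org"  # constructed; the worm forges a harvested address
    msg["To"] = to_addr
    msg["Subject"] = "Re: Your document"
    msg.set_content("Your document is attached.")
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename=f"document_{local_part(to_addr)}.pif")
    return msg.as_string()


if __name__ == "__main__":
    print(netsky_l_indicators(build_sample("User <user@mail.com>")))
```

The size check is the least forgeable of the four traits, so a gateway rule should weight it above the subject and body strings, which any later variant can change; a .pif attachment of any name is reason enough to quarantine on most networks.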
The mailing component harvests email addresses from files on the local system. Files with the following extensions are searched:
- .adb
- .asp
- .cgi
- .dbx
- .dhtm
- .doc
- .eml
- .htm
- .html
- .jsp
- .msg
- .oft
- .php
- .pl
- .rtf
- .sht
- .shtm
- .tbb
- .txt
- .uin
- .vbs
- .wab
- .wsh
- .xml
The worm sends itself via SMTP using its own SMTP engine. For each target address it queries DNS for the recipient domain's MX record, connects directly to that domain's mail exchanger and delivers the message itself, rather than relaying through the local mail server.
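Direct-to-MX delivery is the trait that makes this family visible at the network edge: a workstation that opens TCP/25 to many different remote mail exchangers is behaving like a mail server, which it should not be. The Python below is an added example, not part of the original description: it reads constructed firewall log lines in a hypothetical key=value format and reports every non-relay host that spoke SMTP, separating out those fanning out to several distinct MTAs. The relay address 10.0.0.25, the log format and the fan-out threshold are assumptions.

```python
"""Spot workstations talking SMTP directly to remote mail exchangers (added example)."""
import re
from collections import defaultdict

# Hypothetical: the only host allowed to reach the Internet on TCP/25 is the site relay.
ALLOWED_RELAYS = {"10.0.0.25"}
# A single host delivering to this many distinct MTAs is fanning out like a mass mailer.
FANOUT_THRESHOLD = 3

# Constructed firewall log lines in a hypothetical key=value format (not real traffic).
SAMPLE_LOG = """\
2004-03-10T09:00:01 action=allow proto=tcp src=10.0.0.25 dst=203.0.113.10 dport=25
2004-03-10T09:00:02 action=allow proto=tcp src=10.0.0.25 dst=203.0.113.20 dport=25
2004-03-10T09:00:02 action=allow proto=tcp src=10.0.0.25 dst=203.0.113.30 dport=25
2004-03-10T09:00:03 action=allow proto=udp src=10.0.5.17 dst=10.0.0.53 dport=53
2004-03-10T09:00:04 action=allow proto=tcp src=10.0.5.17 dst=198.51.100.7 dport=25
2004-03-10T09:00:04 action=allow proto=tcp src=10.0.5.17 dst=198.51.100.8 dport=25
2004-03-10T09:00:05 action=allow proto=tcp src=10.0.5.17 dst=203.0.113.99 dport=25
2004-03-10T09:00:05 action=allow proto=tcp src=10.0.5.17 dst=198.51.100.7 dport=25
2004-03-10T09:00:06 action=allow proto=tcp src=10.0.5.17 dst=192.0.2.44 dport=25
2004-03-10T09:00:07 action=allow proto=tcp src=10.0.5.30 dst=192.0.2.9 dport=25
2004-03-10T09:00:08 action=allow proto=tcp src=10.0.5.30 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def smtp_egress_report(log_text: str, allowed_relays=ALLOWED_RELAYS,
                       threshold: int = FANOUT_THRESHOLD) -> dict:
    """Group outbound TCP/25 connections by source host.

    unauthorised: {src: [dst, ...]} for every non-relay host that spoke SMTP at all,
                  a policy violation on its own because workstations should use the relay.
    fanout:       the subset that reached `threshold` or more distinct MTAs, which is the
                  direct-to-MX pattern of a worm carrying its own SMTP engine.
    """
    by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] != "25":
            continue
        if m["src"] in allowed_relays:
            continue
        by_source[m["src"]].add(m["dst"])
    unauthorised = {src: sorted(dsts) for src, dsts in by_source.items()}
    fanout = {src: dsts for src, dsts in unauthorised.items() if len(dsts) >= threshold}
    return {"unauthorised": unauthorised, "fanout": fanout}


if __name__ == "__main__":
    report = smtp_egress_report(SAMPLE_LOG)
    for src, dsts in report["fanout"].items():
        print(f"{src}: direct SMTP to {len(dsts)} distinct mail exchangers {dsts}")
```

The egress rule itself is the control: permit TCP/25 to the Internet only from the relay and log everything else, so an infected host fails to deliver and the denied connections identify it for cleaning.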
System changes
The worm copies itself into the %WinDir% folder (C:\WINDOWS on Windows 9x/ME/XP, C:\WINNT on Windows NT/2000) using the filename AVPROTECT.EXE, for example:
- C:\WINNT\AVPROTECT.EXE (16,896 bytes)
A Registry Run value is created so that the worm is loaded at system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "HtProtect" = %WinDir%\AVPROTECT.EXE
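The file name, file size and Run value above form a complete host-side indicator set. As an added example (not McAfee's removal procedure), the Python below parses a constructed .reg export of the Run key, picks out values named HtProtect or pointing at AVPROTECT.EXE, and compares the image's size against the 16,896 bytes given. The registry export text, the neighbouring SoundMan entry and the file-size snapshot are constructed; on a live host the snapshot would come from os.path.getsize on each image path.

```python
"""Check a Run-key export and file sizes for the W32/Netsky.l@MM persistence (added example)."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "HtProtect"
IOC_FILENAME = "AVPROTECT.EXE"
IOC_SIZE = 16896

# Constructed .reg export (the shape `reg export <key> file.reg` produces, as plain text).
# The "SoundMan" entry is a constructed benign neighbour to show the filter is selective.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HtProtect"="C:\\WINNT\\AVPROTECT.EXE"
"SoundMan"="\"C:\\Program Files\\Sound\\SOUNDMAN.EXE\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""
# Constructed stand-in for os.path.getsize() results on the infected host.
SAMPLE_SIZES = {r"C:\WINNT\AVPROTECT.EXE": 16896}

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text: str) -> dict:
    """{key: {value_name: string_data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslash and double quote with a backslash
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            # dword:/hex: values are not needed for this check and are skipped
    return keys


def image_path(command: str) -> str:
    """Executable path from a Run value: strips surrounding quotes and any arguments.

    An unquoted path containing spaces is ambiguous and is cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def netsky_l_persistence(reg_text: str, file_sizes: dict) -> list:
    """Run values whose name or image matches the indicators, with a file-size check.

    `file_sizes` maps full path -> size in bytes; here a constructed snapshot is used
    so the check runs offline."""
    sizes = {path.upper(): size for path, size in file_sizes.items()}
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, command in run_values.items():
        path = image_path(command)
        if name == IOC_VALUE_NAME or ntpath.basename(path).upper() == IOC_FILENAME:
            findings.append({
                "value": name,
                "path": path,
                "size_match": sizes.get(path.upper()) == IOC_SIZE,
            })
    return findings


if __name__ == "__main__":
    for finding in netsky_l_persistence(SAMPLE_REG, SAMPLE_SIZES):
        print(finding)
```

Names are the weak half of the indicator, since anything can register itself as HtProtect or call its image AVPROTECT.EXE; the size check narrows the match, and a hash of the file (not given on this page) would settle it.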
Symptoms
The presence of the file and Registry value described above, and outbound connections to the following IP addresses:
- 137.189.6.1
- 168.160.212.8
- 202.99.104.68
- 194.2.229.10
- 163.121.199.3
- 81.26.161.16
- 62.32.50.204
- 133.9.220.117
- 202.30.64.5
- 61.100.23.164
- 195.112.195.34
- 217.117.203.2
- 194.85.8.220
- 137.132.19.110
- 194.209.114.1
- 140.117.100.120
- 210.66.241.1
- 192.150.249.10
- 202.44.144.33
- 12.82.159.180
- 200.74.214.246
- 203.162.0.11
- 203.81.44.47
- 211.169.245.170
- 195.161.113.189
Method of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.