W32/Netsky.n@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 03/15/2004
Length: Varies
Minimum DAT: 4339 (03/17/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 03/15/2004
Description Modified: 03/17/2004 5:03 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This mass-mailing worm is based on the source code of W32/Netsky. Analysis is ongoing.

Mail propagation

The virus may be received in an email message constructed as follows:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

Part 1 (one of the following)

  • Re:
  • Re: Re:

Part 2 (one of the following)

  • my
  • your
  • (blank)

Part 3 (one of the following)

  • read it immediately
  • important
  • improved
  • patched
  • corrected
  • approved
  • thanks!
  • hello
  • hi
  • here
  • document_all
  • text
  • message
  • data
  • excel document
  • word document
  • bill
  • screensaver
  • application
  • website
  • product
  • letter
  • information
  • details
  • file
  • document
  • important
  • approved

Body: (Taken from the following list)

  • Your details.
  • Your document.
  • I have received your document. The corrected document is attached.
  • I have attached your document.
  • Your document is attached to this mail.
  • Authentication required.
  • Requested file.
  • See the file.
  • Please read the important document.
  • Please confirm the document.
  • Your file is attached.
  • Please read the document.
  • Your document is attached.
  • Please read the attached file.
  • Please see the attached file for details.

Followed by:

  • --------------------------------------------
    (attachment_name) : No virus found
    Powered by the new Norton OnlineScan
    Get protected: www.symantec.com

Attachment: (Taken from the following list, followed by .ZIP, .PIF, .EXE, .SCR)

  • document_all_%s
  • text_%s
  • message_%s
  • data_%s
  • excel document_%s
  • word document_%s
  • bill_%s
  • screensaver_%s
  • application_%s
  • website_%s
  • product_%s
  • letter_%s
  • information_%s
  • details_%s
  • file_%s
  • document_%s
  • important_%s
  • approved_%s

(%s is replaced with the portion of the recipient's email address before the @; e.g. if the address in the To: field is user@mail.com, %s becomes the string "user". The "_" and the %s part may be omitted.)

The mailing component harvests addresses from the local system. Files with the following extensions are searched:

  • .xml
  • .wsh
  • .jsp
  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .dhtm
  • .cgi
  • .shtm
  • .uin
  • .rtf
  • .vbs
  • .doc
  • .wab
  • .asp
  • .php
  • .txt
  • .eml
  • .html
  • .htm
  • .pl

The virus sends itself via SMTP, constructing messages with its own SMTP engine: it queries the DNS server for the MX record of the recipient's domain, connects directly to that domain's MTA and delivers the message, so no local mail client or relay is involved.
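As an added example that is not part of the original description, the mail characteristics above (three-part subject, fake Norton OnlineScan footer, attachment stem plus recipient local part with a .ZIP/.PIF/.EXE/.SCR extension) can be turned into a message triage function. The sample message is constructed; joining the subject parts with single spaces and the three accepted attachment-name forms are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word lists transcribed from the description above (lower-cased for matching).
PART3 = {"read it immediately", "important", "improved", "patched", "corrected", "approved",
         "thanks!", "hello", "hi", "here", "document_all", "text", "message", "data",
         "excel document", "word document", "bill", "screensaver", "application",
         "website", "product", "letter", "information", "details", "file", "document"}
ATTACH_STEMS = PART3 - {"read it immediately", "improved", "patched", "corrected",
                        "thanks!", "hello", "hi", "here"}
ATTACH_EXTS = (".zip", ".pif", ".exe", ".scr")
# Subject = Part 1 ("Re:" / "Re: Re:") + optional Part 2 ("my"/"your") + Part 3, assumed space-joined.
SUBJECT_RE = re.compile(r"(?:re: ){1,2}(?:my |your )?(.+)")
# The fake scanner footer appended after the body text.
FOOTER_RE = re.compile(r": no virus found\s+powered by the new norton onlinescan", re.I)

def subject_matches(subject):
    m = SUBJECT_RE.fullmatch(" ".join(subject.lower().split()))
    return bool(m) and m.group(1) in PART3

def attachment_matches(filename, recipient):
    """<stem>[_<local part>].<zip|pif|exe|scr>; the page says "_" and "%s" may be omitted."""
    stem, dot, ext = filename.lower().rpartition(".")
    local = parseaddr(recipient)[1].split("@", 1)[0].lower()
    return bool(dot) and "." + ext in ATTACH_EXTS and any(
        stem in (b, f"{b}_{local}", f"{b}{local}") for b in ATTACH_STEMS)

def netsky_n_indicators(raw):
    """Names of the Netsky.n traits found in one RFC 822 message string."""
    msg = message_from_string(raw)
    hits = ["subject"] if subject_matches(msg.get("Subject", "")) else []
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name, msg.get("To", "")):
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if FOOTER_RE.search(body):
                hits.append("footer")
    return hits

# Constructed sample in the described shape; the attachment body is a placeholder, not worm bytes.
SAMPLE = "\n".join([
    "To: user@mail.com", "Subject: Re: your document",
    'Content-Type: multipart/mixed; boundary="b1"', "", "--b1", "Content-Type: text/plain", "",
    "Your document is attached.", "", "-" * 44, "document_user.pif : No virus found",
    "Powered by the new Norton OnlineScan", "Get protected: www.symantec.com", "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="document_user.pif"', "", "placeholder", "--b1--", ""])
```

A message that hits all three traits is a strong match; a subject hit alone is weak, since "Re: hello" is ordinary mail.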

Symptoms

The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS) as VisualGuard.exe:

  • C:\WINNT\VisualGuard.exe (33,792 bytes)

A Registry Run value is created to load the worm at system start:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "NetDy" = %WinDir%\VisualGuard.exe

  • Unexpected network traffic
  • The following files are created in the WINDOWS (%WinDir%) directory:
    • base64.tmp - base64 encoded version of the executable
    • VisualGuard.exe - copy of the worm executable
    • zip1.tmp - base64 encoded version of worm in zip archive
    • zip2.tmp - base64 encoded version of worm in zip archive
    • zip3.tmp - base64 encoded version of worm in zip archive
    • zip4.tmp - base64 encoded version of worm in zip archive
    • zip5.tmp - base64 encoded version of worm in zip archive
    • zip6.tmp - base64 encoded version of worm in zip archive
    • zipped.tmp - worm in zip archive
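As an added example that is not part of the original description, the host-side symptoms listed above (the NetDy Run value and the files dropped into %WinDir%) can be checked against a collected snapshot. The snapshot format, a dict of Run value names to data and a dict of %WinDir% file names to sizes, is an assumption of this example, and the sample snapshot is constructed.

```python
import ntpath
import re

# Persistence and dropped-file indicators from the Symptoms section above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NetDy"
WORM_FILE = "VisualGuard.exe"
WORM_SIZE = 33_792  # bytes, as listed for C:\WINNT\VisualGuard.exe
STAGING_FILES = {"base64.tmp", "zipped.tmp"} | {f"zip{i}.tmp" for i in range(1, 7)}

def triage(run_values, windir_files, windir=r"C:\WINNT"):
    """run_values: {name: data} read from RUN_KEY; windir_files: {file name: size in bytes}
    for %WinDir%. Returns a list of findings; an empty list means no symptom matched."""
    findings = []
    # Registry value names are case-insensitive, so compare them lower-cased.
    data = next((d for n, d in run_values.items() if n.lower() == RUN_VALUE.lower()), None)
    if data is not None:
        path = re.sub(r"%windir%", lambda _: windir, data.strip('"'), flags=re.I)
        if ntpath.basename(path).lower() == WORM_FILE.lower():
            findings.append(f"{RUN_KEY} value {RUN_VALUE!r} launches {path}")
        else:
            findings.append(f"{RUN_KEY} value {RUN_VALUE!r} present with unexpected data {data!r}")
    files = {name.lower(): size for name, size in windir_files.items()}
    if WORM_FILE.lower() in files:
        size = files[WORM_FILE.lower()]
        note = "" if size == WORM_SIZE else f" (size {size}, expected {WORM_SIZE}: possible variant)"
        findings.append(f"{windir}\\{WORM_FILE} present{note}")
    staged = sorted(f for f in STAGING_FILES if f in files)
    if staged:
        findings.append("mailer staging files present: " + ", ".join(staged))
    return findings

# Constructed snapshot: one infected-looking host with a partial set of staging files.
SNAPSHOT_RUN = {"NetDy": r"%WinDir%\VisualGuard.exe", "SomeTool": r"C:\Program Files\Tool\tool.exe"}
SNAPSHOT_FILES = {"VisualGuard.exe": 33792, "base64.tmp": 45056, "zip3.tmp": 45056, "notepad.exe": 66560}
```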

Virus removal

The virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

The following Registry values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.