W32/Netsky.r@MM

Type
Virus
SubType
Internet Worm
Discovery Date
03/31/2004
Length
20,624 bytes (FSG packed)
18,944 bytes (DLL)
Minimum DAT
4346 (03/31/2004)
Updated DAT
4517 (06/20/2005)
Minimum Engine
5.1.00
Description Added
03/31/2004
Description Modified
03/31/2004 11:45 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update March 31st 2004 11:40 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.techweb.com/wire/story/TWB20040331S0004

--

This version of the worm bears the following characteristics:

  • the FSG-packed worm (20,624 bytes) is mailed out to email addresses harvested from the victim machine, attached to the mails as a .PIF file.
  • when executed, this binary launches Notepad on the victim machine
  • the binary drops a DLL component (18,944 bytes) which contains the worm's functionality (including the SMTP engine and mailing routine)

Proactive Detection
The dropped DLL component is detected as W32/Netsky.q@MM with the 4345 DATs or greater.

When executed on desktops protected by McAfee products running the 4345 DATs (with the 4.2.40 engine or greater), the on-access scanner will trigger when the DLL is written to disk.

In this case, the dropper will copy itself to %WinDir% as PANDAAVENGINE.EXE, and Notepad will be executed on the victim machine. No mail-propagation will occur.

Mail Propagation
The worm contains its own SMTP engine to construct messages. Email addresses are harvested from the following file types on the victim machine:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab
  • .wsh
  • .xls
  • .xml

Additionally, the worm sends mails to the following email address:

  • jena@yahoo.cz

Outgoing messages are constructed as follows:

From: spoofed, (using harvested email addresses)
Subject: Re: Document%n%
Attachment: DOCUMENT%n%.PIF
Body:
Excuse me,
the important document is attached,
Yours sincerely

where %n% is a random number.

Harvested email addresses are used in spoofing the From: address.
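As an added example (not part of the original AVERT description), the following Python script checks a raw RFC 822 message against the template above: a subject of the form Re: Document<n>, an attachment named DOCUMENT<n>.PIF, and the three-line body. Because the From: address is spoofed from harvested addresses, it also pulls the originating host from the earliest Received: header, which is the only header that points back at the infected machine. The two messages it runs against are constructed here for the demo; the host names, addresses and regular expressions are assumptions, not data from the page.

```python
"""Flag mail that matches the W32/Netsky.r@MM message template."""
import email
import re
from email import policy
from email.message import EmailMessage

# Template values taken from the description: subject, attachment name and body.
SUBJECT_RE = re.compile(r"^Re: Document\d+$")
ATTACH_RE = re.compile(r"^DOCUMENT\d+\.PIF$", re.IGNORECASE)
BODY_LINES = ["Excuse me,", "the important document is attached,", "Yours sincerely"]
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def origin_host(msg: EmailMessage):
    """From: is spoofed with harvested addresses, so the only hint of the
    infected machine is the earliest Received: header. Received headers are
    stacked newest-first, so the earliest hop is the last one in the list."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM_RE.match(str(received[-1]).strip())
    return m.group(1) if m else None


def classify(raw: bytes) -> dict:
    """Return which template indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    body_lines = [ln.strip() for ln in body.splitlines() if ln.strip()]

    hits = {
        "subject": bool(SUBJECT_RE.match(subject)),
        "pif_attachment": any(ATTACH_RE.match(name) for name in attachments),
        "body": body_lines == BODY_LINES,
        "origin_host": origin_host(msg),
    }
    # Subject plus a DOCUMENT<n>.PIF attachment is specific enough on its own;
    # the body match is recorded as corroboration.
    hits["match"] = hits["subject"] and hits["pif_attachment"]
    return hits


def _build_netsky_sample() -> bytes:
    """Constructed message in the shape described above (not a real capture)."""
    msg = EmailMessage()
    msg["Received"] = ("from infected-pc.example.net (192.0.2.10) by mx.example.org "
                       "with SMTP; Wed, 31 Mar 2004 10:00:00 +0000")
    msg["From"] = "harvested.address@example.com"   # spoofed, per the description
    msg["To"] = "target@example.org"
    msg["Subject"] = "Re: Document4711"
    msg.set_content("Excuse me,\nthe important document is attached,\nYours sincerely\n")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="DOCUMENT4711.PIF")
    return msg.as_bytes()


def _build_benign_sample() -> bytes:
    """Constructed ordinary reply with a text attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "target@example.org"
    msg["Subject"] = "Re: Document review"
    msg.set_content("Attached are my notes on the draft.\n")
    msg.add_attachment("line 1\nline 2\n", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_NETSKY = _build_netsky_sample()
SAMPLE_BENIGN = _build_benign_sample()

if __name__ == "__main__":
    for label, raw in (("netsky", SAMPLE_NETSKY), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

On a real mail gateway the Received: chain is only trustworthy up to the first hop your own servers added; anything below it was written by the sending host and can be forged, so treat the extracted origin as a lead to check against SMTP logs, not as proof.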

Denial Of Service
If the system date is between April 12th and April 16th, 2004, the worm launches a Denial of Service attack against the following web sites:

  • www.keygen.us
  • www.kazaa.com
  • www.emule-project.net
  • www.cracks.am
  • www.emule.de

The worm also removes various Registry keys and files associated with other viruses.

Symptoms

  • Existence of the files listed under Method of Infection
  • Blank Notepad window opened

Method of Infection

When executed on the victim machine, the worm copies itself into %WinDir% as PANDAAVENGINE.EXE:

  • %WinDir%\PandaAVEngine.exe

It spawns an instance of Notepad on the victim machine. (A blank Notepad window is displayed.)

It then extracts a DLL which it carries and drops it on the victim machine:

  • %WinDir%\temp09094283.dll (18,944 bytes)

The dropper then loads this DLL. The bulk of the worm's functionality is contained within this DLL.

The DLL drops a base-64 encoded copy of the worm:

  • %WinDir%\uinmzertinmds.opm (28,264 bytes)
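As an added example (not code from the original description), the following Python script checks a Windows directory for the three artefacts listed above, compares their sizes with the figures given here, and tests whether the .opm file base64-decodes to data with an MZ header. That last check rests on the assumption, not stated on the page, that the file is plain base64 of the PE dropper. The demo directory the script builds is a constructed stand-in of padded dummy files, not worm samples; the function and file-layout details are assumptions.

```python
"""Check a Windows directory for the files W32/Netsky.r@MM drops."""
import base64
import binascii
import os
import tempfile

# Artefacts from the Method of Infection section, with the sizes the page gives.
NETSKY_R_FILES = {
    "pandaavengine.exe": 20624,   # dropper, the FSG-packed worm
    "temp09094283.dll": 18944,    # dropped DLL with the SMTP engine
    "uinmzertinmds.opm": 28264,   # base64-encoded copy of the worm
}


def _is_base64_pe(path: str) -> bool:
    """Assumption (not stated on the page): the .opm file is plain base64 of
    the PE dropper, so decoding it should yield an 'MZ' header."""
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        decoded = base64.b64decode(data, validate=False)   # tolerates line breaks
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] == b"MZ"


def scan_windir(windir: str) -> list:
    """Return one record per indicator file found in windir. Matching is
    case-insensitive because Windows file names are, and this may run from a
    Linux triage box against a mounted image."""
    findings = []
    try:
        entries = {name.lower(): name for name in os.listdir(windir)}
    except (FileNotFoundError, NotADirectoryError):
        return findings
    for ioc, expected in NETSKY_R_FILES.items():
        if ioc not in entries:
            continue
        path = os.path.join(windir, entries[ioc])
        size = os.path.getsize(path)
        rec = {"path": path, "size": size, "size_matches": size == expected}
        if ioc.endswith(".opm"):
            rec["decodes_to_pe"] = _is_base64_pe(path)
        findings.append(rec)
    return findings


def build_demo_windir() -> str:
    """Constructed demo tree mimicking the artefact layout: zero-padded dummy
    files of the documented sizes, plus a base64 copy of the dummy dropper."""
    d = tempfile.mkdtemp(prefix="netsky_r_demo_")
    fake_exe = b"MZ" + b"\x00" * (20624 - 2)
    with open(os.path.join(d, "PandaAVEngine.exe"), "wb") as fh:
        fh.write(fake_exe)
    with open(os.path.join(d, "temp09094283.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * (18944 - 2))
    with open(os.path.join(d, "uinmzertinmds.opm"), "wb") as fh:
        fh.write(base64.encodebytes(fake_exe))   # wrapped at 76 chars
    return d


if __name__ == "__main__":
    demo = build_demo_windir()
    for rec in scan_windir(demo):
        print(rec)
```

The size comparison is only a first filter: a file with the right name and the wrong size may still be the worm (a different packer or a later variant), and the .opm size in the demo will not match 28,264 bytes because the page does not say how the base64 copy is line-wrapped. Treat a name hit as enough to pull the file for scanning with current DATs.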

Removal

AVERT recommends always using the latest DATs and engine. This threat will be detected and cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.NetSky.s (AVP)
  • W32/Netsky-R (Sophos)
  • W32/Netsky.R.worm (Panda)
