McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.NetSky.s (AVP)

• W32/Netsky-R (Sophos)

• W32/Netsky.R.worm (Panda)

Characteristics

-- Update March 31st 2004 11:40 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.techweb.com/wire/story/TWB20040331S0004

--

This version of the worm bears the following characteristics:

• the FSG-packed worm (20,624 bytes) is mailed out to email addresses extracted from the victim machine, attached to mails as a .PIF attachment.
• when executed this binary executes Notepad on the victim machine
• the binary drops a DLL component (18,944 bytes) which contains the worms functionality (including SMTP engine and mailing routine)

Proactive Detection
The dropped DLL component is detected as W32/Netsky.q@MM with the 4345 DATs or greater.

When executed on desktops protected by McAfee products running the 4345 DATs (with the 4.2.40 engine or greater), the on-access scanner will trigger when the DLL is written to disk.

In this case, the dropper will copy itself to %WinDir% as PANDAAVENGINE.EXE, and Notepad will be executed on the victim machine. No mail-propagation will occur.

Mail Propagation
The worm contains its own SMTP engine to construct messages. Email addresses are harvested from the following file types on the victim machine:

• .adb
• .asp
• .cfg
• .cgi
• .dbx
• .dhtm
• .doc
• .eml
• .htm
• .html
• .jsp
• .mbx
• .mdx
• .mht
• .mmf
• .msg
• .nch
• .ods
• .oft
• .php
• .ppt
• .rtf
• .sht
• .shtm
• .stm
• .tbb
• .txt
• .uin
• .vbs
• .wab
• .wsh
• .xls
• .xml

Additionally, the worm sends mails to the following email address:

• jena@yahoo.cz

Outgoing messages are constructed as follows:

From: spoofed, (using harvested email addresses)
Subject: Re: Document%n%
Attachment: DOCUMENT%n%.PIF
Body:
Excuse me,
the important document is attached,
Yours sincerely

where %n% is a random number.

Harvested email addresses are used in spoofing the From: address.

Denial Of Service
If the system time is between April 12th - April 16th, 2004, the worm launches a Denial of Service attack on the following web sites:

• www.keygen.us
• www.kazaa.com
• www.emule-project.net
• www.cracks.am
• www.emule.de

The worm also removes various Registry keys and files associated with other viruses.

Symptoms

• Existence of the files and Registry keys detailed here
• Blank Notepad window opened

Method of Infection

When executed on the victim machine, the worm copies itself into %WinDir% as PANDAAVENGINE.EXE:

• %WinDir%\PandaAVEngine.exe

It spawns an instance of Notepad on the victim machine. (A blank Notepad window is displayed.)

It then extracts a DLL which it carries and drops it on the victim machine:

• %WinDir%\temp09094283.dll (18,944 bytes)

The dropper then loads this DLL. The bulk of the worms functionality is contained within this DLL.

The DLL drops a base-64 encoded copy of the worm:

• %WinDir%\uinmzertinmds.opm (28,264 bytes)

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.NetSky.s (AVP)

• W32/Netsky-R (Sophos)

• W32/Netsky.R.worm (Panda)

Characteristics

Characteristics -

-- Update March 31st 2004 11:40 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.techweb.com/wire/story/TWB20040331S0004

--

This version of the worm bears the following characteristics:

• the FSG-packed worm (20,624 bytes) is mailed out to email addresses extracted from the victim machine, attached to mails as a .PIF attachment.
• when executed this binary executes Notepad on the victim machine
• the binary drops a DLL component (18,944 bytes) which contains the worms functionality (including SMTP engine and mailing routine)

Proactive Detection
The dropped DLL component is detected as W32/Netsky.q@MM with the 4345 DATs or greater.

When executed on desktops protected by McAfee products running the 4345 DATs (with the 4.2.40 engine or greater), the on-access scanner will trigger when the DLL is written to disk.

In this case, the dropper will copy itself to %WinDir% as PANDAAVENGINE.EXE, and Notepad will be executed on the victim machine. No mail-propagation will occur.

Mail Propagation
The worm contains its own SMTP engine to construct messages. Email addresses are harvested from the following file types on the victim machine:

• .adb
• .asp
• .cfg
• .cgi
• .dbx
• .dhtm
• .doc
• .eml
• .htm
• .html
• .jsp
• .mbx
• .mdx
• .mht
• .mmf
• .msg
• .nch
• .ods
• .oft
• .php
• .ppt
• .rtf
• .sht
• .shtm
• .stm
• .tbb
• .txt
• .uin
• .vbs
• .wab
• .wsh
• .xls
• .xml

Additionally, the worm sends mails to the following email address:

• jena@yahoo.cz

Outgoing messages are constructed as follows:

From: spoofed, (using harvested email addresses)
Subject: Re: Document%n%
Attachment: DOCUMENT%n%.PIF
Body:
Excuse me,
the important document is attached,
Yours sincerely

where %n% is a random number.

Harvested email addresses are used in spoofing the From: address.

Denial Of Service
If the system time is between April 12th - April 16th, 2004, the worm launches a Denial of Service attack on the following web sites:

• www.keygen.us
• www.kazaa.com
• www.emule-project.net
• www.cracks.am
• www.emule.de

The worm also removes various Registry keys and files associated with other viruses.

Symptoms

Symptoms -

• Existence of the files and Registry keys detailed here
• Blank Notepad window opened

Method of Infection

Method of Infection -

When executed on the victim machine, the worm copies itself into %WinDir% as PANDAAVENGINE.EXE:

• %WinDir%\PandaAVEngine.exe

It spawns an instance of Notepad on the victim machine. (A blank Notepad window is displayed.)

It then extracts a DLL which it carries and drops it on the victim machine:

• %WinDir%\temp09094283.dll (18,944 bytes)

The dropper then loads this DLL. The bulk of the worms functionality is contained within this DLL.

The DLL drops a base-64 encoded copy of the worm:

• %WinDir%\uinmzertinmds.opm (28,264 bytes)

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A