W32/Netsky.s@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 04/05/2004
Length: 18,432 bytes (UPX packed)
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/05/2004
Description Modified: 05/12/2004 3:57 PM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update May 12, 2004 --
Due to decreased prevalence, this threat has had its risk assessment lowered to Low-Profiled.

-- Update April 6th, 2004 --
Due to increased prevalence, this threat has had its risk assessment raised to Medium.

If you think that you may be infected with Netsky.s and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the worm forges the From: address of the messages it sends.

-- Update April 05, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/article2/0,1759,1561746,00.asp

This variant of W32/Netsky@MM bears similarities to the previous members of this family. The worm bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages
  • opens a port on the victim machine (TCP 6789)
  • delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wsh
  • .wab
  • .xls
  • .xml

Constructed messages bear the following characteristics:

From: this is spoofed (using harvested email addresses)
Subject: various subject lines may be used, for example:

  • Hello!
  • Hi!
  • Re: Important
  • Important
  • Re: My details
  • My details
  • Re: Your information
  • Your information
  • Re: Your details
  • Your details
  • Re: Your document
  • Your document
  • Re: Request
  • Request
  • Re: Thanks you!
  • Thank you!
  • Re: Approved
  • Approved
  • Re: Hello
  • Re: Hi
  • Hello
  • Hi

Body: various message bodies may be constructed using a pool of strings within the worm:

Attachment: The attachment has a .PIF extension. The filename is constructed from one of the following strings, with a random number appended to it:

  • account
  • postcard
  • sample
  • developement
  • concept
  • story
  • report
  • icq_number
  • e-mail
  • phone_number
  • personal_message
  • photo_document
  • order
  • important_document
  • diggest
  • final_version
  • release
  • answer
  • bill
  • notice
  • requested_document
  • description
  • summary
  • picture_document
  • movie_document
  • approved_document
  • old_document
  • document
  • mail
  • letter
  • homepage
  • detailed_document
  • powerpoint_document
  • excel_document
  • word_document
  • info
  • information
  • text
  • new_document
  • textfile
  • user_list
  • improved_file
  • secound_document
  • file
  • number_list
  • contact_list
  • message
  • note
  • improved_document
  • details
  • instructions
  • presentation_document
  • abuse_list
  • archive
  • corrected_document
  • list
  • approved_file

Example:
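The message traits listed above (a fixed pool of subject lines, and an attachment whose name is one of the stems plus a number with a .PIF extension) are enough for a mail-gateway rule. The following Python is an added example written for this page, not McAfee code and not taken from the worm; it assumes the "random number" is one or more digits placed directly after the stem (e.g. report4711.pif), and the message it classifies is constructed inline rather than captured.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines and attachment-name stems exactly as listed on the page
# (the worm's own misspellings are kept so that the match is literal).
SUBJECTS = frozenset({
    "Hello!", "Hi!", "Re: Important", "Important", "Re: My details", "My details",
    "Re: Your information", "Your information", "Re: Your details", "Your details",
    "Re: Your document", "Your document", "Re: Request", "Request",
    "Re: Thanks you!", "Thank you!", "Re: Approved", "Approved",
    "Re: Hello", "Re: Hi", "Hello", "Hi",
})
ATTACHMENT_STEMS = (
    "account", "postcard", "sample", "developement", "concept", "story", "report",
    "icq_number", "e-mail", "phone_number", "personal_message", "photo_document",
    "order", "important_document", "diggest", "final_version", "release", "answer",
    "bill", "notice", "requested_document", "description", "summary",
    "picture_document", "movie_document", "approved_document", "old_document",
    "document", "mail", "letter", "homepage", "detailed_document",
    "powerpoint_document", "excel_document", "word_document", "info", "information",
    "text", "new_document", "textfile", "user_list", "improved_file",
    "secound_document", "file", "number_list", "contact_list", "message", "note",
    "improved_document", "details", "instructions", "presentation_document",
    "abuse_list", "archive", "corrected_document", "list", "approved_file",
)

# Assumption: "random number appended" means one or more digits directly after
# the stem. Longer stems are listed first so that e.g. "textfile12.pif" is
# matched by "textfile" rather than being rejected after "text" is tried.
ATTACHMENT_RE = re.compile(
    r"^(?:"
    + "|".join(re.escape(s) for s in sorted(ATTACHMENT_STEMS, key=len, reverse=True))
    + r")\d+\.pif$",
    re.IGNORECASE,
)


def attachment_matches(filename: str) -> bool:
    """True if the attachment name follows the worm's stem+number.pif pattern."""
    return bool(ATTACHMENT_RE.match(filename.strip()))


def classify_message(raw: str) -> dict:
    """Classify an RFC 822 message: quarantine on attachment match, flag on subject match."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for non-attachment parts
        if name and attachment_matches(name):
            hits.append(name)
    subject_hit = subject in SUBJECTS
    if hits:
        verdict = "quarantine"      # attachment pattern is the decisive indicator
    elif subject_hit:
        verdict = "review"          # subject alone is common wording; only flag it
    else:
        verdict = "deliver"
    return {"verdict": verdict, "attachments": hits, "subject_match": subject_hit}


def build_sample(subject: str, attachment_name: str) -> str:
    """Construct a sample message (not a real capture) for testing the classifier."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # constructed; the worm would forge this
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    print(classify_message(build_sample("Re: Your details", "approved_document4711.pif")))
    print(classify_message(build_sample("Hello!", "minutes.txt")))
```

Because the From: address is spoofed from harvested addresses, nothing in the sender field is usable as an indicator; the attachment name pattern is what the rule keys on, with the subject pool only raising a review flag.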

Denial of Service

If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:

  • www.keygen.us
  • www.freemule.net
  • www.kazaa.com
  • www.emule.de
  • www.cracks.am

System Changes

The worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:

  • %WinDir%\EASYAV.EXE

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE

A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:

  • %WinDir%\UINMZERTINMDS.OPM

Remote Access Component

The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.

Symptoms

  • Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
  • Existence of the files/Registry keys detailed above
  • TCP port 6789 open on the victim machine
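The symptoms above are host and network indicators that can be checked mechanically against data an administrator already collects. The following Python is an added example, not part of the original page or of any McAfee tool; it evaluates Run key values, a Windows directory listing, netstat -an style output and an egress log (the log line format is an assumption, constructed for the example) against the indicators the page lists. The weighting in the verdict is the example's own choice: a dropped file or the Run value is strong evidence, while a listener on 6789 or a query to one of the embedded DNS servers on its own only warrants investigation, since both have benign explanations.

```python
import re

# Indicators taken from the page: the dropped files, the Run value, the
# backdoor port and the DNS server IPs carried inside the worm.
WORM_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
WORM_FILES = frozenset({"EASYAV.EXE", "UINMZERTINMDS.OPM"})
WORM_RUN_NAME = "easyav"
WORM_PORT = 6789


def check_run_values(run_values: dict) -> list:
    """run_values maps value name -> data under HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == WORM_RUN_NAME or data.lower().endswith("\\easyav.exe"):
            hits.append(f'Run "{name}" = {data}')
    return hits


def check_windir_listing(filenames) -> list:
    """Match file names from a %WinDir% listing case-insensitively."""
    return sorted(f for f in filenames if f.upper() in WORM_FILES)


# netstat -an style line: "  TCP    0.0.0.0:6789    0.0.0.0:0    LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def check_listeners(netstat_lines) -> list:
    """Report TCP listeners on the worm's backdoor port."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == WORM_PORT:
            hits.append(line.strip())
    return hits


# Constructed egress-log format (assumption): "<time> <src_ip> -> <dst_ip>:<dst_port> <proto>"
EGRESS_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(udp|tcp)\s*$",
    re.IGNORECASE,
)


def check_dns_egress(log_lines) -> list:
    """Report DNS (port 53) traffic to any of the worm's embedded DNS servers."""
    hits = []
    for line in log_lines:
        m = EGRESS_RE.match(line)
        if m and m.group(4) == "53" and m.group(3) in WORM_DNS_SERVERS:
            hits.append(f"{m.group(2)} queried worm-embedded DNS server {m.group(3)}")
    return hits


def assess(run_values, windir_listing, netstat_lines, egress_lines) -> dict:
    """Combine the checks into one verdict: infected / investigate / clean."""
    findings = {
        "registry": check_run_values(run_values),
        "files": check_windir_listing(windir_listing),
        "listener": check_listeners(netstat_lines),
        "dns": check_dns_egress(egress_lines),
    }
    strong = bool(findings["registry"] or findings["files"])
    weak = bool(findings["listener"] or findings["dns"])
    findings["verdict"] = "infected" if strong else ("investigate" if weak else "clean")
    return findings


# Constructed sample host data for demonstration, not a real capture.
SAMPLE_RUN = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
              "EasyAV": "C:\\WINDOWS\\EASYAV.EXE"}
SAMPLE_WINDIR = ["explorer.exe", "easyav.exe", "uinmzertinmds.opm", "win.ini"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:6789     0.0.0.0:0    LISTENING",
    "  TCP    10.0.0.5:1034    10.0.0.9:80  ESTABLISHED",
]
SAMPLE_EGRESS = [
    "12:00:01 10.0.0.5 -> 10.0.0.1:53 udp",
    "12:00:02 10.0.0.5 -> 194.25.2.129:53 udp",
    "12:00:03 10.0.0.5 -> 212.185.252.73:80 tcp",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RUN, SAMPLE_WINDIR, SAMPLE_NETSTAT, SAMPLE_EGRESS).items():
        print(key, value)
```

The file and registry checks are the same artefacts the manual removal steps below delete, so a host that assesses as "infected" here is one where those steps (or an updated DAT scan) apply.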

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users
The current engine/DAT files are required for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  • Delete the following files from the infected machine:
    • %WinDir%\EASYAV.EXE
    • %WinDir%\UINMZERTINMDS.OPM
  • Edit the registry
    Remove the following Registry key which the worm adds to hook system startup:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
  • Reboot the system into default mode

McAfee Threatscan
Detection of the W32/Netsky.s@MM virus is available in the generic Netsky detection module.

ThreatScan signatures that can detect the W32/Netsky.s@MM virus are available from:

ThreatScan Signature version:  2004-04-06

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or- 

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4066

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Netsky-S (Sophos)
  • W32/Netsky.S.worm (Panda)
  • WORM_NETSKY.S (Trend)
