W32/Netsky.t@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 04/06/2004
Length: 18,432 bytes (UPX packed)
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/06/2004
Description Modified: 04/07/2004 3:32 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This variant of W32/Netsky is very similar to W32/Netsky.s@MM. It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages
  • opens a port on the victim machine (TCP 6789)
  • delivers a DoS attack on certain web sites upon a specific date condition

The EXTRA.DAT posted for W32/Netsky.s@MM detects this threat as W32/Netsky.s@MM or a variant of it (with scanning of compressed files enabled).

System Changes

Just like its predecessor, the worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:

  • %WinDir%\EASYAV.EXE

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "EasyAV" = %WinDir%\EASYAV.EXE

A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:

  • %WinDir%\UINMZERTINMDS.OPM

Remote Access Component

The worm opens port 6789 (TCP) on the victim machine. This backdoor allows a remote party to download and execute files on the infected host.

Symptoms

  • Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
  • Existence of the files/Registry keys detailed above
  • TCP port 6789 open on the victim machine
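The host-based symptoms above (dropped files, the Run value and the TCP 6789 listener) can be checked with a short read-only script. This is an added example, not McAfee's tooling; it assumes a PowerShell version that provides Get-NetTCPConnection (Windows 8 / Server 2012 or later) and checks only the indicators this advisory lists.

```powershell
# Added example: report the W32/Netsky.t@MM indicators named in this advisory.
# Read-only: it prints findings and does not delete or modify anything.
$winDir   = $env:WINDIR
$findings = @()

# 1. Dropped files in the Windows directory (EASYAV.EXE and the base-64 copy)
foreach ($name in @('EASYAV.EXE', 'UINMZERTINMDS.OPM')) {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Startup hook: a Run value named "EasyAV" under HKLM
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['EasyAV']) {
    $findings += "Run value EasyAV = $($run.EasyAV)"
}

# 3. Backdoor listener on TCP 6789 (assumes Get-NetTCPConnection is available)
$listener = Get-NetTCPConnection -State Listen -LocalPort 6789 -ErrorAction SilentlyContinue
if ($listener) {
    $owners = ($listener | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
    $findings += "TCP 6789 listening (owning PID: $owners)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Netsky.t@MM indicators found.'
} else {
    Write-Output 'Possible W32/Netsky.t@MM infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Confirm and clean with a current engine and DAT (see Removal).'
}
```

A hit on any single indicator is a reason to scan, not proof of infection; the Run value and file names could be reused by other malware or unrelated software.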

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.