W32/Netsky.u@MM

Type
Virus
SubType
E-mail
Discovery Date
04/07/2004
Length
18,432 bytes
Minimum DAT
4350 (04/08/2004)
Updated DAT
4994 (03/28/2007)
Minimum Engine
5.1.00
Description Added
04/07/2004
Description Modified
04/14/2004 1:29 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This variant of W32/Netsky is very similar to W32/Netsky.t@MM. It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages
  • opens a port on the victim machine (TCP 6789)
  • delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wsh
  • .wab
  • .xls
  • .xml

Constructed messages bear the following characteristics:

From: This is spoofed (using harvested email addresses)
Subject: Taken from the following list

  • Reply
  • Again
  • It's me
  • Hey
  • Hello
  • Hi
  • Re: Hello
  • Re: Hi

Body: Various message bodies may be constructed using a pool of strings within the worm. (some letters have been omitted, replaced with *)

  • Oh, I got it!
  • To less characters! Take it easy...
  • I noticed your password for administrative purpuses.
  • Yet another password! Need a better one?
  • Oh... your password!
  • Need a better password? my advice....
  • Your pwd is critical, too short, to low!
  • Do not use personal information for your password!
  • Your password on a website?
  • Passwordlist? yours?
  • I needed only 2 hours to get your password.
  • Change your password! I have stolen some text, excuse me!
  • Dictionary attacks are good. Your password not!
  • I used the brute-force method to get your password..
  • Take it easy... Your password is too short.
  • I 've got your password! take it easy...
  • Hey, easy passwords!
  • Oh! Excuse me, your password is too easy!!!
  • Not with me!
  • Here is a sample of your private documents I have stolen!
  • Your privacy! lol, youre not protected!
  • Needed? No, here I give it back!
  • I believe from the document you are a child!
  • Check your document, errors are there!
  • Please, please, Give me another sexy document about you!
  • Short and good, your document!
  • Jooooooooo.... document? Yours????? Wehaaa!
  • I do not accept documents from bad guys!
  • I do not want your document!
  • Go to hell an burn with your bad document!
  • I will send your list to the police!!!!
  • Hello, here.
  • It's the truth, your document not!!!
  • Could I have more texts about you?
  • Thus is enough. Stop sending your s***** documents!!!
  • One, two three, more, I have many questions to you document!
  • Nice, nice, more and more? do you?
  • Should I believe it? No, however, your story is bad.
  • Oh.....puh, your story is very strong!
  • Yours is very nice!
  • Do you have more of that?
  • Hey ya, nice document. Do you have more?
  • Abou you?
  • Sexy pic abou you?
  • Do you have a digicam to make your private photos?
  • More naked...your body is sexy!
  • Naked, you?
  • Are you naked?
  • More private photos of you? no!
  • Private photos...mmmhh. I like it. Post me more please!
  • Hey, naked one!
  • Hey, have you ever seen your photo?
  • Eat my s***! Your photo is bad.
  • Do not distribute your naked photos!
  • Uhaaa! naked... are you cranky?
  • Your are naked? Tell me more...please!
  • Hey, private or private..naked?
  • Pah!...take your private photo, naked and so, and go away.
  • I have sent your private photo to the police.
  • What is when I show your private illegal photo the police?
  • You? Very funny! More available?
  • I don't want to see your photo!
  • S***... your photo! naked?

Attachment: The attachment arrives as a .PIF file. The first part of the filename is constructed from one of the following strings:

  • morepasswords
  • cracked_password
  • easypassword
  • yourpassword
  • password
  • passwords
  • pwd_list
  • your_password
  • your_pwd
  • yourspwd
  • pwd
  • password02
  • pwds04
  • pass01
  • correct_pass
  • listed
  • detailed
  • approvdoc
  • doc_ed
  • morestory
  • abuses
  • mail
  • story
  • letter
  • sexydocument
  • doc
  • yetanotherdocument
  • trieddocument
  • posteddocument
  • abusedocument
  • illegaldocument
  • doc04
  • shortdoc
  • details
  • alldoc
  • document_part
  • anotherdocument
  • document3
  • founddocument
  • your_doc04
  • onedocument
  • mydocument
  • yourdocument
  • yourdoc
  • document
  • photo03
  • your_photo
  • private_pic
  • private_photo
  • about_you
  • your_bad_photo
  • xxx_yours_naked
  • your_private_document
  • private
  • yourpic
  • yournakedpic
  • pic04
  • yours
  • yourimage
  • yourphoto
  • yoursnaked
  • yours_naked
  • img05
  • not_permitted
  • yours_naked_img
  • yours_funny
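The message traits above (spoofed From:, the fixed subject pool, and a .PIF attachment whose name starts with one of the listed stems) are enough to write a mail-gateway check. The script below is an added example, not code from this description or from McAfee; it uses only the Python standard library `email` package, and the two test messages it builds (addresses, body, attachment bytes) are constructed placeholders, not captured samples.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines and attachment-name stems copied from the description above.
SUBJECTS = {"Reply", "Again", "It's me", "Hey", "Hello", "Hi", "Re: Hello", "Re: Hi"}
ATTACH_STEMS = (
    "morepasswords", "cracked_password", "easypassword", "yourpassword", "password",
    "passwords", "pwd_list", "your_password", "your_pwd", "yourspwd", "pwd", "password02",
    "pwds04", "pass01", "correct_pass", "listed", "detailed", "approvdoc", "doc_ed",
    "morestory", "abuses", "mail", "story", "letter", "sexydocument", "doc",
    "yetanotherdocument", "trieddocument", "posteddocument", "abusedocument",
    "illegaldocument", "doc04", "shortdoc", "details", "alldoc", "document_part",
    "anotherdocument", "document3", "founddocument", "your_doc04", "onedocument",
    "mydocument", "yourdocument", "yourdoc", "document", "photo03", "your_photo",
    "private_pic", "private_photo", "about_you", "your_bad_photo", "xxx_yours_naked",
    "your_private_document", "private", "yourpic", "yournakedpic", "pic04", "yours",
    "yourimage", "yourphoto", "yoursnaked", "yours_naked", "img05", "not_permitted",
    "yours_naked_img", "yours_funny",
)


def attachment_matches(filename):
    """True for a .pif attachment whose name begins with one of the worm's stems.

    Prefix matching mirrors "the first part of the filename"; it is deliberately
    broad (a stem like "doc" covers any doc*.pif), which is acceptable because a
    .pif attachment has no legitimate business reaching a mailbox anyway.
    """
    if not filename:
        return False
    name = filename.strip().lower()
    if not name.endswith(".pif"):
        return False
    stem = name[:-len(".pif")]
    return any(stem.startswith(s) for s in ATTACH_STEMS)


def classify_message(raw_bytes):
    """Parse one RFC 822 message and report which Netsky.u traits it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject_hit = (msg.get("Subject") or "").strip() in SUBJECTS
    pif_hits = [
        part.get_filename()
        for part in msg.iter_attachments()
        if attachment_matches(part.get_filename())
    ]
    # The subjects are too generic to act on alone ("Hi", "Hello"); the .pif
    # attachment is the deciding signal and the subject only raises confidence.
    return {"subject_hit": subject_hit, "pif_attachments": pif_hits, "verdict": bool(pif_hits)}


def build_sample(subject, filename):
    """Constructed test message (not a real capture); addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"  # the worm spoofs From: with a harvested address
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Oh... your password!")  # one of the body strings listed above
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Re: Hi", "yourpassword.pif")))
    print(classify_message(build_sample("Quarterly figures", "report.pdf")))
```

Because the From: header is spoofed from harvested addresses, nothing in the sender field is worth matching on; the verdict rests on the attachment, and blocking every .pif attachment outright at the gateway is the simpler and more durable control.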

Denial of Service

If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:

  • www.keygen.us
  • www.freemule.net
  • www.kazaa.com
  • www.emule.de
  • www.cracks.am

System Changes

The worm installs itself on the victim machine as SYMAV.EXE in the Windows directory:

  • %WinDir%\SymAV.EXE

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Run "SymAV" = %WinDir%\SymAV.EXE

A base-64 encoded copy of the worm is saved to disk as F***_YOU_BAGLE.TXT (letters omitted, replaced with *) in the Windows directory:

  • %WinDir%\f***_you_bagle.txt

Remote Access Component

The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.

Symptoms

  • Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
  • Existence of the files/Registry keys detailed above
  • TCP port 6789 open on the victim machine
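The symptoms above can be checked mechanically against host and network artifacts: the Run value and dropped binary from the System Changes section, the TCP 6789 listener, and outbound port-53 traffic to the resolver list the worm carries. The triage script below is an added example, not McAfee's tooling; the `reg query` and `netstat -an` excerpts and the firewall log lines it consumes are constructed, and the firewall log column layout (date, time, action, protocol, source, destination, source port, destination port) is an assumption you would adapt to your own log source.

```python
# Resolver IPs carried by the worm, copied from the Symptoms list above.
WORM_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
BACKDOOR_PORT = 6789
RUN_VALUE_NAME = "symav"      # "SymAV" value under HKLM\...\CurrentVersion\Run
DROPPED_BINARY = "symav.exe"  # %WinDir%\SymAV.EXE


def run_key_hits(reg_query_output):
    """Scan `reg query HKLM\\...\\Run` text for the worm's startup entry.

    Matches on the value name or on data ending in \\SymAV.EXE, so a variant
    that keeps the binary but renames the value is still caught.
    """
    hits = []
    for line in reg_query_output.splitlines():
        parts = line.split(None, 2)          # name, REG_* type, data
        if len(parts) < 3 or not parts[1].startswith("REG_"):
            continue
        name, _, data = parts
        data = data.strip()
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_BINARY):
            hits.append((name, data))
    return hits


def backdoor_listeners(netstat_output, port=BACKDOOR_PORT):
    """Return local addresses from `netstat -an` output that listen on the backdoor port."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                hits.append(local)
    return hits


def worm_dns_queries(fw_log_lines):
    """Flag outbound port-53 traffic to the worm's embedded resolver IPs.

    A host that normally talks to the internal resolver suddenly querying one
    of these addresses is the anomaly; the IPs themselves are ordinary resolvers.
    """
    hits = []
    for line in fw_log_lines:
        parts = line.split()
        if len(parts) < 8:
            continue
        src, dst, dport = parts[4], parts[5], parts[7]
        if dport == "53" and dst in WORM_DNS_SERVERS:
            hits.append((src, dst))
    return hits


def triage(reg_query_output, netstat_output, fw_log_lines):
    """Combine the three checks; host artifacts alone are conclusive, DNS alone is a lead."""
    result = {
        "run_key": run_key_hits(reg_query_output),
        "listeners": backdoor_listeners(netstat_output),
        "dns": worm_dns_queries(fw_log_lines),
    }
    result["infected"] = bool(result["run_key"] or result["listeners"])
    result["suspicious"] = result["infected"] or bool(result["dns"])
    return result


# Constructed artifacts for a demonstration run (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SymAV         REG_SZ    C:\WINDOWS\SymAV.EXE
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       10.0.0.7:445           ESTABLISHED
  UDP    0.0.0.0:6789           *:*
"""
SAMPLE_FW_LOG = [
    "2004-04-14 09:12:01 ALLOW UDP 192.168.1.5 192.168.1.1 1044 53",
    "2004-04-14 09:12:03 ALLOW UDP 192.168.1.5 194.25.2.129 1045 53",
    "2004-04-14 09:12:05 ALLOW TCP 192.168.1.5 212.185.252.73 1046 25",
    "2004-04-14 09:12:07 ALLOW UDP 192.168.1.5 212.7.128.165 1047 53",
]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FW_LOG))
```

The third sample log line (TCP 25 to one of the listed addresses) is left unflagged on purpose: the list is of resolvers the worm queries for MX records, so only port-53 traffic to them is the indicator, while the SMTP that follows goes to whatever mail exchangers those lookups return.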

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
