W32/Netsky.w@MM

Type: Virus
SubType: E-mail
Discovery Date: 04/16/2004
Length: 24,064 bytes
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/16/2004
Description Modified: 04/16/2004 4:04 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--Update 04/16/2004 14:30 PST
W32/Netsky.w@MM has been updated to Low-Profiled due to press coverage at http://www.techweb.com/wire/story/TWB20040416S0007

--

This variant of W32/Netsky is similar to W32/Netsky.n@MM. It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages

This worm is detected with current DATs as W32/Netsky.gen@MM with scanning compressed files enabled. Specific detection will be added to the 4352 DATs.

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .msg
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab
  • .wsh
  • .xml

Constructed messages bear the following characteristics:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

Part 1 (one of the following)

  • Re:
  • Re: Re:

Part 2 (one of the following)

  • my
  • your
  • (blank)

Part 3 (one of the following)

  • read it immediately
  • important
  • improved
  • patched
  • corrected
  • approved
  • thanks!
  • hello
  • hi
  • here
  • document_all
  • text
  • message
  • data
  • excel document
  • word document
  • bill
  • screensaver
  • application
  • website
  • product
  • letter
  • information
  • details
  • file
  • document
  • important
  • approved

Body: (Taken from the following list)

  • Your details.
  • Your document.
  • I have received your document. The corrected document is attached.
  • I have attached your document.
  • Your document is attached to this mail.
  • Authentication required.
  • Requested file.
  • See the file.
  • Please read the important document.
  • Please confirm the document.
  • Your file is attached.
  • Please read the document.
  • Your document is attached.
  • Please read the attached file.
  • Please see the attached file for details.

Closing: (all messages end with the following text)

--------------------------------------------
(attachment_name) : No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

Attachment: (Taken from the following list, followed by .ZIP, .PIF, .EXE, .SCR)

  • document_all_%s
  • text_%s
  • message_%s
  • data_%s
  • excel document_%s
  • word document_%s
  • bill_%s
  • screensaver_%s
  • application_%s
  • website_%s
  • product_%s
  • letter_%s
  • information_%s
  • details_%s
  • file_%s
  • document_%s
  • important_%s
  • approved_%s

(Where %s is replaced with the portion of the recipient's email address before the @. For example, if the address in the To: field is user@mail.com, %s becomes the string "user". The "_" and %s may be omitted.)
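The message traits listed above (a subject assembled from the three part lists, the forged "Norton OnlineScan" closing, and an attachment name that carries the recipient's local part) can be checked mechanically at a mail gateway. The following Python filter is an added example, not McAfee's code or anything from the worm; it reports which traits a message shows so a gateway can quarantine on a combination rather than a single string. The sample message is constructed, and the assumption that subject parts are joined by whitespace is an interpretation of the lists, not a fact the description states.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Subject parts, attachment stems and closing line exactly as listed in the description.
PART1 = ["Re:", "Re: Re:"]
PART2 = ["my", "your"]  # part 2 may also be blank
PART3 = ["read it immediately", "important", "improved", "patched", "corrected", "approved", "thanks!",
         "hello", "hi", "here", "document_all", "text", "message", "data", "excel document", "word document",
         "bill", "screensaver", "application", "website", "product", "letter", "information", "details", "file", "document"]
STEMS = PART3[10:] + ["important", "approved"]
CLOSING = "Powered by the new Norton OnlineScan"
_alt = lambda words: "|".join(map(re.escape, words))
# Assumption: the three subject parts are joined by (possibly empty) whitespace.
SUBJECT_RE = re.compile(r"^(?:%s)\s*(?:%s)?\s*(?:%s)$" % (_alt(PART1), _alt(PART2), _alt(PART3)), re.I)

def netsky_w_indicators(raw):
    """Return the set of Netsky.w traits ('subject', 'attachment', 'closing') seen in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = set()
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.add("subject")
    # %s in the attachment name is the recipient's local part; the "_%s" suffix may be omitted.
    local = parseaddr(msg.get("To") or "")[1].split("@")[0]
    attach_re = re.compile(r"^(?:%s)(?:_%s)?\.(?:zip|pif|exe|scr)$" % (_alt(STEMS), re.escape(local)), re.I)
    for part in msg.walk():
        name = part.get_filename()
        if name and attach_re.match(name):
            hits.add("attachment")
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if CLOSING in body:
                hits.add("closing")
    return hits

# Constructed sample shaped like the description (not a real capture); the attachment part is left empty.
SAMPLE = """\
From: someone@example.com
To: user@mail.com
Subject: Re: your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

document_user.pif : No virus found
Powered by the new Norton OnlineScan
--b1
Content-Disposition: attachment; filename="document_user.pif"

--b1--
"""
```

Matching on all three traits together keeps the false-positive rate low, since "Re: your document" alone is a legitimate subject.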

Symptoms

The worm copies itself into the Windows directory using the filename VisualGuard.exe. For example:

  • C:\WINDOWS\VisualGuard.exe (24,064 bytes)

A Registry key is created to load the worm at system start.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NetDy" = %WinDir%\VisualGuard.exe

The following files are also created in the WINDOWS directory:

  • base64.tmp (base64 encoded version of the executable)
  • zip1.tmp (base64 encoded version of worm in zip archive)
  • zip2.tmp (base64 encoded version of worm in zip archive)
  • zip3.tmp (base64 encoded version of worm in zip archive)
  • zip4.tmp (base64 encoded version of worm in zip archive)
  • zip5.tmp (base64 encoded version of worm in zip archive)
  • zip6.tmp (base64 encoded version of worm in zip archive)
  • zipped.tmp (worm in zip archive)

Virus removal

The virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.