W32/Netsky.y@MM

Type
Virus
SubType
E-mail
Discovery Date
04/20/2004
Length
18,944 bytes
Minimum DAT
4335 (03/08/2004)
Updated DAT
4994 (03/28/2007)
Minimum Engine
5.1.00
Description Added
04/20/2004
Description Modified
04/20/2004 2:00 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This virus is detected with 4335 DATs and higher as a variant of W32/Netsky.  Specific detection will be added to the next DAT update.

This variant of W32/Netsky is very similar to previous variants. It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages
  • delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wsh
  • .wab
  • .xls
  • .xml

Constructed messages bear the following characteristics:

From: This is spoofed (using harvested email addresses)
Subject: Always the following

  • Delivery failure notice (ID-%random 8-digit hex number% )

Body: This is composed of two parts.  The first word is chosen from the following list.

  • New
  • Partial
  • External
  • Delivered

The second part of the message body is always the following.

  • message is available.

Attachment: The attachment arrives as a .COM file. The first part of the filename is constructed as follows

  • www.%domain name%.%user name%.session-%random 8-digit hex number%.com

For example, if the email address in the To: address was user@email.com, the file name might be "www.email.com.user.session-000078E9.com".
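
The subject, body and attachment template above is regular enough to be checked at a mail gateway. The following Python is an added example written for this page (not McAfee's code and not part of the worm): it derives the expected attachment prefix from the To: address exactly as described, checks the session suffix and the fixed subject and body wording, and runs over two constructed sample messages whose addresses, session id and attachment bytes are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject is always "Delivery failure notice (ID-<8 hex digits>)".
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-[0-9A-F]{8}\)$", re.IGNORECASE)
# Body is one word from a fixed list followed by "message is available."
BODY_RE = re.compile(r"^(New|Partial|External|Delivered) message is available\.$")
# Tail of the attachment name after the "www.<domain>.<user>." prefix.
SESSION_SUFFIX_RE = re.compile(r"^session-[0-9A-F]{8}\.com$", re.IGNORECASE)


def expected_attachment_prefix(recipient: str) -> str:
    """Build 'www.<domain>.<user>.' from a To: address, as the advisory describes."""
    _, addr = parseaddr(recipient)
    user, _, domain = addr.lower().partition("@")
    return f"www.{domain}.{user}."


def attachment_matches_template(filename: str, recipient: str) -> bool:
    """True when the name is the recipient-derived prefix plus 'session-<8 hex>.com'."""
    prefix = expected_attachment_prefix(recipient)
    name = filename.strip().lower()
    if not name.startswith(prefix):
        return False
    return SESSION_SUFFIX_RE.match(name[len(prefix):]) is not None


def score_message(raw: str) -> dict:
    """Check one raw RFC 822 message against the three template rules."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    to_header = msg.get("To") or ""
    body_text, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("utf-8", "replace")
    result = {
        "subject": SUBJECT_RE.match(subject) is not None,
        "body": BODY_RE.match(body_text.strip()) is not None,
        "attachment": any(attachment_matches_template(a, to_header) for a in attachments),
    }
    # The fixed subject together with a recipient-derived .COM attachment is specific
    # enough to act on; the short body text on its own is too generic to block by itself.
    result["verdict"] = "netsky.y-like" if result["subject"] and result["attachment"] else "clean"
    return result


# Constructed sample messages (addresses, session id and attachment bytes are made up).
SAMPLE_WORM_MAIL = """\
From: spoofed.sender@example.org
To: user@email.com
Subject: Delivery failure notice (ID-000078E9)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

New message is available.
--sep
Content-Type: application/octet-stream; name="www.email.com.user.session-000078E9.com"
Content-Disposition: attachment; filename="www.email.com.user.session-000078E9.com"
Content-Transfer-Encoding: base64

ZHVtbXk=
--sep--
"""

SAMPLE_CLEAN_MAIL = """\
From: colleague@example.org
To: user@email.com
Subject: Meeting notes
Content-Type: text/plain

Here are the notes from today.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, score_message(raw))
```

Matching the attachment name against the recipient rather than against a free-form regex is the useful part: a domain or user name may itself contain dots, so only the To: address tells the filter where the prefix ends.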

Denial of Service

If the local system date is between April 28th and April 31st, it targets the following remote servers in a denial of service attack:

  • www.educa.ch
  • www.nedinfo.ufl.edu
  • www.nibis.de

As there is no 31st of April, this effectively means the DoS ceases on the 30th.

System Changes

The worm installs itself on the victim machine as FirewallSvr.exe in the Windows directory:

  • %WinDir%\FirewallSvr.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "FirewallSvr" = %WinDir%\FirewallSvr.exe

A base-64 encoded copy of the worm is saved to disk as F***_YOU_BAGLE.TXT (letters omitted, replaced with *) in the Windows directory:

  • %WinDir%\f***_you_bagle.txt

Symptoms

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries to one of the following hard-coded IP addresses

    • 212.44.160.8
    • 195.185.185.195
    • 151.189.13.35
    • 213.191.74.19
    • 193.189.244.205
    • 145.253.2.171
    • 193.141.40.42
    • 194.25.2.134
    • 194.25.2.133
    • 194.25.2.132
    • 194.25.2.131
    • 193.193.158.10
    • 212.7.128.165
    • 212.7.128.162
    • 193.193.144.12
    • 217.5.97.137
    • 195.20.224.234
    • 194.25.2.130
    • 194.25.2.129
    • 212.185.252.136
    • 212.185.253.70
    • 212.185.252.73
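
The indicators in the Denial of Service, System Changes and Symptoms sections above can be checked mechanically. The following Python is an added example for this page (not McAfee's code and not part of the worm): it encodes the hard-coded DNS IPs, the three DoS hosts, the Run-key value and the dropped executable name as lookups, evaluates the April 28th to 30th window, and runs them over constructed sample data. The log-line format, the reg-export text and the file listing are assumptions made for the example; the censored .TXT file name is left out because the page does not give it.

```python
import re
from datetime import date

# Hard-coded IPs the worm sends DNS queries to (from the advisory's Symptoms list).
NETSKY_Y_DNS_IPS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
# Web sites the worm floods inside its date window (from the advisory).
DOS_TARGETS = frozenset({"www.educa.ch", "www.nedinfo.ufl.edu", "www.nibis.de"})
# Autostart value and dropped file named in the System Changes section.
RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"
RUN_VALUE_NAME = "firewallsvr"
DROPPED_EXE = "firewallsvr.exe"

# Assumed (constructed) log format: "<ts> src=<ip> dst=<ip-or-host> dport=<n> proto=<p>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def dos_window_active(day: date) -> bool:
    """The advisory's 'April 28th to April 31st'; April has 30 days, so the window is 28..30."""
    return day.month == 4 and 28 <= day.day <= 30


def scan_network_log(lines):
    """Return (src, indicator, dst) for lines matching the advisory's network indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"].lower(), int(m["dport"])
        if dst in NETSKY_Y_DNS_IPS and dport == 53:
            alerts.append((m["src"], "dns-to-hardcoded-ip", dst))
        elif dst in DOS_TARGETS:
            alerts.append((m["src"], "traffic-to-dos-target", dst))
    return alerts


def scan_run_key(reg_export_text: str):
    """Return the data of any 'FirewallSvr' value under the Run key in reg-export style text."""
    hits, in_run_key = [], False
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line) if in_run_key else None
        if m and m.group(1).lower() == RUN_VALUE_NAME:
            hits.append(m.group(2))
    return hits


def scan_file_listing(paths):
    """Return listed paths whose file name is the worm's dropped executable."""
    return [p for p in paths if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() == DROPPED_EXE]


# Constructed samples; hosts, times and paths are made up for this example.
SAMPLE_NETWORK_LOG = [
    "2004-04-28T09:12:01 src=10.0.0.17 dst=194.25.2.131 dport=53 proto=udp",
    "2004-04-28T09:12:02 src=10.0.0.17 dst=www.nibis.de dport=80 proto=tcp",
    "2004-04-28T09:13:10 src=10.0.0.23 dst=10.0.0.1 dport=53 proto=udp",
]
SAMPLE_REG_EXPORT = """\
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"FirewallSvr"="C:\\\\WINDOWS\\\\FirewallSvr.exe"
"BenignUpdater"="C:\\\\Program Files\\\\Benign\\\\updater.exe"
"""
SAMPLE_FILES = [r"C:\WINDOWS\FirewallSvr.exe", r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    print("DoS window on 2004-04-30:", dos_window_active(date(2004, 4, 30)))
    print("network alerts:", scan_network_log(SAMPLE_NETWORK_LOG))
    print("run-key hits:", scan_run_key(SAMPLE_REG_EXPORT))
    print("dropped files:", scan_file_listing(SAMPLE_FILES))
```

The DNS rule is keyed on destination port 53 as well as the address, since the advisory describes DNS queries specifically; the DoS rule matches any port, because the page does not say which service the flood targets.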

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
