W32/Netsky.z@MM

Type
Virus
SubType
E-mail
Discovery Date
04/21/2004
Length
22,016 bytes (EXE)
approx 22kB (ZIP)
Minimum DAT
4352 (04/21/2004)
Updated DAT
4994 (03/28/2007)
Minimum Engine
5.1.00
Description Added
04/21/2004
Description Modified
04/23/2004 9:13 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update April 23, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci961097,00.html

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • attaches itself within a ZIP archive to emails
  • spoofs the From: address
  • delivers a denial of service payload to certain web sites upon a date condition

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .oft
  • .php
  • .ods
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab
  • .wsh
  • .xls
  • .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: selected from one of the following:

  • Document
  • Hello
  • Hi
  • Important
  • Important bill!
  • Important data!
  • Important details!
  • Important document!
  • Important informations!
  • Important notice!
  • Important textfile!
  • Important!
  • Information
Attachment: ZIP archive with one of the following filenames:

  • Bill.zip
  • Data.zip
  • Details.zip
  • Important.zip
  • Informations.zip
  • Notice.zip
  • Part-2.zip
  • Textfile.zip

The ZIP archive contains the worm. It is not password protected. The filename of the worm within the ZIP is chosen to match the subject and ZIP name:

  • Bill.txt (many spaces) .exe
  • Data.txt (many spaces) .exe
  • Details.txt (many spaces) .exe
  • Important.txt (many spaces) .exe
  • Informations.txt (many spaces) .exe
  • Notice.txt (many spaces) .exe
  • Part-2.txt (many spaces) .exe
  • Textfile.txt (many spaces) .exe
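The padded "name.txt (many spaces) .exe" member name is the most reliable static indicator in the mail propagation described above. The following is an added detection example, not McAfee's code: it opens a ZIP attachment in memory and flags members whose name has that padded double extension, records whether the member is password protected, and checks whether the archive name is one of the eight listed. The sample archive is constructed inline with harmless text; the exact number of padding spaces is not given on the page, so the pattern accepts any run of one or more.

```python
import io
import re
import zipfile

# Archive names listed in the description.
ZIP_NAMES = {"Bill.zip", "Data.zip", "Details.zip", "Important.zip",
             "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip"}

# "<base>.txt" + run of spaces + ".exe": the padding pushes the real extension
# out of view in mail clients that truncate long filenames. Space count is
# an assumption ("many spaces" on the page), so one or more is accepted.
PADDED_EXE = re.compile(r"^(?P<base>[\w-]+)\.txt +\.exe$", re.IGNORECASE)


def inspect_attachment(zip_name: str, data: bytes) -> dict:
    """Return {'matches': bool, 'reasons': [str]} for one ZIP attachment."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"matches": False, "reasons": ["not a ZIP archive"]}
    with zf:
        for info in zf.infolist():
            m = PADDED_EXE.match(info.filename)
            if not m:
                continue
            reasons.append(f"padded double extension: {info.filename!r}")
            # General-purpose bit 0 of the local header marks encryption;
            # Netsky.z archives are described as not password protected.
            if not info.flag_bits & 0x1:
                reasons.append("member is not password protected")
            if zip_name.lower() == f"{m.group('base')}.zip".lower():
                reasons.append("member name matches archive name")
    if zip_name in ZIP_NAMES:
        reasons.append(f"archive name {zip_name!r} is on the Netsky.z list")
    matches = any(r.startswith("padded double extension") for r in reasons)
    return {"matches": matches, "reasons": reasons}


def build_sample(member: str) -> bytes:
    """Constructed benign sample: harmless text stored under a chosen name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, "placeholder text, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("Bill.txt" + " " * 60 + ".exe")
    print(inspect_attachment("Bill.zip", sample))
```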

Denial of Service Payload

Upon a certain date condition, the virus targets the following domains in a denial of service attack (HTTP):

  • www.nibis.de
  • www.medinfo.ufl.edu
  • www.educa.ch

System Changes

The virus installs itself on the victim machine as JAMMER2ND.EXE:

  • %WinDir%\JAMMER2ND.EXE

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Jammer2nd" = %WinDir%\JAMMER2ND.EXE

Copies of the worm in a ZIP archive (some Base64 encoded) are written to the victim machine:

  • PK_ZIPn.LOG

(where n is an integer).

Symptoms

  • Outgoing DNS queries to one of a set of hard-coded IP addresses (external DNS servers used by the worm's SMTP engine).
  • Existence of the files and Registry keys detailed above.

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.