W32/Netsky.aa@MM

Type: Virus
SubType: Email Worm
Discovery Date: 04/26/2004
Length: 17,408 Bytes
Minimum DAT: 4354 (04/28/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/26/2004
Description Modified: 04/26/2004 4:56 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • email arrives with a PIF extension attachment
  • spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .oft
  • .php
  • .ods
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab
  • .wsh
  • .xls
  • .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)

  • Re: Advice
  • Re: Application
  • Re: Approved
  • Re: Bill
  • Re: Cheaper
  • Re: Contacts
  • Re: Demo
  • Re: Details
  • Re: Document
  • Re: e-Books
  • Re: Error
  • Re: Fax number
  • Re: Final
  • Re: Hello
  • Re: Hi
  • Re: Information
  • Re: Job
  • Re: Letter
  • Re: List
  • Re: Missed
  • Re: Movie
  • Re: Music
  • Re: Paint file
  • Re: Patch
  • Re: Photos
  • Re: Poster
  • Re: Presentation
  • Re: Pricelist
  • Re: Private
  • Re: Product
  • Re: Step by Step
  • Re: Summary
  • Re: Tel. Numbers
  • Re: Text
  • Re: Text file
  • Re: Thank you!
  • Re: War
  • Re: Website

Body: (selected from one of the following)

  • For furher details see the attached file.
  • Here is the file.
  • Please have a look at the attached file.
  • Please read the attached file.
  • Please take the attached file.
  • Please view the attached file.
  • See the attached file for details.
  • Your document is attached.
  • Your file is attached.

Attachment: (PIF extensions with one of the following filenames)

  • My_Advice.pif
  • My_Fax_Numbers.pif
  • My_Telephone_Numbers.pif
  • Osam_Bin_Laden_Articel_42.pif
  • Your_Bill.pif
  • Your_Contacts.pif
  • Your_Demo.pif
  • Your_Description.pif
  • Your_Details.pif
  • Your_Digicam_Pictures.pif
  • Your_Document.pif
  • Your_Document_Part3.pif
  • Your_E-Books.pif
  • Your_Error.pif
  • Your_Excel_Document.pif
  • Your_Final_Document.pif
  • Your_Information.pif
  • Your_Job.pif
  • Your_Letter.pif
  • Your_List.pif
  • Your_Movie.pif
  • Your_Music.pif
  • Your_Paint_File.pif
  • Your_Patch.pif
  • Your_Pics.pif
  • Your_Poster.pif
  • Your_Presentation.pif
  • Your_Pricelist.pif
  • Your_Private_Document.pif
  • Your_Product.pif
  • Your_Product_List.pif
  • Your_Software.pif
  • Your_Summary.pif
  • Your_Text.pif
  • Your_Text_File.pif
  • Your_Website.pif
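A mail-gateway triage check for the message characteristics above, added here as an example; it is not McAfee's code and not part of the original description. It transcribes the subject, body and attachment lists into sets, parses a message with Python's standard `email` package and scores it. The message it checks is constructed (example.com/example.org addresses), and the function names `triage` and `build_sample` are the example's own.

```python
"""Mail-gateway triage for the Netsky.aa lure characteristics.

Added example, not McAfee's code: builds a constructed message with the
standard 'email' package and scores it against the subject, body and
attachment indicators from the description.  Function names are hypothetical.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject list transcribed from the description (every subject begins "Re: ").
SUBJECTS = {"Re: " + s for s in (
    "Advice|Application|Approved|Bill|Cheaper|Contacts|Demo|Details|Document|"
    "e-Books|Error|Fax number|Final|Hello|Hi|Information|Job|Letter|List|Missed|"
    "Movie|Music|Paint file|Patch|Photos|Poster|Presentation|Pricelist|Private|"
    "Product|Step by Step|Summary|Tel. Numbers|Text|Text file|Thank you!|War|Website"
).split("|")}

BODIES = {
    "For furher details see the attached file.",  # the typo is the worm's own
    "Here is the file.",
    "Please have a look at the attached file.",
    "Please read the attached file.",
    "Please take the attached file.",
    "Please view the attached file.",
    "See the attached file for details.",
    "Your document is attached.",
    "Your file is attached.",
}

# Attachment names from the description; compared case-insensitively.
ATTACHMENTS = {n.lower() + ".pif" for n in (
    "My_Advice My_Fax_Numbers My_Telephone_Numbers Osam_Bin_Laden_Articel_42 "
    "Your_Bill Your_Contacts Your_Demo Your_Description Your_Details "
    "Your_Digicam_Pictures Your_Document Your_Document_Part3 Your_E-Books "
    "Your_Error Your_Excel_Document Your_Final_Document Your_Information Your_Job "
    "Your_Letter Your_List Your_Movie Your_Music Your_Paint_File Your_Patch "
    "Your_Pics Your_Poster Your_Presentation Your_Pricelist Your_Private_Document "
    "Your_Product Your_Product_List Your_Software Your_Summary Your_Text "
    "Your_Text_File Your_Website"
).split()}


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message against the lure indicators (0..3).

    The From: header is deliberately ignored: the worm fills it with a
    harvested address, so it names another victim's contact, not the sender.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits["subject"] = subject
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in ATTACHMENTS:
            hits["attachment"] = name
        elif name.lower().endswith(".pif"):
            hits["other_pif"] = name   # any .pif attachment is worth a look
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in BODIES:
        hits["body"] = text
    hits["score"] = sum(k in hits for k in ("subject", "attachment", "body"))
    return hits


def build_sample(lure: bool) -> bytes:
    """Constructed test messages (example.com addresses); not real captures."""
    msg = EmailMessage()
    msg["From"] = "harvested.contact@example.com"   # spoofed, as the worm does
    msg["To"] = "recipient@example.org"
    if lure:
        msg["Subject"] = "Re: Document"
        msg.set_content("Your document is attached.")
        msg.add_attachment(b"not-a-real-binary", maintype="application",
                           subtype="octet-stream", filename="Your_Document.pif")
    else:
        msg["Subject"] = "Re: Meeting notes"
        msg.set_content("See you at ten.")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        print(triage(build_sample(lure)))
```

The From: header is left out of the score on purpose: the description says it is spoofed from harvested addresses, so it points at someone in an infected user's address book rather than at the infected host.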

System Changes

When executed, the following fake error box appears:

Error Out of system memory

The virus installs itself on the victim machine as WINLOGON.SCR:

  • %WinDir%\WINLOGON.SCR

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Skynetsrevenge" = %WinDir%\WINLOGON.SCR

Symptoms

  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16
  • Existence of the files and Registry keys detailed above
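The host and network symptoms above, as an added detection example that is not McAfee's code: the hard-coded addresses are matched against constructed firewall-style log lines, and a constructed .reg export is checked for the Run value. The log format, the 10.0.0.2 internal resolver and the function names `dns_hits` and `run_key_findings` are assumptions of the example.

```python
"""Host and network checks for the Symptoms section.

Added example, not McAfee's code.  The log lines and the .reg fragment are
constructed for the example; the addresses and the Run value come from the
description above.  Function names are hypothetical.
"""
import re

# The 23 hard-coded addresses listed under Symptoms.
NETSKY_AA_DNS_TARGETS = set(
    "145.253.2.171 151.189.13.35 193.141.40.42 193.189.244.205 193.193.144.12 "
    "193.193.158.10 194.25.2.129 194.25.2.130 194.25.2.131 194.25.2.132 "
    "194.25.2.133 194.25.2.134 195.185.185.195 195.20.224.234 212.185.252.136 "
    "212.185.252.73 212.185.253.70 212.44.160.8 212.7.128.162 212.7.128.165 "
    "213.191.74.19 217.5.97.137 62.155.255.16".split()
)

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed firewall log (key=value style, assumed format); not a capture.
SAMPLE_LOG = """\
2004-04-26T09:12:03 fw1 ACCEPT src=10.0.0.17 dst=10.0.0.2 proto=udp dport=53
2004-04-26T09:12:05 fw1 ACCEPT src=10.0.0.17 dst=194.25.2.129 proto=udp dport=53
2004-04-26T09:12:06 fw1 ACCEPT src=10.0.0.17 dst=212.185.252.73 proto=udp dport=53
2004-04-26T09:12:09 fw1 ACCEPT src=10.0.0.23 dst=203.0.113.10 proto=tcp dport=80
"""

# Constructed .reg fragment mirroring the key described under System Changes.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Skynetsrevenge"="C:\\WINDOWS\\WINLOGON.SCR"
"SomeUpdater"="C:\\Program Files\\Vendor\\upd.exe"
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) proto=udp dport=53"
)


def dns_hits(log_text: str) -> list:
    """Return (timestamp, src, dst) for UDP/53 flows to a listed address.

    A hit on its own is suggestive rather than conclusive; the question to
    ask is why a host that should use the site's own resolver (10.0.0.2 in
    the constructed log) is talking to a hard-coded external one directly.
    """
    out = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m["dst"] in NETSKY_AA_DNS_TARGETS:
            out.append((m["ts"], m["src"], m["dst"]))
    return out


def run_key_findings(reg_text: str) -> list:
    """Scan a .reg export for the Run value the worm adds.

    Flags a value named Skynetsrevenge, or any Run value whose data ends in
    WINLOGON.SCR in case the value name differs between variants.
    """
    findings, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"(?P<name>[^"]+)"="(?P<value>.*)"$', line)
        if not (in_run and m):
            continue
        # .reg files escape backslashes as "\\"; undo that before matching.
        name, value = m["name"], m["value"].replace("\\\\", "\\")
        if name.lower() == "skynetsrevenge" or value.lower().endswith("winlogon.scr"):
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    print(dns_hits(SAMPLE_LOG))
    print(run_key_findings(SAMPLE_REG))
```

On a live host the same Run-key check can be done by exporting the key with reg.exe and feeding the file to `run_key_findings`; the %WinDir%\WINLOGON.SCR path itself is checked simply by expanding %WinDir% and testing for the file.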

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
