McAfee > Theat Center > Virus Detail Page

-- Update October 22nd 2004 --

The risk assessment of this threat has been deemed Low-Profiled due to the following media attention:

http://www.zdnet.com.au/news/security/0,2000061744,39163849,00.htm

The worm is referred to as a new Netsky variant within this article. (Upon analysis the worm is not considered to be a member of the W32/Netsky family, though detection as W32/Netsky.ah@MM existed in the beta DATs briefly.)

--

When this worm is run, it does not configure itself to load at system startup.  It does not mail as a ZIP attachment, nor does it use varying message characteristics or spread over network shares.  There are at least 2 such variants that were discovered today, with minor differences between them.  Testing shows the variants to contain bugs, which may prevent them from functioning on many systems.

This mass-mailing virus attempts to send itself to email addresses found on the local system.  The virus is received in an email message as follows:

To: recipients_email_address
From : recipients_email_address
Subject : Mail Delivery failure - recipients_email_address
Body :

Attachment : message txt                                length %random number%  bytes                                                                    mcafee.com

When the attachment is manually executed on a Windows based system, the virus will attempt to drop a downloader trojan component to:

• c:\csrss.exe

The trojan creates the following run key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Key Logger" = c:\csrss.exe

When run, the trojan creates the following file:

• c:\csrss.bin

The virus attempts to harvest email addresses from files containing the following extensions:

• .dbx
• .wab
• .mbx
• .eml
• .mdb
• .tbb
• .dat

Or files containing the following filename:

• inbox

Viral messages are sent to the addresses that are harvested, as mentioned above.

-- Update October 22nd 2004 --

The risk assessment of this threat has been deemed Low-Profiled due to the following media attention:

http://www.zdnet.com.au/news/security/0,2000061744,39163849,00.htm

The worm is referred to as a new Netsky variant within this article. (Upon analysis the worm is not considered to be a member of the W32/Netsky family, though detection as W32/Netsky.ah@MM existed in the beta DATs briefly.)

--

When this worm is run, it does not configure itself to load at system startup.  It does not mail as a ZIP attachment, nor does it use varying message characteristics or spread over network shares.  There are at least 2 such variants that were discovered today, with minor differences between them.  Testing shows the variants to contain bugs, which may prevent them from functioning on many systems.

This mass-mailing virus attempts to send itself to email addresses found on the local system.  The virus is received in an email message as follows:

To: recipients_email_address
From : recipients_email_address
Subject : Mail Delivery failure - recipients_email_address
Body :

Attachment : message txt                                length %random number%  bytes                                                                    mcafee.com

When the attachment is manually executed on a Windows based system, the virus will attempt to drop a downloader trojan component to:

• c:\csrss.exe

The trojan creates the following run key:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Key Logger" = c:\csrss.exe

When run, the trojan creates the following file:

• c:\csrss.bin

The virus attempts to harvest email addresses from files containing the following extensions:

• .dbx
• .wab
• .mbx
• .eml
• .mdb
• .tbb
• .dat

Or files containing the following filename:

• inbox

Viral messages are sent to the addresses that are harvested, as mentioned above.