
Win32.Netsky.D@mm

HIGH
LOW
17424 bytes (packed)
(Email-Worm.Win32.NetSky.d, Win32/Netsky.D@mm, Win32.HLLM.Netsky, W32.Netsky.D@mm)

Symptoms

  • Existence of a file winlogon.exe in the Windows directory (usually c:\windows) with a size of 17424 bytes. (Warning! The winlogon.exe in the system directory - usually c:\windows\system32 - is part of the operating system! Deleting it can leave the computer unable to boot!)
  • Existence of a value named "ICQ Net" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the data "%Windows%\winlogon.exe -stealth", where %Windows% is the Windows installation directory (usually c:\Windows).
  • An intermittent beeping sound emitted by the computer if the date is March 2, 2004 and the time is between 6:00 AM and 9:00 AM.
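The two file-system and registry symptoms above can be checked offline from data exported off a suspect machine. The following is an added example, not Bitdefender's or the analyst's code: it parses the output of `reg export` for the Run key and a (path, size) listing of the Windows directory, and only flags a winlogon.exe at the top of %Windows%, never the legitimate one in system32. The registry text and directory listing at the bottom are constructed sample data.

```python
"""Host-side check for the Win32.Netsky.D@mm indicators listed above.

Works on exported data (a `reg export` of the Run key plus a directory
listing), so it runs offline and never touches the live registry.
"""
import re

WORM_SIZE = 17424                     # packed size given in the description
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ICQ Net"
RUN_DATA_RE = re.compile(r"winlogon\.exe\s+-stealth\s*$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits for string
    values: [key] headers followed by "name"="data" lines.
    Returns {key: {name: data}}. Value names containing '=' are not handled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, sep, data = line.partition("=")
            if sep:
                # .reg files double every backslash inside quoted data
                data = data.strip().strip('"').replace("\\\\", "\\")
                keys[current][name.strip('"')] = data
    return keys


def check_run_value(reg):
    """Return the suspicious Run entry, or None. Requires both the value name
    the worm uses and the '-stealth' argument it passes to its copy."""
    data = reg.get(RUN_KEY, {}).get(RUN_VALUE)
    if data and RUN_DATA_RE.search(data):
        return {"key": RUN_KEY, "name": RUN_VALUE, "data": data}
    return None


def check_winlogon_copy(listing, windows_dir="C:\\WINDOWS"):
    """listing: iterable of (path, size_in_bytes). Flags winlogon.exe whose
    parent is exactly %Windows% (the drop location); the OS's own
    winlogon.exe lives in %Windows%\\system32 and is deliberately ignored."""
    hits = []
    for path, size in listing:
        parent, _, name = path.rpartition("\\")
        if name.lower() == "winlogon.exe" and parent.lower() == windows_dir.lower():
            hits.append({"path": path, "size": size,
                         "size_matches": size == WORM_SIZE})
    return hits


def scan(reg_text, listing):
    """Combine both checks into a list of (indicator, detail) findings."""
    findings = []
    run = check_run_value(parse_reg_export(reg_text))
    if run:
        findings.append(("run_value", run))
    for hit in check_winlogon_copy(listing):
        findings.append(("winlogon_copy", hit))
    return findings


# Constructed sample data, not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''

SAMPLE_LISTING = [
    ("C:\\WINDOWS\\winlogon.exe", 17424),             # worm copy
    ("C:\\WINDOWS\\system32\\winlogon.exe", 507904),  # legitimate OS file (size constructed)
    ("C:\\WINDOWS\\explorer.exe", 1032192),
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_REG, SAMPLE_LISTING):
        print(kind, detail)
```

A size mismatch on the dropped file is reported rather than suppressed: a differently packed variant would change the size but not the drop location or the Run value, so the location and registry hits carry the weight.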

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Attila Balazs, virus researcher

Technical Description:

The malware is packed with the PEtite packer. It uses a mutex named "[SkyNet.cz]SystemMutex" to ensure that only a single instance of it is running. It copies itself into the Windows directory (usually c:\windows) under the name winlogon.exe and creates a string value named "ICQ Net" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the contents "%Windows%\winlogon.exe -stealth", where %Windows% is the Windows directory. This ensures that it is run when Windows starts.

The malware searches all available drives (A through Z) that are not of CD-ROM type (this includes floppy drives, USB drives and network shares mapped to drive letters) for files with the following extensions:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .msg
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

for e-mail addresses. Addresses which contain any of the following strings as part of them are not collected (presumably to thwart the detection and investigation of this malware):

  • skynet
  • messagelabs
  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • spam
  • ymantec
  • antivi
  • icrosoft

When an Internet connection is detected, it tries to send itself to the collected e-mail addresses. For this purpose it uses its built-in SMTP engine and the system default DNS server to look up the MX records of the target domains. If it fails to obtain the MX records from the system default DNS server, it tries the following alternate DNS servers:

  • 212.44.160.8
  • 195.185.185.195
  • 151.189.13.35
  • 213.191.74.19
  • 193.189.244.205
  • 145.253.2.171
  • 193.141.40.42
  • 194.25.2.134
  • 194.25.2.133
  • 194.25.2.132
  • 194.25.2.131
  • 193.193.158.10
  • 212.7.128.165
  • 212.7.128.162
  • 193.193.144.12
  • 217.5.97.137
  • 195.20.224.234
  • 194.25.2.130
  • 194.25.2.129
  • 212.185.252.136
  • 212.185.253.70
  • 212.185.252.73
  • 62.155.255.16
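Because the worm falls back to hard-coded public resolvers, an infected workstation sends DNS traffic straight to external addresses instead of through the corporate resolver, which a perimeter log shows plainly. The following detection is an added example, not Bitdefender's code: it scans firewall log lines (the format below is invented for the example) for port-53 traffic to any resolver outside the approved set and marks those that are on the fallback list above. The log lines at the bottom are constructed.

```python
"""Egress-DNS detection for the hard-coded resolver fallback described above."""
import re
from collections import Counter

# Alternate DNS servers from the description (used as a reference set only).
FALLBACK_DNS = {
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73", "62.155.255.16",
}

# Assumed log layout: "<ts> proto=udp src=A.B.C.D:port dst=E.F.G.H:port action=..."
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def find_rogue_dns(lines, approved_resolvers):
    """Return one finding per port-53 flow whose destination is not an
    approved internal resolver. 'netsky_fallback' is True when the
    destination is one of the worm's hard-coded servers."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dport"] != "53":
            continue
        dst = m["dst"]
        if dst in approved_resolvers:
            continue
        findings.append({"src": m["src"], "dst": dst, "proto": m["proto"],
                         "netsky_fallback": dst in FALLBACK_DNS})
    return findings


def hosts_hitting_fallback(findings):
    """Count, per source host, the flows that went to a fallback resolver;
    repeated hits from one host are the candidate infection."""
    return Counter(f["src"] for f in findings if f["netsky_fallback"])


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2004-03-01T08:12:03Z proto=udp src=10.0.0.15:4123 dst=10.0.0.2:53 action=allow",
    "2004-03-01T08:12:04Z proto=udp src=10.0.0.15:4124 dst=212.44.160.8:53 action=allow",
    "2004-03-01T08:12:05Z proto=udp src=10.0.0.15:4125 dst=195.185.185.195:53 action=allow",
    "2004-03-01T08:12:06Z proto=udp src=10.0.0.20:5001 dst=8.8.8.8:53 action=allow",
    "2004-03-01T08:12:07Z proto=tcp src=10.0.0.20:5002 dst=93.184.216.34:443 action=allow",
]
APPROVED = {"10.0.0.2"}

if __name__ == "__main__":
    hits = find_rogue_dns(SAMPLE_LOG, APPROVED)
    for h in hits:
        print(h)
    print(hosts_hitting_fallback(hits))
```

The generic rule (port 53 to anything but the internal resolvers) is the durable one; the fallback-list match only raises the priority of a host that is already violating it.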

The sent e-mail will have in the subject field one of the following strings:

  • Re: Your website
  • Re: Your product
  • Re: Your letter
  • Re: Your archive
  • Re: Your text
  • Re: Your bill
  • Re: Your details
  • Re: My details
  • Re: Word file
  • Re: Excel file
  • Re: Details
  • Re: Approved
  • Re: Your software
  • Re: Your music
  • Re: Here
  • Re: Re: Re: Your document
  • Re: Hello
  • Re: Hi
  • Re: Re: Message
  • Re: Your picture
  • Re: Here is the document
  • Re: Your document
  • Re: Thanks!
  • Re: Re: Thanks!
  • Re: Re: Document
  • Re: Document

And it will contain an attachment (consisting of a copy of the virus) with one of the following possible names:

  • your_website.pif
  • your_product.pif
  • your_letter.pif
  • your_archive.pif
  • your_text.pif
  • your_bill.pif
  • your_details.pif
  • document_word.pif
  • document_excel.pif
  • my_details.pif
  • all_document.pif
  • application.pif
  • mp3music.pif
  • yours.pif
  • document_4351.pif
  • your_file.pif
  • message_details.pif
  • your_picture.pif
  • document_full.pif
  • message_part2.pif
  • document.pif
  • your_document.pif
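The subject and attachment-name lists above are exactly what a mail gateway can match on. The following classifier is an added example, not Bitdefender's code: it parses a raw RFC 822 message with Python's standard `email` package, treats any .pif attachment as grounds for quarantine, and reports the lure subject and the listed attachment names as separate reasons. The messages it is run on are constructed with a small builder at the bottom.

```python
"""Mail-gateway classification for the Win32.Netsky.D@mm lure."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SUBJECTS = {s.lower() for s in (
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
)}

ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif",
    "message_part2.pif", "document.pif", "your_document.pif",
}


def classify(raw_bytes):
    """Return (verdict, reasons). Verdicts: 'quarantine' when any attachment
    is a .pif (listed name or not), 'flag' when only the subject matches,
    'clean' otherwise."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = (msg["subject"] or "").strip().lower()
    reasons = []
    if subject in SUBJECTS:
        reasons.append("subject:netsky_lure")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if lower in ATTACHMENTS:
            reasons.append(f"attachment:netsky_name:{name}")
        elif lower.endswith(".pif"):
            reasons.append(f"attachment:pif_extension:{name}")
    if any(r.startswith("attachment:") for r in reasons):
        return "quarantine", reasons
    return ("flag" if reasons else "clean"), reasons


def build_sample(subject, attachment_name):
    """Construct a test message (sample only; the attachment body is inert)."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    m.add_attachment(b"not-a-real-executable", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, att in [("Re: Your document", "your_document.pif"),
                      ("Re: Hello", "notes.txt"),
                      ("Quarterly report", "report.pdf")]:
        print(subj, att, "->", classify(build_sample(subj, att)))
```

Matching is case-insensitive on both subject and file name; the subject-only match is kept at "flag" because "Re: Hello" and "Re: Hi" also occur in legitimate mail, whereas a .pif attachment has no business reason to traverse a gateway.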

It tries to delete the following registry keys related to other malware in an attempt to prevent them from running:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OLE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\service
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32