Win32.Netsky.D@mm( W32/Netsky.d@MM )
SYMPTOMS:
- Presence of the following file in the Windows directory (%WINDIR%): "winlogon.exe"
- Presence of the following entry in the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key: "ICQ Net" = "winlogon.exe -stealth"

TECHNICAL DESCRIPTION:
This variant of the NetSky worm (.D) spreads only via e-mail (in contrast with previous versions, which also spread through some P2P applications), sending itself to e-mail addresses found on the infected computer.

The worm arrives in the following e-mail format:

Subject - randomly chosen from the following strings:
  "Re: Re: Document"
  "Re: Re: Thanks!"
  "Re: Thanks!"
  "Re: Your document"
  "Re: Here is the document"
  "Re: Your picture"
  "Re: Re: Message"
  "Re: Hi"
  "Re: Hello"
  "Re: Re: Re: Your document"
  "Re: Here"
  "Re: Your music"
  "Re: Your software"
  "Re: Approved"
  "Re: Details"
  "Re: Excel file"
  "Re: Word file"
  "Re: My details"
  "Re: Your details"
  "Re: Your bill"
  "Re: Your text"
  "Re: Your archive"
  "Re: Your letter"
  "Re: Your product"
  "Re: Your website"

Body - randomly chosen from the following strings:
  "Your document is attached."
  "Here is the file."
  "See the attached file for details."
  "Please have a look at the attached file."
  "Please read the attached file."
  "Your file is attached."

Attached filename (and extension) - randomly chosen from the following strings:
  "your_document.pif"
  "your_document.pif"
  "document.pif"
  "message_part2.pif"
  "your_document.pif"
  "document_full.pif"
  "your_picture.pif"
  "message_details.pif"
  "your_file.pif"
  "your_picture.pif"
  "document_4351.pif"
  "yours.pif"
  "mp3music.pif"
  "application.pif"
  "all_document.pif"
  "my_details.pif"
  "document_excel.pif"
  "document_word.pif"
  "my_details.pif"
  "your_details.pif"
  "your_bill.pif"
  "your_text.pif"
  "your_archive.pif"
  "your_letter.pif"
  "your_product.pif"
  "your_website.pif"

When the user double-clicks the e-mail attachment, the worm does the following:
- copies itself to the Windows directory (%WINDIR%) as "winlogon.exe";
- adds the following entry to the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key: "ICQ net" = "winlogon.exe -stealth" (so it is executed each time Windows starts up);
- disables some antivirus software and other known worms (such as Win32.Mydoom.A@mm and Win32.Mydoom.B@mm) by deleting the relevant registry keys;
- scans the infected computer for e-mail addresses in files whose extension is one of the following:
  ".eml" ".txt" ".php" ".pl" ".htm" ".html" ".vbs" ".rtf" ".uin" ".asp" ".wab"
  ".doc" ".adb" ".tbb" ".dbx" ".sht" ".oft" ".msg" ".shtm" ".cgi" ".dhtm"
- creates and sends e-mails to these addresses in the format described above;
- on 01 Mar. 2004, between 6:00 and 9:00 am (local time, not GMT), generates sounds of random tones and durations through the computer's speaker.

This variant (.D) uses an improved routine for sending itself through e-mail, allowing it to send itself several times faster than the previous variants (.A - .C).

The worm avoids sending itself to addresses containing at least one of the following strings:
  "icrosoft" "antivi" "ymantec" "spam" "avp" "f-secur" "itdefender" "orman"
  "cafee" "aspersky" "f-pro" "orton" "fbi" "abuse" "messagelabs" "skynet"

Removal instructions: Let Bitdefender delete infected files.

ANALYZED BY: Adrian Gostin, BitDefender Virus Researcher
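The symptoms and the e-mail format above translate directly into detection logic. The following Python module is an added example, not BitDefender's or the analyst's code: it turns the advisory's lure strings, the Run-key persistence value and the misplaced winlogon.exe into three checks that can be run over mail metadata, over exported registry values, and over file paths. All indicator strings are copied from the advisory; the messages, registry entries and paths fed to the functions are constructed sample data, and the default Windows directory `C:\WINDOWS` is an assumed value.

```python
"""Detection helpers for the Win32.Netsky.D@mm indicators listed above.

Added example, not BitDefender's or the analyst's code.  The indicator strings
(subjects, bodies, attachment names, Run-key value) are copied from the
advisory; every message, registry entry and path fed to these functions is
constructed sample data.
"""
import ntpath

# Lure strings from the advisory (exact, case-sensitive as the worm uses them).
SUBJECTS = {
    "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Your document",
    "Re: Here is the document", "Re: Your picture", "Re: Re: Message", "Re: Hi",
    "Re: Hello", "Re: Re: Re: Your document", "Re: Here", "Re: Your music",
    "Re: Your software", "Re: Approved", "Re: Details", "Re: Excel file",
    "Re: Word file", "Re: My details", "Re: Your details", "Re: Your bill",
    "Re: Your text", "Re: Your archive", "Re: Your letter", "Re: Your product",
    "Re: Your website",
}
BODIES = {
    "Your document is attached.", "Here is the file.",
    "See the attached file for details.", "Please have a look at the attached file.",
    "Please read the attached file.", "Your file is attached.",
}
ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif", "document_full.pif",
    "your_picture.pif", "message_details.pif", "your_file.pif", "document_4351.pif",
    "yours.pif", "mp3music.pif", "application.pif", "all_document.pif",
    "my_details.pif", "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif",
}

# Persistence indicator: value under HKLM\...\CurrentVersion\Run.  The advisory
# writes the name as both "ICQ Net" and "ICQ net"; Windows value names are
# case-insensitive, so compare case-folded.
RUN_VALUE_NAME = "icq net"
RUN_VALUE_DATA = "winlogon.exe -stealth"


def lure_indicators(subject, body, attachment):
    """Return the set of lure components that match the advisory's string tables."""
    hits = set()
    if subject.strip() in SUBJECTS:
        hits.add("subject")
    if body.strip() in BODIES:
        hits.add("body")
    if attachment.strip().lower() in ATTACHMENTS:
        hits.add("attachment")
    return hits


def is_netsky_d_lure(subject, body, attachment):
    """Flag a message as a Netsky.D lure.

    The .pif attachment is required (it is the executable payload); to limit
    false positives on ordinary "Re:" replies, at least one further component
    (subject or body text) must also match.
    """
    hits = lure_indicators(subject, body, attachment)
    return "attachment" in hits and len(hits) >= 2


def run_entry_matches(value_name, value_data):
    """True if a Run-key value equals the worm's persistence entry."""
    return (value_name.strip().lower() == RUN_VALUE_NAME
            and value_data.strip().lower() == RUN_VALUE_DATA)


def winlogon_in_windir(path, windir=r"C:\WINDOWS"):
    """True if winlogon.exe sits directly in %WINDIR%.

    The legitimate winlogon.exe lives in %WINDIR%\\System32; a copy in the
    Windows directory itself is the file symptom the advisory describes.
    The windir default is an assumed value; pass os.environ["WINDIR"] on a
    live host.
    """
    head, tail = ntpath.split(path)
    return (ntpath.normcase(tail) == "winlogon.exe"
            and ntpath.normcase(head) == ntpath.normcase(windir))


if __name__ == "__main__":
    # Constructed sample data, not captured traffic or a real registry export.
    sample_mail = ("Re: Your picture", "Please read the attached file.", "your_picture.pif")
    print("lure:", is_netsky_d_lure(*sample_mail))
    print("run key:", run_entry_matches("ICQ Net", "winlogon.exe -stealth"))
    print("file:", winlogon_in_windir(r"C:\WINDOWS\winlogon.exe"))
    print("legit:", winlogon_in_windir(r"C:\WINDOWS\system32\winlogon.exe"))
```

The mail check deliberately requires the .pif attachment plus one more lure component rather than any single string: subjects such as "Re: Hi" occur in legitimate traffic, but a .pif attachment named from the worm's table alongside one of its subjects or bodies is specific enough to quarantine. The registry and path checks are pure functions so they can be applied to exported data from many hosts, not only to the local machine.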