Win32.Netsky.X@mm

MEDIUM
LOW
24,064 bytes (UPX)

Symptoms

The worm comes as an attachment in an email. When executed, it copies itself to:
  • %WINDIR%\VisualGuard.exe

and adds the following registry entry to ensure it will be executed at every Windows startup:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NetDy = %WINDIR%\VisualGuard.exe


To ensure that only one copy of the worm runs on the system, it creates a mutex with the following name:

  • NetDy_Mutex_Psycho


It also creates the following files:

  • %WINDIR%\base64.tmp - MIME-encoded copy of the executable
  • %WINDIR%\zip[1-6].tmp - six different MIME-encoded ZIP archives containing the worm (only the name of the archived executable differs)
  • %WINDIR%\zipped.tmp - ZIP archive containing the worm's executable; this file is used when generating the six files mentioned above.
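The persistence entry and the dropped files above are the artifacts a responder can check for on a suspect host. The following Python script is an added example, not Bitdefender's code: it parses a constructed fragment of a `reg export` of the Run key and a constructed directory listing of %WINDIR% (both sample data written for this example), and reports entries that match the value name, executable path and temporary files named in the description. Only the key path, the value name "NetDy" and the file names come from the page.

```python
import re
from typing import Dict, List

# Constructed sample data (not taken from the page): a fragment of a
# "reg export" of the Run key and a directory listing of %WINDIR% on a
# hypothetical infected host. Only the key path, the value name and the
# file names come from the write-up above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"NetDy"="C:\\WINDOWS\\VisualGuard.exe"
"""

SAMPLE_WINDIR_LISTING = [
    "explorer.exe", "notepad.exe", "win.ini", "VisualGuard.exe",
    "base64.tmp", "zipped.tmp", "zip1.tmp", "zip2.tmp", "zip3.tmp",
    "zip4.tmp", "zip5.tmp", "zip6.tmp",
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# File names the write-up lists as dropped into %WINDIR%.
DROPPED_FILE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^VisualGuard\.exe$", r"^base64\.tmp$",
              r"^zipped\.tmp$", r"^zip[1-6]\.tmp$")
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg export: key -> {name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    value_re = re.compile(r'^"([^"]+)"="(.*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = value_re.match(line)
            if m:
                # .reg exports escape backslashes as "\\"; undo that.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_netsky_persistence(reg_export: str) -> List[str]:
    """Return Run-key entries matching the worm's autostart value,
    formatted as "name=data"."""
    hits: List[str] = []
    for name, data in parse_reg_export(reg_export).get(RUN_KEY, {}).items():
        if name.lower() == "netdy" or data.lower().endswith(r"\visualguard.exe"):
            hits.append(f"{name}={data}")
    return hits


def find_dropped_files(listing: List[str]) -> List[str]:
    """Return the names in a %WINDIR% listing that match the dropped files."""
    return sorted(f for f in listing
                  if any(p.match(f) for p in DROPPED_FILE_PATTERNS))


if __name__ == "__main__":
    for hit in find_netsky_persistence(SAMPLE_REG_EXPORT):
        print("autostart value:", hit)
    for name in find_dropped_files(SAMPLE_WINDIR_LISTING):
        print("dropped file:", name)
```

On a live Windows host the same checks would read the Run key through `winreg` and list `%WINDIR%` with `os.listdir`; the parser is kept separate so the script can also be run over exports collected from other machines. The value-name match and the path match are both kept because a variant could change one without the other.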

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Raul TOSA, virus researcher

Technical Description:

The worm parses all files with the following extensions to gather email addresses:
  • .pl
  • .htm
  • .html
  • .eml
  • .txt
  • .php
  • .asp
  • .wab
  • .doc
  • .vbs
  • .rtf
  • .uin
  • .shtm
  • .cgi
  • .dhtm
  • .adb
  • .tbb
  • .dbx
  • .sht
  • .oft
  • .msg
  • .jsp
  • .wsh
  • .xml

The emails sent to the gathered addresses have the following form:

SENDER:
  • one of the gathered email addresses (the spoofed sender is drawn from the same harvested list)
or
  • chris_sexana@aol.com

SUBJECT:
Composed from the following groups:
  • Re:
  • Re: Re:
  • your
  • my
  • approved
  • important
  • document
  • file
  • details
  • information
  • letter
  • product
  • website
  • application
  • screensaver
  • bill
  • word document
  • excel document
  • data
  • message
  • text
  • document_all
  • here
  • hi
  • hello
  • thanks!
  • corrected
  • patched
  • improved
  • important
  • read it imediately

Some of the above groups may be blank.

BODY:

One of the following:
  • Please see the attached file for details.
  • Please read the attached file.
  • Your document is attached.
  • Please read the document.
  • Your file is attached.
  • Please confirm the document.
  • Please read the important document.
  • See the file.
  • Requested file.
  • Authentication required.
  • Your document is attached to this mail.
  • I have attached your document.
  • I have received your document. The corrected document is attached.
  • Your document.
  • Your details.


ATTACHMENT:

A name chosen from the following:
  • document
  • file
  • details
  • information
  • letter
  • product
  • website
  • application
  • screensaver
  • bill
  • word document
  • excel document
  • data
  • message
  • text
  • document_all
And an extension:
  • .SCR
  • .EXE
  • .PIF
  • .ZIP
When the ZIP extension is used, the archived executable may have one of the following names:
  • "your_details.doc .exe"
  • "document.htm .scr"
  • "doc.txt .exe"
  • "doc.pif"
  • "your_details.scr"
  • "document.exe"
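The attachment names above combine an executable extension (.SCR, .EXE, .PIF), ZIP wrapping, and archived file names such as "your_details.doc .exe" in which a harmless-looking extension is followed by whitespace and the real one. The following Python mail check is an added example, not part of Bitdefender's description: it parses a message with the standard `email` module, inspects every attachment name, opens ZIP attachments in memory to check member names without extracting anything, and flags both plain executable attachments and padded double extensions. The sample message it scans is constructed for the demo; the archive holds a placeholder string, not an executable.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

EXECUTABLE_EXTS = (".exe", ".scr", ".pif")

# A benign-looking extension, whitespace padding, then the real executable
# extension, e.g. "your_details.doc     .exe".
PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,4}\s+\.(exe|scr|pif)$", re.IGNORECASE)


def inspect_attachment(filename: str, payload: bytes) -> List[str]:
    """Return findings for one attachment; ZIP archives are opened and their
    member names checked with the same rules."""
    findings: List[str] = []
    lower = filename.lower()
    if PADDED_DOUBLE_EXT.search(lower):
        findings.append(f"padded double extension: {filename!r}")
    elif lower.endswith(EXECUTABLE_EXTS):
        findings.append(f"executable attachment: {filename!r}")
    if lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    # Members are checked by name only; nothing is extracted.
                    for f in inspect_attachment(member, b""):
                        findings.append(f"inside {filename!r}: {f}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip attachment: {filename!r}")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Parse an RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed lookalike of the worm's mail, assembled here for the demo;
    the archive member is a placeholder string, not an executable."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("your_details.doc                    .exe", b"placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Checking by name is deliberately cheap: the ZIP is only listed, never extracted, so a gateway can apply this before any content scanning. The padded-extension rule is reported separately from the plain executable rule because the padding is a social-engineering signal in its own right, even when the final extension is one the policy would block anyway.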



The worm uses its own SMTP engine to spread itself.

It will also try to delete the following values from the registry keys

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  • "ssate.exe"
  • "srate.exe"
  • "sysmon.exe"
  • "Taskmon"
  • "rate.exe"
  • "gouday.exe"
  • "Sentry.exe"
  • "OLE"
  • "d3dupdate.exe"
  • "DELETE ME"
  • "service"
  • "au.exe"
  • "msgsvr32"
  • "system."
  • "Explorer"

and any other keys contained in:

[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]