W32.NetSky.D@mm

LOW
LOW
approx. 17 KB
(W32.NetSky.D@mm)

Symptoms

 - a program named "ICQ Net" in Windows Task Manager
 - high network activity
 - high disk activity

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel RADU, virus researcher

Technical Description:

W32.Netsky.D@mm is a mass-mailing worm that sends itself to email addresses it gathers from infected computers.

Actions performed by this malware when run:
 - copies itself into the Windows directory under the name "winlogon.exe" and adds itself to startup using the registry value:
     * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ICQ Net" = "%Windir%\winlogon.exe -stealth"

 - removes the following entries so that they no longer load at startup:
     * TaskMon
     * Explorer
     * KasperskyAv
     * msgsvr32
     * au.exe
     * d3dupdate.exe
     * Windows Services Host
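The Run-key entry above is the most direct host indicator in this description. The following script is an added example (not Bitdefender's code) that checks a list of Run-key values for it; the sample entries are constructed, the expansion of %Windir% to C:\WINDOWS is an assumption, and the optional `read_live_run_key` helper only works on a Windows host with the `winreg` module.

```python
"""Check Windows Run-key values for the W32.Netsky.D@mm persistence entry.

Added example, not Bitdefender's code. It works on (value_name, command)
pairs so it can run on constructed data anywhere, or be fed from the live
Run key on a Windows host through the optional reader below.
"""
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicator from the advisory: value "ICQ Net" = "%Windir%\winlogon.exe -stealth".
NETSKY_VALUE_NAME = "icq net"
# Any winlogon.exe launched from the Run key is suspect: the genuine one
# lives in %SystemRoot%\System32 and is started by the system, never via Run.
WINLOGON_RE = re.compile(r"winlogon\.exe", re.IGNORECASE)


def netsky_run_hits(entries):
    """Return the (value_name, command) pairs that match the worm's Run entry.

    `entries` is an iterable of (value_name, command) tuples. A hit is either
    the value name "ICQ Net" (case-insensitive) or a command that launches
    winlogon.exe from anywhere.
    """
    hits = []
    for name, command in entries:
        named_like_worm = name.strip().lower() == NETSKY_VALUE_NAME
        runs_winlogon = bool(WINLOGON_RE.search(command))
        if named_like_worm or runs_winlogon:
            hits.append((name, command))
    return hits


def read_live_run_key():
    """Read HKLM Run values on Windows; returns [] elsewhere (no winreg)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample: one ordinary entry and the worm's entry with %Windir%
# expanded to C:\WINDOWS (assumed; a typical value on the systems it targeted).
SAMPLE_ENTRIES = [
    ("SoundTray", r"C:\Program Files\Audio\tray.exe /startup"),
    ("ICQ Net", r"C:\WINDOWS\winlogon.exe -stealth"),
]

if __name__ == "__main__":
    entries = read_live_run_key() or SAMPLE_ENTRIES
    for name, command in netsky_run_hits(entries):
        print(f"suspect Run value {name!r} -> {command}")
```

Matching on any winlogon.exe under Run, rather than only on the exact "ICQ Net" name, is a deliberate choice: the value name is trivial to change, whereas a system binary's name appearing in a user-writable startup location is a durable anomaly.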

 - starts a thread that scans all non-CD-ROM drives of the computer for files with the following extensions:
    * eml
    * txt
    * php
    * pl
    * htm
    * html
    * vbs
    * rtf
    * uin
    * asp
    * wab
    * doc
    * adb
    * tbb
    * dbx
    * sht
    * oft
    * msg
    * shtm
    * cgi
    * dhtm

Each file found is scanned for email addresses, which are saved unless they contain one of the following strings:
    * icrosoft
    * antivi
    * ymantec
    * spam
    * avp
    * f-secur
    * itdefender
    * orman
    * cafee
    * aspersky
    * f-pro
    * orton
    * fbi
    * abuse
    * messagelabs
    * skynet
 
 - starts the payload thread: if the system date is 02.03.2004 and the clock reads 0600, 0700 or 0800, it generates beeps of random length from the PC speaker

 - starts a thread that sends the worm to the collected addresses, using subject lines such as:

    * Re: Your website
    * Re: Your product
    * Re: Your letter
    * Re: Your archive
    * Re: Your text
    * Re: Your bill
    * Re: Your details
    * Re: My details
    * Re: Word file
    * Re: Excel file
    * Re: Details
    * Re: Approved
    * Re: Your software
    * Re: Your music
    * Re: Here
    * Re: Re: Re: Your document
    * Re: Hello
    * Re: Hi
    * Re: Re: Message
    * Re: Your picture
    * Re: Here is the document
    * Re: Your document
    * Re: Thanks!
    * Re: Re: Thanks!
    * Re: Re: Document
    * Re: Document

and a message body such as:

    * Your file is attached.
    * Please read the attached file.
    * Please have a look at the attached file.
    * See the attached file for details.
    * Here is the file.
    * Your document is attached.

The attachment has one of the following names:
    * your_website.pif
    * your_product.pif
    * your_letter.pif
    * your_archive.pif
    * your_text.pif
    * your_bill.pif
    * your_details.pif
    * document_word.pif
    * document_excel.pif
    * my_details.pif
    * all_document.pif
    * application.pif
    * mp3music.pif
    * yours.pif
    * document_4351.pif
    * your_file.pif
    * message_details.pif
    * your_picture.pif
    * document_full.pif
    * message_part2.pif
    * document.pif
    * your_document.pif

 - mails are sent using the worm's own self-made SMTP engine
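Because the subject lines, bodies and attachment names above are drawn from fixed lists, a mail gateway can match on them directly. The script below is an added example (not Bitdefender's code) that parses a raw message and reports which parts of the template match; the sample messages are constructed with Python's email library, and requiring an attachment-name match plus a subject or body match for a verdict is this example's own tuning, not something the description states.

```python
"""Match mail against the W32.Netsky.D@mm template from the advisory.

Added example, not Bitdefender's code. The messages are constructed here
so the scan runs offline.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines, bodies and attachment names listed in the advisory.
SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
BODIES = {
    "Your file is attached.", "Please read the attached file.",
    "Please have a look at the attached file.", "See the attached file for details.",
    "Here is the file.", "Your document is attached.",
}
ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif",
    "message_part2.pif", "document.pif", "your_document.pif",
}
_SUBJECTS_LC = {s.lower() for s in SUBJECTS}
_BODIES_LC = {b.lower() for b in BODIES}


def scan_message(raw):
    """Parse a raw RFC 5322 message and report which template parts match.

    Returns a dict with three boolean matches and a 'verdict' that is True
    when a listed .pif attachment is present together with a listed subject
    or body. Comparisons are case-insensitive and ignore surrounding space.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]

    subject_hit = subject in _SUBJECTS_LC
    body_hit = body in _BODIES_LC
    attachment_hit = any(n in ATTACHMENTS for n in names)
    return {
        "subject": subject_hit,
        "body": body_hit,
        "attachment": attachment_hit,
        "verdict": attachment_hit and (subject_hit or body_hit),
    }


def build_sample(subject, body, filename):
    """Construct a sample message (test data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # Attachment content is placeholder bytes; only the name matters here.
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


WORM_LIKE = build_sample("Re: Your document", "Your document is attached.",
                         "your_document.pif")
BENIGN = build_sample("Re: Your document", "Notes from today's meeting attached.",
                      "minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The benign sample shows why the subject list alone is a poor signal: "Re: Your document" is a perfectly ordinary subject, so the verdict hinges on the .pif attachment name, which is the part of the template a legitimate sender would never produce.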