12832 bytes (packed with UPX)
Presence of the following files in the Windows folder (%WINDIR%, e.g. C:\Windows):
"Eml.tmp" is a local database of mail addresses collected by the worm from the infected computer.
"Exe.tmp" is an exact copy of "netwatch.exe", and "zip.tmp" is a zip file containing "photos.jpg.exe", which is in fact "netwatch.exe".
The .tmp files listed here have the hidden file attribute set, so they are not visible by default in Windows Explorer.
Presence of "netwatch.exe" in the process list (visible in Task Manager -> Processes under Win2000/XP)
Presence of registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32 set to %WINDIR%\netwatch.exe
Manual removal: open Task Manager by pressing [CTRL]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] (Win2000/XP)
use "End Process" on "netwatch.exe"
delete all the files enumerated at the beginning of this description from the Windows directory
open Registry Editor using [Win]+[R], regedit,
remove this key: "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32"
Automatic removal: let BitDefender disinfect infected files
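The symptoms and removal steps above can be turned into a host check. The following is an added example, not BitDefender's code: it evaluates the three indicator groups from this description (the dropped files in %WINDIR%, the netwatch.exe process, the NetWatch32 Run value) against a snapshot of a host and reports what was found. The HostSnapshot structure and the constructed INFECTED/CLEAN snapshots are assumptions of the example; collect_live_snapshot() shows how to fill the same structure from a real Windows machine.

```python
"""Host-side indicator check for the worm described above (added example)."""
import re
from dataclasses import dataclass

# Indicators taken from the description.
DROPPED_FILES = {"eml.tmp", "exe.tmp", "zip.tmp", "netwatch.exe"}
PROCESS_NAME = "netwatch.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "NetWatch32"
RUN_VALUE_DATA = re.compile(r"netwatch\.exe$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Assumed snapshot layout: what a collector would gather from one host."""
    windir: str
    files: dict        # full path -> set of attributes, e.g. {"hidden"}
    processes: list    # image names as shown in Task Manager
    run_values: dict   # value name -> data under the HKLM ...\Run key


def check_host(snap):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    windir = snap.windir.rstrip("\\").lower()
    for path, attrs in snap.files.items():
        folder, _, name = path.rpartition("\\")
        # Only files directly inside %WINDIR% count, compared case-insensitively.
        if folder.lower() == windir and name.lower() in DROPPED_FILES:
            hidden = "hidden" in attrs
            findings.append(f"file {path}" + (" (hidden)" if hidden else ""))
    if any(p.lower() == PROCESS_NAME for p in snap.processes):
        findings.append(f"process {PROCESS_NAME} running")
    data = snap.run_values.get(RUN_VALUE_NAME)
    if data is not None and RUN_VALUE_DATA.search(data):
        findings.append(f"registry {RUN_KEY}\\{RUN_VALUE_NAME} = {data}")
    return findings


def collect_live_snapshot():
    """Build a HostSnapshot from the local machine (Windows only; not run here)."""
    import csv, io, os, stat, subprocess, winreg
    windir = os.environ["WINDIR"]
    files = {}
    for entry in os.scandir(windir):
        if entry.is_file():
            attrs = set()
            if entry.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN:
                attrs.add("hidden")   # hidden files are what Explorer would not show
            files[entry.path] = attrs
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    processes = [row[0] for row in csv.reader(io.StringIO(out)) if row]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(data)
            i += 1
    return HostSnapshot(windir, files, processes, run_values)


# Constructed snapshots (sample data, not real telemetry).
INFECTED = HostSnapshot(
    windir=r"C:\Windows",
    files={
        r"C:\Windows\Eml.tmp": {"hidden"},
        r"C:\Windows\Exe.tmp": {"hidden"},
        r"C:\Windows\zip.tmp": {"hidden"},
        r"C:\Windows\netwatch.exe": set(),
        r"C:\Windows\notepad.exe": set(),
    },
    processes=["explorer.exe", "netwatch.exe"],
    run_values={"NetWatch32": r"C:\Windows\netwatch.exe"},
)
CLEAN = HostSnapshot(windir=r"C:\Windows",
                     files={r"C:\Windows\notepad.exe": set()},
                     processes=["explorer.exe"], run_values={})

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap))
```

The findings list maps directly onto the manual removal order given above: end the process first, then delete the files (including the hidden .tmp ones), then remove the Run value, so the worm cannot restart on the next logon.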
Mircea Ciubotariu, BitDefender Virus Researcher
The worm spreads via e-mail, attached as "photos.zip", in messages with the subject "Re: our private photos" and the following body:
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
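A mail gateway can stop this message on the details just given. The following is an added example, not BitDefender's code: it flags a message on the lure subject and attachment name from the description, and, going beyond this one worm, on any zip attachment that contains a double-extension executable such as "photos.jpg.exe". The sample messages are constructed inline and carry a dummy zip member, not the real worm; the addresses used are placeholders.

```python
"""Mail-gateway check for the worm's message (added example)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lures taken from the description.
KNOWN_SUBJECT = "re: our private photos"
KNOWN_ATTACHMENT = "photos.zip"
# Generalisation: a harmless-looking extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|txt|doc|pdf)\.(exe|scr|pif|com|bat)$",
                        re.IGNORECASE)


def zip_members(data):
    """Return the member names of a zip blob, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_message(raw):
    """Return the reasons to quarantine a raw RFC 5322 message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject == KNOWN_SUBJECT:
        reasons.append("subject matches known lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == KNOWN_ATTACHMENT:
            reasons.append(f"attachment name {name} matches known lure")
        if name.lower().endswith(".zip"):
            # Look inside the archive: the lure hides the executable there.
            for member in zip_members(part.get_payload(decode=True)):
                if DOUBLE_EXT.search(member):
                    reasons.append(
                        f"zip {name} contains double-extension executable {member}")
    return reasons


def build_sample(subject, attachment_name, member_name):
    """Construct a sample message with a zip holding a dummy member (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"dummy bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # placeholder address
    msg["To"] = "recipient@example.org"     # placeholder address
    msg["Subject"] = subject
    msg.set_content("Right now enjoy the photos.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's message, one benign.
WORM_MAIL = build_sample("Re: our private photos", "photos.zip", "photos.jpg.exe")
BENIGN_MAIL = build_sample("Holiday pictures", "pictures.zip", "beach.jpg")

if __name__ == "__main__":
    print("worm-shaped:", inspect_message(WORM_MAIL))
    print("benign:", inspect_message(BENIGN_MAIL))
```

The subject and attachment name rules catch this exact worm; the double-extension rule is the one worth keeping afterwards, since the same "photos.jpg.exe" trick works regardless of the subject line or the archive name.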
Although it is brand new malware, the first thing it does when run is to import and call "RegisterServiceProcess" from KERNEL32.DLL, a function available only on Win9x, in order to hide its process from Task Manager.
After that the worm copies itself to the %WINDIR% directory and starts collecting mail addresses: it recursively scans files under the "Program Files" folder and under the folders listed in the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder registry key, looking for strings of the form xxx@xxx.xxx (mail addresses), where xxx is almost any non-null string. From the way this function is written, it appears to have been included in the source as assembler code.
Files are filtered by extension: .com, .wav, .cab, .pdf and other binary files are excluded from the search.
Some hard-coded mail addresses are included in the executable body, as follows:
It was written in C++ and compiled using LCC-Win32.