
Win32.Netsky.C@mm

LOW
LOW
Size: 25352 bytes (packed with Petite)
Aliases: W32/Netsky.c@MM

Symptoms

Presence of the following file in the Windows directory (%WINDIR%):
winlogon.exe

Presence of the following entry in the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key:
"ICQ net" = "winlogon.exe -stealth"
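The two symptoms above can be turned into a checkable rule. The following script is an added example, not part of the Bitdefender write-up: it matches the "ICQ net" = "winlogon.exe -stealth" Run entry and a winlogon.exe dropped directly in %WINDIR% (the legitimate winlogon.exe lives in %WINDIR%\System32 and is started by the system, never from the Run key). The function names, the `SAMPLE_RUN_ENTRIES` data and the `scan` wrapper are assumptions for illustration; on Windows the script reads the live Run key, elsewhere it falls back to the constructed sample.

```python
"""Host-indicator check for Win32.Netsky.C@mm.

Added example, not part of the Bitdefender write-up. It turns the two
listed symptoms (a winlogon.exe dropped in %WINDIR% and the
"ICQ net" = "winlogon.exe -stealth" Run entry) into checkable logic.
"""
import ntpath
import os

# Indicators as listed in the write-up.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "ICQ net"
SUSPECT_VALUE_DATA = "winlogon.exe -stealth"
DROPPED_FILE = "winlogon.exe"


def is_dropped_copy(path, windir=r"C:\Windows"):
    """True if `path` is a winlogon.exe sitting directly in the Windows directory.

    The legitimate winlogon.exe lives in %WINDIR%\\System32, so a copy in
    %WINDIR% itself is the worm's dropped file, not the real binary.
    ntpath is used so the check works on Windows paths from any OS.
    """
    path = ntpath.normcase(ntpath.normpath(path))
    windir = ntpath.normcase(ntpath.normpath(windir))
    return ntpath.basename(path) == DROPPED_FILE and ntpath.dirname(path) == windir


def evaluate_run_entries(entries):
    """Flag persistence entries matching the worm.

    `entries` maps Run value names to their data, as read from HKLM\\...\\Run.
    Returns a list of (name, data, reason) tuples; an empty list means no hit.
    """
    hits = []
    for name, data in entries.items():
        reasons = []
        if name.lower() == SUSPECT_VALUE_NAME.lower():
            reasons.append("value name is 'ICQ net'")
        if isinstance(data, str):
            data_norm = data.strip().lower()
            first_token = data_norm.split(" ")[0].strip('"')
            if data_norm == SUSPECT_VALUE_DATA:
                reasons.append("data is 'winlogon.exe -stealth'")
            elif ntpath.basename(first_token) == DROPPED_FILE:
                # The real winlogon.exe is started by the system, never from Run.
                reasons.append("winlogon.exe launched from the Run key")
        if reasons:
            hits.append((name, data, "; ".join(reasons)))
    return hits


def read_run_entries():
    """Read the HKLM Run values on Windows; returns {} elsewhere so the
    matching logic can still be exercised against sample data."""
    try:
        import winreg  # Windows only
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = data
            index += 1
    return entries


# Constructed sample of a Run key on an infected host (not real registry data).
SAMPLE_RUN_ENTRIES = {
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe /background",
    "ICQ net": "winlogon.exe -stealth",
}


def scan(entries=None, windir=None):
    """Return a report dict; live data on Windows, the constructed sample elsewhere."""
    if entries is None:
        entries = read_run_entries() or SAMPLE_RUN_ENTRIES
    if windir is None:
        windir = os.environ.get("WINDIR", r"C:\Windows")
    return {
        "run_key_hits": evaluate_run_entries(entries),
        "dropped_file_present": os.path.isfile(ntpath.join(windir, DROPPED_FILE)),
    }


if __name__ == "__main__":
    report = scan()
    for name, data, reason in report["run_key_hits"]:
        print(f"Run entry {name!r} = {data!r}: {reason}")
    print("dropped winlogon.exe present:", report["dropped_file_present"])
```

The path check is deliberately strict about the directory rather than the file name alone: a winlogon.exe under System32 is expected, one directly under the Windows directory is not, and that distinction is what makes the indicator useful without producing a hit on every host.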

Removal instructions:

Let BitDefender delete all the infected files

Analyzed By

Adrian Gostin, BitDefender Virus Researcher

Technical Description:

The worm spreads via e-mail and some P2P applications. It sends itself through e-mail to addresses found in the infected computer and copies itself in directories whose names contain the string "shar" (P2P applications, such as Kazaa, usually have their shared files in such directories).

When the user double-clicks the e-mail attachment or downloads and executes a copy of this worm through a P2P application, the worm does the following:

- copies itself to Windows directory as winlogon.exe;

- adds the following entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key: ICQ net = winlogon.exe -stealth, so it will be executed each time Windows starts up;

- disables some antivirus software and other known worms (such as Win32.Mydoom.A@mm and Win32.Mydoom.B@mm) by deleting some registry keys;

- scans the infected computers for e-mail addresses in files whose extension is one of the following:
".eml"
".txt"
".php"
".pl"
".htm"
".html"
".vbs"
".rtf"
".uin"
".asp"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
".shtm"
".cgi"
".dhtm"

- creates and sends e-mails with the following characteristics:

Subject: randomly chosen from a large list of strings carried with the worm; here are some of them:
"Deliver Error"
"Message Error"
"Server Error"
"what means that?"
"help attached"
"..."
"ok..."
"Attachment from Poland"
"that is interesting..."
"i wait for your comment about it."
"such as yours?"
"read the details."
"gonna?"
"here is the document."
"*lol*"
"read it immediately!"
"i found that about you!"
"your hero in the picture?"
"yours?"
"here is it."
"illegal st. of you?"
"is that true?"
"account?"
"is that your name?"
"picture?"
"message?"

Body: randomly chosen from a large list of strings carried with the worm;

Attachment filename: randomly chosen from a large list of strings carried with the worm, such as:
"document"
"associal"
"msg"
"yours"
"doc"
"wife"
"talk"
"message"
"response"
"creditcard"
"description"
"details"
"attachment"
"pic"
"me"
"trash"
"card"
"stuff"
"poster"
"posting"
"portmoney"
"textfile"
"moonlight"
"concert"
"sexy"
"information"
"news"
"note"
"number_phone"
"bill"

Attachment has double extension; the first extension is one of the following:
".txt"
".rtf"
".doc"
".htm"
and the second is one of:
".exe"
".scr"
".com"
".pif"

It spoofs the FROM and MAILFROM fields in e-mail headers (that is, it fills these fields with randomly chosen e-mail addresses from those found on the computer).

- On 26 February 2004, between 6:00 and 9:00 am (local time, not GMT), the worm plays sounds of random tone and duration through the computer's speaker.
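The e-mail characteristics described above (a lure subject, an attachment name from the worm's list, and a document extension followed by an executable one) are enough for a mail-gateway rule. The following is an added example, not part of the Bitdefender write-up: it parses a message with the standard library, flags attachments whose name ends in one of the four document extensions followed by one of the four executable extensions, and scores the subject and filename stem against a subset of the strings listed above. Because the worm spoofs the sender, the rule never looks at the From header. The function names, the verdict labels and the `build_sample` messages are assumptions for illustration.

```python
"""Mail-gateway check for Netsky.C-style messages.

Added example, not part of the Bitdefender write-up. It applies the listed
characteristics (lure subject, lure attachment name, document extension
followed by an executable one) to a parsed message. The worm spoofs the
sender, so nothing here trusts the From header.
"""
import email
import os
from email.message import EmailMessage
from email.policy import default

# A subset of the subject and attachment-name strings listed in the write-up.
LURE_SUBJECTS = {
    "deliver error", "message error", "server error", "what means that?",
    "help attached", "read the details.", "here is the document.",
    "read it immediately!", "is that your name?", "picture?",
}
LURE_STEMS = {
    "document", "msg", "yours", "doc", "message", "response", "creditcard",
    "details", "attachment", "pic", "textfile", "information", "bill",
}
FIRST_EXT = {".txt", ".rtf", ".doc", ".htm"}    # the "document" part the user sees
SECOND_EXT = {".exe", ".scr", ".com", ".pif"}   # the part Windows actually runs


def split_double_extension(filename):
    """Return (stem, first, second) for names like document.txt.exe, else None."""
    root, second = os.path.splitext(filename.lower())
    stem, first = os.path.splitext(root)
    if first in FIRST_EXT and second in SECOND_EXT:
        return stem, first, second
    return None


def assess(raw_message):
    """Parse an RFC 5322 message and return (verdict, findings).

    verdict is "quarantine" when an attachment carries the double extension,
    "suspicious" when only the subject matches, otherwise "clean".
    """
    msg = email.message_from_string(raw_message, policy=default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append(f"subject {subject!r} is on the worm's list")
    attachment_hit = False
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        parts = split_double_extension(filename)
        if parts is None:
            continue
        attachment_hit = True
        stem, first, second = parts
        findings.append(f"attachment {filename!r} hides {second} behind {first}")
        if stem in LURE_STEMS:
            findings.append(f"attachment stem {stem!r} is on the worm's list")
    if attachment_hit:
        return "quarantine", findings
    if findings:
        return "suspicious", findings
    return "clean", findings


def build_sample(subject, filename):
    """Construct a sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(b"MZ placeholder bytes, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for subj, name in [("Server Error", "document.txt.exe"),
                       ("hello", "notes.txt.pif"),
                       ("Server Error", "report.pdf"),
                       ("Quarterly figures", "figures.xlsx")]:
        verdict, findings = assess(build_sample(subj, name))
        print(f"{subj!r} / {name!r}: {verdict}")
        for finding in findings:
            print("   -", finding)
```

The double-extension test alone drives the quarantine decision; the subject and stem lists only add confidence, since the worm carries many more strings than are reproduced here and a benign message can share a short subject like "picture?".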