My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Netsky.P@mm

HIGH
LOW
29 KB
(I-Worm.Netsky.q, WORM_NETSKY.P, Win32.HLLM.Netsky.35328)

Symptoms

Presence of following files: FVPROTECT.EXE and USERCONFIG9X.DLL in Windows folder.

Presence of following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
holding the value:
Norton Antivirus AV = %WINDIR%\FVPROTECT.EXE

Removal instructions:

Let BitDefender delete infected files.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm spreads by e-mail, with a header like:

From: (fake e-mail address)

Subject: one of the following:

* Re: Encrypted Mail
* Re: Extended Mail
* Re: Status
* Re: Notify
* Re: SMTP Server
* Re: Mail Server
* Re: Delivery Server
* Re: Bad Request
* Re: Failure
* Re: Thank you for delivery
* Re: Test
* Re: Administration
* Re: Message Error
* Re: Error
* Re: Extended Mail System
* Re: Secure SMTP Message
* Re: Protected Mail Request
* Re: Protected Mail System
* Re: Protected Mail Delivery
* Re: Secure delivery
* Re: Delivery Protection
* Re: Mail Authentification



Message body can be one of the following:

* Please confirm my request.
* ESMTP [Secure Mail System #334]: Secure message is attached.
* Partial message is available.
* Waiting for a Response. Please read the attachment.
* First part of the secure mail is available.
* For more details see the attachment.
* For further details see the attachment.
* Your requested mail has been attached.
* Protected Mail System Test.
* Secure Mail System Beta Test.
* Forwarded message is available.
* Delivered message is attached.
* Encrypted message is available.
* Please read the attachment to get the message.
* Follow the instructions to read the message.
* Please authenticate the secure message.
* Protected message is attached.
* Waiting for authentification.
* Protected message is available.
* Bad Gateway: The message has been attached.
* SMTP: Please confirm the attached message.
* You got a new message.
* Now a new message is available.
* New message is available.
* You have received an extended message. Please read the instructions.
* Your details.
* Your document.
* I have received your document. The corrected document is attached.
* I have attached your document.
* Your document is attached to this mail.
* Authentication required.
* Requested file.
* See the file.
* Please read the important document.
* Please confirm the document.
* Your file is attached.
* Please read the document.
* Your document is attached.
* Please read the attached file!
* Please see the attached file for details.



The message body may contain a notice that it was scanned by an AV program and that no virus was found.

Attachment: a file containing some of the following:

* file
* your_document
* about_you
* document04
* msg
* all_doc01
* document
* approved
* improved
* corrected



The attachment may have a double extension: a document extension (.doc, .txt) followed by several blanks and then by an executable extension (.pif, .exe, .scr).
Also, the attachment may be a zip file containing a packed file with a double extension.

The worm may also spread via P2P clients, under one of the following names:

* The Sims 4 beta.exe
* Lightwave 9 Update.exe
* Ulead Keygen 2004.exe
* Smashing the stack full.rtf.exe
* Internet Explorer 9 setup.exe
* Opera 11.exe
* DivX 8.0 final.exe
* WinAmp 13 full.exe
* Cracks & Warez Archiv.exe
* Visual Studio Net Crack all.exe
* ACDSee 10.exe
* MS Service Pack 6.exe
* Clone DVD 6.exe
* Magix Video Deluxe 5 beta.exe
* Star Office 9.exe
* Partitionsmagic 10 beta.exe
* Gimp 1.8 Full with Key.exe
* Norton Antivirus 2005 beta.exe
* Windows 2000 Sourcecode.doc.exe
* Keygen 4 all new.exe
* 3D Studio Max 6 3dsmax.exe
* 1001 Sex and more.rtf.exe
* RFC compilation.doc.exe
* Dictionary English 2004 - France.doc.exe
* Win Longhorn re.exe
* WinXP eBook newest.doc.exe
* Learn Programming 2004.doc.exe
* How to hack new.doc.exe
* Doom 3 release 2.exe
* E-Book Archive2.rtf.exe
* netsky source code.scr
* Ahead Nero 8.exe
* Full album all.mp3.pif
* Screensaver2.scr
* Serials edition.txt.exe
* Microsoft Office 2003 Crack best.exe
* XXX hardcore pics.jpg.exe
* Dark Angels new.pif
* Porno Screensaver britney.scr
* Best Matrix Screensaver new.scr
* Adobe Photoshop 10 full.exe
* Adobe Premiere 10.exe
* Teen Porn 15.jpg.pif
* Microsoft WinXP Crack full.exe
* Adobe Photoshop 10 crack.exe
* Windows XP crack.exe
* Windows 2003 crack.exe
* Arnold Schwarzenegger.jpg.exe
* Saddam Hussein.jpg.exe
* Cloning.doc.exe
* American Idol.doc.exe
* Eminem Poster.jpg.exe
* Altkins Diet.doc.exe
* Eminem blowjob.jpg.exe
* Ringtones.doc.exe
* Eminem sex xxx.jpg.exe
* Ringtones.mp3.exe
* Eminem Spears porn.jpg.exe
* Eminem full album.mp3.exe
* Eminem Sexy archive.doc.exe
* Eminem Song text archive.doc.exe
* Britney Spears.mp3.exe
* Eminem.mp3.exe
* Britney Spears full album.mp3.exe
* Britney Spears Song text archive.doc.exe
* Matrix.mpg.exe
* Britney Spears and Eminem porn.jpg.exe
* Harry Potter 5.mpg.exe
* Britney Spears.jpg.exe
* Harry Potter game.exe
* Britney Spears fuck.jpg.exe
* Harry Potter.doc.exe
* Britney Spears cumshot.jpg.exe
* Harry Potter e book.doc.exe
* Britney Spears blowjob.jpg.exe
* Harry Potter 1-6 book.txt.exe
* Britney sex xxx.jpg.exe
* Harry Potter all e.book.doc.exe
* Britney Spears porn.jpg.exe
* Kazaa new.exe
* Britney Spears Sexy archive.doc.exe
* Kazaa Lite 4.0 new.exe



When executed, the worm creates some files in the system directory:

FVPROTECT.EXE – copy of worm body
USERCONFIG9X.DLL – worm dll
BASE64.TMP – base64 encoded worm executable
ZIPPED.TMP – ziped worm executable
ZIP1,2,3.TMP – zipped base64 encoded worm executable


On the 24th of March 2004, the worm will send itself to addresses harvested from the infected system, using its own SMTP engine. The following types of files are scanned for addresses:

* .xml
* .wsh
* .jsp
* .msg
* .oft
* .sht
* .dbx
* .tbb
* .adb
* .dhtm
* .cgi
* .shtm
* .uin
* .rtf
* .vbs
* .doc
* .wab
* .asp
* .php
* .txt
* .eml
* .html
* .htm



The worm will not send itself to addresses that include one of the following strings:

* reports@
* spam@
* noreply@
* @viruslis
* ntivir
* @sophos
* @freeav
* @pandasof
* @skynet
* @messagel
* abuse@
* @fbi
* @norton
* @f-pro
* @kaspersky
* @mcafee
* @norman
* @bitdefender
* @f-secur
* @avp
* @spam
* @symantec
* @antivi
* @microsof



The worm will attempt to erase registry keys used by Bagle, Welchia and Mydoom viruses.