
Win32.Netsky.W@mm

HIGH
LOW
24 KB
(WORM_NETSKY.W)

Symptoms

  • File: VisualGuard.exe in the Windows directory
  • Registry value: "NetDy" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, holding the file name above

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Mihai NEAGU, BitDefender Virus Researcher

Technical Description:

The worm arrives by e-mail in the following form:

From: spoofed

Subject: is composed using the following words:
  • here
  • hi
  • hello
  • thanks!
  • approved
  • corrected
  • patched
  • improved
  • important
  • read it immediately
  • your
  • my
  • approved
  • important
  • document
  • file
  • details
  • information
  • letter
  • product
  • website
  • application
  • screensaver
  • bill
  • word document
  • excel document
  • data
  • message
  • text
  • document_all

Body text: one of the following:
  • Your details.
  • Your document.
  • I have received your document. The corrected document is attached.
  • I have attached your document.
  • Your document is attached to this mail.
  • Authentication required.
  • Requested file.
  • See the file.
  • Please read the important document.
  • Please confirm the document.
  • Your file is attached.
  • Please read the document.
  • Your document is attached.
  • Please read the attached file.
  • Please see the attached file for details.

At the end of the body text, there may be three lines saying that the attachment contains no virus.

Attachment: has an executable extension (.pif, .exe or .scr) or a .zip extension, and a name from:
  • document
  • file
  • details
  • information
  • letter
  • product
  • website
  • application
  • screensaver
  • bill
  • word document
  • excel document
  • data
  • message
  • text
  • document_all

The attachment name may be followed by the recipient's e-mail user name.

The mail may also contain a GIF picture.
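As an added defender-side example (not part of the BitDefender description), the following Python heuristic checks a raw mail message against the subject word pools and the attachment naming described above and flags a message only when both traits are present. The sample message is constructed, and the separator accepted between the attachment name and the recipient's user name is an assumption, since the page does not give one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word pools transcribed from the description above (matched case-insensitively).
SUBJECT_WORDS = {"here", "hi", "hello", "thanks!", "approved", "corrected", "patched",
                 "improved", "important", "read it immediately", "your", "my"}
ATTACHMENT_NAMES = {"document", "file", "details", "information", "letter", "product",
                    "website", "application", "screensaver", "bill", "word document",
                    "excel document", "data", "message", "text", "document_all"}
# Longest names first so "word document" is not matched as "word" plus leftover.
_NAMES = "|".join(map(re.escape, sorted(ATTACHMENT_NAMES, key=len, reverse=True)))
ATTACH_RE = re.compile(rf"^({_NAMES})(?P<suffix>.*?)\.(pif|exe|scr|zip)$", re.I)

def subject_matches(subject: str) -> bool:
    # The subject must consist only of pool words/phrases, consumed greedily (longest first).
    s = " ".join(subject.lower().split())
    pools = sorted(SUBJECT_WORDS | ATTACHMENT_NAMES, key=len, reverse=True)
    while s:
        phrase = next((p for p in pools if s == p or s.startswith(p + " ")), None)
        if phrase is None:
            return False
        s = s[len(phrase):].lstrip()
    return bool(subject.strip())

def attachment_matches(filename: str, recipient: str) -> bool:
    # Pool name + .pif/.exe/.scr/.zip, optionally followed by the recipient's user name.
    # ASSUMPTION: the page gives no separator before the user name; accept none, space, "_" or "-".
    m = ATTACH_RE.match(filename.strip())
    if not m:
        return False
    suffix = m.group("suffix").strip(" _-").lower()
    return suffix in ("", parseaddr(recipient)[1].split("@", 1)[0].lower())

def classify(raw: str) -> dict:
    # Both traits must be present for a message to be flagged as Netsky.W-like.
    msg = message_from_string(raw)
    subj = subject_matches(msg.get("Subject", ""))
    att = any(attachment_matches(p.get_filename() or "", msg.get("To", "")) for p in msg.walk())
    return {"subject": subj, "attachment": att, "verdict": subj and att}

# Constructed sample message (not a real capture) in the shape the description gives.
SAMPLE = """To: alice@example.com
Subject: your document
Content-Type: application/octet-stream; name="document_alice.pif"
Content-Disposition: attachment; filename="document_alice.pif"

(attachment bytes omitted from this constructed sample)
"""
```

`classify(SAMPLE)` reports both traits and a positive verdict; a message whose subject uses the pools but that carries no pool-named executable attachment is not flagged.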

When run, the worm copies itself to the Windows directory under the file name:
%WINDIR%\VisualGuard.exe
and creates the following registry value under the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
"NetDy" = "%WINDIR%\VisualGuard.exe"

It scans the hard drives for e-mail addresses inside files with the following extensions:
  • .pl
  • .htm
  • .html
  • .eml
  • .txt
  • .php
  • .asp
  • .wab
  • .doc
  • .vbs
  • .rtf
  • .uin
  • .shtm
  • .cgi
  • .dhtm
  • .adb
  • .tbb
  • .dbx
  • .sht
  • .oft
  • .msg
  • .jsp
  • .wsh
  • .xml

and sends mail using its own SMTP engine.

The worm attempts to remove some variants of the Mydoom, Welchia and Beagle worms.

The worm uses the following temporary files; they may be deleted:
  • %WINDIR%\base64.tmp -- base64 encoding of the worm file
  • %WINDIR%\zipped.tmp -- zipped worm file
  • %WINDIR%\zip1-6.tmp -- base64 encodings of the zipped worm file