
Win32.Netsky.AB@mm

HIGH
LOW
17408 bytes

Symptoms

The file winlogon.scr in the %windir% folder
The presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge with value
%WINDIR%\winlogon.scr

Removal instructions:

Automatic removal: let BitDefender disinfect infected files

Analyzed By

Sorin Victor Dudea BitDefender AntiVirus Researcher

Technical Description:

The worm has the following e-mail format:

Attachment:
Randomly chosen from the following list:
"Your_Document.pif"
"Your_Document.pif"
"Your_Text.pif"
"Your_Document_Part3.pif"
"Your_Details.pif"
"Your_Pics.pif"
"Your_Private_Document.pif"
"Your_Information.pif"
"Your_Document.pif"
"Your_Digicam_Pictures.pif"
"Your_Summary.pif"
"Your_Description.pif"
"Your_Music.pif"
"Your_Software.pif"
"My_Telephone_Numbers.pif"
"Your_List.pif"
"Your_Text_File.pif"
"Your_Paint_File.pif"
"Your_Contacts.pif"
"Your_E-Books.pif"
"Your_Bill.pif"
"Your_Error.pif"
"Your_Excel_Document.pif"
"Your_Letter.pif"
"Your_Product.pif"
"Your_Website.pif"
"Your_Movie.pif"
"Your_Presentation.pif"
"My_Advice.pif"
"My_Fax_Numbers.pif"
"Your_Product_List.pif"
"Osam_Bin_Laden_Articel_42.pif"
"Your_Demo.pif"
"Your_Final_Document.pif"
"Your_Poster.pif"
"Your_Patch.pif"
"Your_Pricelist.pif"
"Your_Job.pif"


Body:

Randomly chosen from the following list:

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

Subject:

Randomly chosen from the following list:

"Re: Document"
"Re: Approved"
"Re: Text"
"Re: Thank you!"
"Re: Details"
"Re: Photos"
"Re: Private"
"Re: Information"
"Re: Hi"
"Re: Hello"
"Re: Summary"
"Re: Step by Step"
"Re: Music"
"Re: Application"
"Re: Tel. Numbers"
"Re: List"
"Re: Text file"
"Re: Paint file"
"Re: Contacts"
"Re: e-Books"
"Re: Bill"
"Re: Error"
"Re: Missed"
"Re: Letter"
"Re: Product"
"Re: Website"
"Re: Movie"
"Re: Presentation"
"Re: Advice"
"Re: Fax number"
"Re: Cheaper"
"Re: War"
"Re: Demo"
"Re: Final"
"Re: Poster"
"Re: Patch"
"Re: Pricelist"
"Re: Job"
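
As an added example (not part of the Bitdefender description), a mail-gateway check that scores an incoming message against the fixed subject, body and attachment-name strings listed above; the three sample messages are constructed for illustration.

```python
import re

# Fixed strings taken from the description above (subjects and bodies are
# matched exactly, since the worm inserts them verbatim).
SUBJECTS = {
    "Re: Document", "Re: Approved", "Re: Text", "Re: Thank you!", "Re: Details",
    "Re: Photos", "Re: Private", "Re: Information", "Re: Hi", "Re: Hello",
    "Re: Summary", "Re: Step by Step", "Re: Music", "Re: Application",
    "Re: Tel. Numbers", "Re: List", "Re: Text file", "Re: Paint file",
    "Re: Contacts", "Re: e-Books", "Re: Bill", "Re: Error", "Re: Missed",
    "Re: Letter", "Re: Product", "Re: Website", "Re: Movie", "Re: Presentation",
    "Re: Advice", "Re: Fax number", "Re: Cheaper", "Re: War", "Re: Demo",
    "Re: Final", "Re: Poster", "Re: Patch", "Re: Pricelist", "Re: Job",
}
BODIES = {
    "Your document is attached.", "Here is the file.",
    "Please view the attached file.", "See the attached file for details.",
    "Please take the attached file.", "Please have a look at the attached file.",
    "Please read the attached file.", "Your file is attached.",
    "For furher details see the attached file.",  # sic: the worm's own typo
}
# Every attachment name in the list is a .pif with one of these prefixes.
ATTACHMENT_RE = re.compile(r"^(Your_|My_|Osam_Bin_Laden_)[A-Za-z0-9_-]+\.pif$")


def netsky_ab_score(subject, body, attachment):
    """Count how many of the three template fields (0-3) match the worm's strings."""
    score = 0
    if subject.strip() in SUBJECTS:
        score += 1
    if body.strip() in BODIES:
        score += 1
    if attachment and ATTACHMENT_RE.match(attachment):
        score += 1
    return score


def is_netsky_ab_candidate(subject, body, attachment):
    """Flag a message when it carries a template .pif attachment plus at least
    one more matching field; a lone 'Re: Hello' subject is not enough."""
    return (bool(attachment) and ATTACHMENT_RE.match(attachment) is not None
            and netsky_ab_score(subject, body, attachment) >= 2)


# Constructed sample messages (subject, body, attachment name or None).
SAMPLES = [
    ("Re: Details", "Your document is attached.", "Your_Details.pif"),
    ("Meeting notes", "Please read the attached file.", "Your_Letter.pif"),
    ("Re: Details", "Numbers for Q3 are in the sheet.", "q3.xlsx"),
]
```

Only the first two samples are flagged; the third shares a subject with the worm but carries neither its body nor a template attachment.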

When the worm is executed it creates the following mutex to ensure that only
one instance of itself is running:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Then it copies itself to the %WINDIR% folder under the name:
Winlogon.scr
and adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge with value
%WINDIR%\winlogon.scr
After this it creates one thread to search for e-mail addresses and 8 threads to send itself to all e-mail addresses it finds.
When first run it displays a message box with the following title and text:
Error
Out of system memory

The worm searches for e-mail addresses on physical drives from c: to z:.
It will only search for e-mail addresses in files with the following extensions:
.eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb
.dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt

At the same time it sends itself to every e-mail address it finds, skipping any address that contains one of the following strings:
"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"
"orman"
"cafee"
"aspersky"
"f-pro"
"orton"
"fbi"
"abuse"
"messagelabs"
"skynet"
"andasoftwa"
"freeav"
"sophos"
"antivir"
"iruslis"