Symptoms

Removal instructions:

Analyzed By

Technical Description:

The worm comes by mail in the following form:

From: [spoofed]

Subject: one of the following:

• Re: Msg reply
  
• Re: Hello
  
• Re: Yahoo!
  
• Re: Thank you!
  
• Re: Thanks :)
  
• RE: Text message
  
• Re: Document
  
• Incoming message
  
• Re: Incoming Message
  
• RE: Incoming Msg
  
• RE: Message Notify
  
• Notification
  
• Changes..
  
• Update
  
• Fax Message
  
• Protected message
  
• RE: Protected message
  
• Forum notify
  
• Site changes
  
• Re: Hi
  
• Encrypted document

Attachment: has a .exe, .scr, .com, .zip, .vbs, .hta or .cpl extension and one of the following names:

• Information
  
• Details
  
• text_document
  
• Updates
  
• Readme
  
• Document
  
• Info
  
• Details
  
• MoreInfo
  
• Message
  
• Sources

Body text: may contain one or more of the following:

• Read the attach.
  
• Your file is attached.
  
• More info is in attach
  
• See attach.
  
• Please, have a look at the attached file.
  
• Your document is attached.
  
• Please, read the document.
  
• Attach tells everything.
  
• Attached file tells everything.
  
• Check attached file for details.
  
• Check attached file.
  
• Pay attention at the attach.
  
• See the attached file for details.
  
• Message is in attach
  
• Here is the file.
  
• For security reasons attached file is password protected. The password is [password]
  
• For security purposes the attached file is password protected. Password -- [password]
  
• Note: Use password [password] to open archive.
  
• Attached file is protected with the password for security reasons. Password is [password]
  
• In order to read the attach you have to use the following password: [password]
  
• Archive password: [password]
  
• Password - [password]
  
• Password: [password]

When ran, the worm displays a fake error message:

Can't find a viewer associated with the file

and creates one of the following mutexes:

• |MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
  
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  
• [SkyNet.cz]SystemsMutex
  
• AdmSkynetJklS003
  
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

then creates the following files:

• %SYSDIR%\loader_name.exe -- worm executable file
  where %SYSDIR% is Windows System directory (eg. C:\Windows\System, C:\WinNT\System32)
  
•  
• %SYSDIR%\loader_name.exeopen -- worm copy with some garbage appended
  
• %SYSDIR%\loader_name.exeopenopen -- worm zipped (may be password protected)

and creates the registry key:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  with the value:
  "reg_key"="%SYSDIR%\loader_name.exe

The key above is created ten times per second, so deleting it will not help unless the process (loader_name.exe) is killed.

The worm tries to remove the following registry keys:

• HKCU\Software\Microsoft\Windows\My AV
  
• HKCU\Software\Microsoft\Windows\Zone Labs Client Ex
  
• HKCU\Software\Microsoft\Windows\9XHtProtect
  
• HKCU\Software\Microsoft\Windows\Antivirus
  
• HKCU\Software\Microsoft\Windows\Special Firewall Service
  
• HKCU\Software\Microsoft\Windows\service
  
• HKCU\Software\Microsoft\Windows\Tiny AV
  
• HKCU\Software\Microsoft\Windows\ICQNet
  
• HKCU\Software\Microsoft\Windows\HtProtect
  
• HKCU\Software\Microsoft\Windows\NetDy
  
• HKCU\Software\Microsoft\Windows\Jammer2nd
  
• HKCU\Software\Microsoft\Windows\FirewallSvr
  
• HKCU\Software\Microsoft\Windows\MsInfo
  
• HKCU\Software\Microsoft\Windows\SysMonXP
  
• HKCU\Software\Microsoft\Windows\EasyAV
  
• HKCU\Software\Microsoft\Windows\PandaAVEngine
  
• HKCU\Software\Microsoft\Windows\Norton Antivirus AV
  
• HKCU\Software\Microsoft\Windows\KasperskyAVEng
  
• HKCU\Software\Microsoft\Windows\SkynetsRevenge
  
• HKCU\Software\Microsoft\Windows\ICQ Net

To mail itself, the worm searches the local hard-disk for e-mail addresses inside files with the following extensions:

.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

and uses its own SMTP engine to resolve the target mail server and to send mail to it, skipping e-mail addresses that contain:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@.

Also the worm copies itself to directories that have shar in their names (for instance the P2P shared folders) with one of the following names:

• Microsoft Office 2003 Crack, Working!.exe
  
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
  
• Microsoft Office XP working Crack, Keygen.exe
  
• Porno, sex, oral, anal cool, awesome!!.exe
  
• Porno Screensaver.scr
  
• Serials.txt.exe
  
• KAV 5.0
  
• Kaspersky Antivirus 5.0
  
• Porno pics arhive, xxx.exe
  
• Windows Sourcecode update.doc.exe
  
• Ahead Nero 7.exe
  
• Windown Longhorn Beta Leak.exe
  
• Opera 8 New!.exe
  
• XXX hardcore images.exe
  
• WinAmp 6 New!.exe
  
• WinAmp 5 Pro Keygen Crack Update.exe
  
• Adobe Photoshop 9 full.exe
  
• Matrix 3 Revolution English Subtitles.exe
  
• ACDSee 9.exe

The worm also runs as backdoor on port 1234.