W32/Netsky.x@MM

This page shows details and results of our analysis on the malware W32/Netsky.x@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT: 4348 (2004-04-06)

Updated DAT: 4994 (2007-03-28)

Minimum Engine: 5.1.00

File Length: 26,112 Bytes

Description Added: 2004-04-20

Description Modified: 2004-04-20

Malware Proliferation

Characteristics

This worm is detected with current DATs as W32/Netsky.gen@MM when scanning of compressed files is enabled. Specific detection will be added to the 4352 DATs.

It bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address of messages
  • delivers a DoS attack on certain web sites.

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .ppt
  • .rtf
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wsh
  • .wab
  • .xls
  • .xml

Subject (taken from the following list):

  • Re: document
  • Re: belge
  • Re: dokumenten
  • Re: dokumentoida
  • Re: udokumentowac
  • Re: dokumentet
  • Re: original
  • Re: documento
  • Re: dokument

Body (taken from the following list):

  • Please read the document
  • Bitte lesen Sie das Dokument.
  • Veuillez lire le document.
  • Legga prego il documento.
  • Leia por favor o original.
  • Behage lese dokumentet.
  • Podobac sie przeczytac ten udokumentowac.
  • Haluta kuulua dokumentoida.
  • mutlu etmek okumak belgili tanimlik belge.
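The subject and body templates above are fixed strings, which makes them usable as a mail-gateway signature. The following is an added example (not McAfee's tooling) that flags a message only when both its Subject and a body line match the worm's templates, so an ordinary "Re: document" reply is not flagged; the sample messages are constructed for illustration.

```python
"""Mail-gateway rule for the W32/Netsky.x@MM lure (added example)."""
from email import message_from_string
from email.message import Message

# Subject and body strings exactly as listed in the description.
NETSKY_X_SUBJECTS = {
    "Re: document", "Re: belge", "Re: dokumenten", "Re: dokumentoida",
    "Re: udokumentowac", "Re: dokumentet", "Re: original",
    "Re: documento", "Re: dokument",
}
NETSKY_X_BODIES = {
    "Please read the document",
    "Bitte lesen Sie das Dokument.",
    "Veuillez lire le document.",
    "Legga prego il documento.",
    "Leia por favor o original.",
    "Behage lese dokumentet.",
    "Podobac sie przeczytac ten udokumentowac.",
    "Haluta kuulua dokumentoida.",
    "mutlu etmek okumak belgili tanimlik belge.",
}


def _body_lines(msg: Message) -> list[str]:
    """Return the stripped text lines of every text/plain part."""
    lines = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode("utf-8", "replace")
            lines.extend(line.strip() for line in text.splitlines())
    return lines


def matches_netsky_x(raw: str) -> bool:
    """True when the Subject and at least one body line both match the templates."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    if subject not in NETSKY_X_SUBJECTS:
        return False
    return any(line in NETSKY_X_BODIES for line in _body_lines(msg))


# Constructed samples: a worm-style lure and a benign reply sharing a Subject.
LURE = ("From: a@example.test\nTo: b@example.test\nSubject: Re: dokument\n\n"
        "Bitte lesen Sie das Dokument.\n")
BENIGN = ("From: a@example.test\nTo: b@example.test\nSubject: Re: document\n\n"
          "Thanks, I have attached the revised draft.\n")
```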

System Changes

The worm installs itself on the victim machine as FirewallSvr.exe in the Windows directory:

  • %WinDir%\FirewallSvr.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "FirewallSvr" = %WinDir%\FirewallSvr.exe

A base64-encoded copy of the worm is also dropped into the %WinDir% folder.

For example: C:\Winnt\f**k_you_bagle.txt

Denial of Service

If the local system date is between April 28th and April 30th, it targets the following remote servers in a denial of service attack:

  • www.educa.ch
  • www.nedinfo.ufl.edu
  • www.nibis.de

Symptoms

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Outgoing DNS queries sent to one of a set of hard-coded IP addresses

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants