W32/Netsky.d@MM

W32/Netsky.d@MM

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: N/A
  • Protection Added: 2004-03-01

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5400.1158

File Length

17,424 bytes (Petite packed)

Description Added

2004-03-01

Description Modified

2004-03-01

Malware Proliferation

-- Update 10:13 PST May 21st 2004 --

A repackaged version of this variant has been received which is detected and repaired as W32/Nestky.d@MM with the current 4362 DATS.  It is 40,448 bytes in size.  It also drops the very same keylogger component as W32/Bugbear.b@MM which is also detected by the current DATS as W32/Bugbear.b.dll

-- Update 06:10 PST March 1st 2004 --
Due to an increase in prevalence, this threat has had its risk assessment raised to MEDIUM.

Please note : proactive detection (as W32/Netsky.c@MM ) has been provided since the 4328 DATs with the scanning of compressed files enabled.
--

A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

This virus spreads via email. It sends itself to addresses found on the victim's machine.  The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system)
Subject: Taken from the following list:

  • Re: Hello
  • Re: Hi
  • Re: Thanks!
  • Re: Document
  • Re: Message
  • Re: Here
  • Re: Details
  • Re: Your details
  • Re: Approved
  • Re: Your document
  • Re: Your text
  • Re: Excel file
  • Re: Word file
  • Re: My details
  • Re: Your music
  • Re: Your bill
  • Re: Your letter
  • Re: Document
  • Re: Your website
  • Re: Your product
  • Re: Your document
  • Re: Your software
  • Re: Your archive
  • Re: Your picture
  • Re: Here is the document
Body: Taken from the following list:
  • Here is the file.
  • Your file is attached.
  • Your document is attached.
  • Please read the attached file.
  • Please have a look at the attached file.
  • See the attached file for details.
Attachment: filename taken from strings within worm, with a .PIF extension:
  • yours.pif
  • your_text.pif
  • your_bill.pif
  • mp3music.pif
  • document.pif
  • my_details.pif
  • your_file.pif
  • your_website.pif
  • your_product.pif
  • your_letter.pif
  • your_archive.pif
  • your_details.pif
  • document_word.pif
  • all_document.pif
  • application.pif
  • your_picture.pif
  • document_excel.pif
  • document_4351.pif
  • document_full.pif
  • message_part2.pif
  • your_document.pif
  • message_details.pif

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .msg
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

It does not send itself to addresses that contain one of the following strings:

  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • skynet
  • spam
  • messagelabs
  • ymantec
  • antivi
  • icrosoft

The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename WINLOGON.EXE.

  • C:\WINNT\WINLOGON.EXE (17,424 bytes)

Note: A valid file exists in the Windows System directory.

A Registry key is created to load the worm at system start.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

Virus removal
The virus removes various Registry values.  Some of these are associated with other viruses, trojans, and applications.

The following registry key values are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

All Users :
Use specified
engine and DAT files (or later) for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  2. Delete the file WINLOGON.EXE  from your WINDOWS directory (typically c:\windows or c:\winnt)
    NOTE: Do not delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory as that is a valid Windows system file.
  3. Edit the registry
    • Delete the "ICQ Net" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
      • HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
  4. Reboot the system into Default Mode

Sniffer Technologies
Sniffer Filters have been developed to filter DNS traffic sent by Netsky.d.   Sniffer Filters are available for Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst network analyzer. The filters for Netsky.c apply for Netsky.d as well.

W32_Netsky.c@mm Sniffer Filters.zip

McAfee Threatscan

ThreatScan signatures that can detect the W32/Netsky.d@MM virus are available from:

ThreatScan Signature version:  2004-03-01
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4066

This worm spreads by email, constructing messages using its own SMTP engine. 

  • Existence of files and registry keys as mentioned above
  • Unexpected network traffic
  • Audio payload - similarly to the C variant, upon a specific time/date condition, the worm makes random beeping sounds with varying pitches and rhythm  
  • Outgoing DNS queries to one of the following hard-coded IP addresses:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16