Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: LOW
Payload: Plays sound
Detection files: published
Description created: 29 Feb 2004 03:05:00
Description updated: 01 Mar 2004 08:47:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Netsky.D@mm

Spreading

When run, the worm avoids being loaded twice in memory by creating a mutex called "[SkyNet.cz]SystemsMutex".
It copies itself to the Windows directory under the name WINLOGON.EXE and creates a Run value in the registry so that it is started at boot.

Registry value created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "ICQ Net" = "[WINDIR]\winlogon.exe -stealth"

Registry keys and values deleted by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Taskmon"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Taskmon"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Explorer"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Explorer"
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "KasperskyAv"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "KasperskyAv"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "System."
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, value "System."
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "msgsvr32"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "DELETE ME"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "d3dupdate.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "au.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "service"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "OLE"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Sentry"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Services Host"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Services Host"
The worm traverses the folders of all drives C: to Z: (skipping CD drives), harvesting email addresses from files whose extensions appear in word list 1. It then starts 8 concurrent threads that send the infected emails.

Note: the mails may carry forged From: addresses, so "You have sent a virus" warnings from mail scanners are usually not correct about the real sender.

Word list 1: File types searched for email addresses:
.eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm

Word list 2: Email addresses containing the following strings are avoided:
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet

Word list 3: Possible email subjects:
Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Word list 4: Possible mail bodies:
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

Word list 5: Attachment file names:
your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

Payload Details

If the system time is between 6am and 9am on the morning of March 2nd 2004, the worm plays beeps of semi-random pitch and duration until the clock reaches 09:00 or the system time is changed manually.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15