W32/Netsky.p@MM

03/22/04 - W32/Netsky.p@MM

A new variant of W32/Netsky@MM has been received. Like its predecessors, it spreads through email. The main component is 29,568 bytes long and is FSG packed.

When run, the worm copies itself to the Windows directory as:

  • FVProtect.exe

It creates the following files in the same directory:

  • userconfig9x.dll (26,624)
  • base64.tmp (UUEncoded worm)
  • zip1.tmp (UUEncoded zip archive containing the worm)
  • zip2.tmp (UUEncoded zip archive containing the worm)
  • zip3.tmp (UUEncoded zip archive containing the worm)
  • zipped.tmp (worm in zip archive)

The three zip archives differ from each other in their binary content.

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Norton Antivirus AV" = %WinDir%\FVProtect.exe

Where %WinDir% is the Windows directory.

Mail Propagation

The worm sends mail directly over SMTP.  The email it sends has the following characteristics:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

  • Stolen document
  • Re:Hello
  • Mail Delivery ( failure sender address )
  • Private document
  • Re:Notify
  • Re:document
  • Re:Extended Mail System
  • Re:Proctected Mail System
  • Re:Question
  • Private document
  • Postcard

Body: (Taken from the following list)

  • I found this document about you.
  • I have attached it to this mail.
  • Waiting for authentification.
  • Please confirm!
  • Protected message is available
  • Do not visit this illegal websites!
  • Here is my phone number.
  • I cannot believe that.
  • Your file is attached.
  • For further details see that attachment.
  • Congratulations!, your best friend.
  • Greetings from france, your friend.
  • If the message will not displayed automatically, follow the link to read the delivered message.
    Received message is available at:
    (forged web link. )

The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems.

Attachment: (one of the following)

  • websites(random number).zip
  • document(random number).zip
  • your_document.zip
  • part(random number).zip
  • message.doc.scr
  • message.zip
  • document.zip
  • old_photos.txt.pif
  • postcard_.(random number)..zip
  • details(random number).zip

Each .zip attachment is a zip archive containing the worm.
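The subject lines and attachment names listed above are usable as a mail-gateway screening rule. The following Python script is an added example, not part of this alert or of the vendor's own tooling: it parses a raw message, checks the Subject header against the advisory's list and each attachment filename against the advisory's name patterns (assuming "(random number)" stands for one or more decimal digits), and reports what matched. The two sample messages are constructed for the demonstration; the attachment body is a placeholder, not worm content.

```python
import re
from email import message_from_string

# Subject lines quoted in the advisory, matched exactly (including the worm's own typos).
NETSKY_P_SUBJECTS = {
    "Stolen document", "Re:Hello", "Mail Delivery ( failure sender address )",
    "Private document", "Re:Notify", "Re:document", "Re:Extended Mail System",
    "Re:Proctected Mail System", "Re:Question", "Postcard",
}

# Attachment names from the advisory; "(random number)" is assumed to be \d+.
NETSKY_P_ATTACHMENTS = [
    r"websites\d+\.zip", r"document\d+\.zip", r"your_document\.zip",
    r"part\d+\.zip", r"message\.doc\.scr", r"message\.zip", r"document\.zip",
    r"old_photos\.txt\.pif", r"postcard_\.\d+\.\.zip", r"details\d+\.zip",
]
ATTACHMENT_RE = re.compile("^(?:" + "|".join(NETSKY_P_ATTACHMENTS) + ")$", re.IGNORECASE)


def classify_message(raw: str) -> dict:
    """Return which Netsky.p mail indicators a raw RFC 822 message matches.

    A matching attachment name is treated as sufficient on its own; a matching
    subject is reported but is too generic (e.g. "Re:Hello") to flag by itself.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [n for n in names if ATTACHMENT_RE.match(n)]
    return {
        "subject_match": subject in NETSKY_P_SUBJECTS,
        "attachment_matches": hits,
        "suspicious": bool(hits),
    }


# Constructed sample resembling the advisory's description (placeholder attachment body).
SAMPLE_WORM_MAIL = (
    "From: someone@example.invalid\nTo: victim@example.invalid\n"
    "Subject: Re:Proctected Mail System\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nProtected message is available\n"
    '--b1\nContent-Type: application/zip; name="websites3104.zip"\n'
    'Content-Disposition: attachment; filename="websites3104.zip"\n'
    "Content-Transfer-Encoding: base64\n\nUEsDBA==\n--b1--\n"
)

# Constructed benign sample for comparison.
SAMPLE_CLEAN_MAIL = (
    "From: colleague@example.invalid\nTo: victim@example.invalid\n"
    'Subject: Meeting notes\nContent-Type: application/pdf; name="notes.pdf"\n'
    'Content-Disposition: attachment; filename="notes.pdf"\n\n%PDF-1.4\n'
)

if __name__ == "__main__":
    print(classify_message(SAMPLE_WORM_MAIL))
    print(classify_message(SAMPLE_CLEAN_MAIL))
```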

More info on this worm:
http://vil.nai.com/vil/content/v_101119.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101119.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
