La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Win32.HLLM.Netsky.18348

(W32/Netsky.s@MM, Parser error, Worm/Netsky.#1, Email-Worm.Win32.NetSky.t, Possible_Mlwr-13)

Aggiunto al database dei virus Dr.Web: 2004-04-18

La descrizione è stata aggiunta:

Description

Win32.HLLM.Netsky.18348 [Netsky.W] is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. The size of the program module of the worm (UPX-packed) is 24, 064 bytes.
the worm disseminates via e-mail using its own SMTP engine. It deletes keys and values created in the system registry by other malwares.

Launching

To secure its automatic execution at every Windows startup the worm adds the value
\"NetDy\"=\"%WinDir%\\VisualGuard.exe\"
to the registry entry
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

Spreading

The worm harvests e-mail addresses from files with the following extensions:

 
   .adb
   .asp
   .cgi
   .dbx
   .dhtm
   .doc
   .eml
   .htm
   .html
   .jsp
   .msg
   .oft
   .php
   .pl
   .rtf
   .sht
   .shtm
   .tbb
   .txt
   .uin
   .vbs
   .wab
   .wsh
   .xml
            
The mail message infected with the worm may look as follows.

The subject is composed of several parts.

Part 1:

     
   Re: 
   Re: Re:    
                
Part 2
   my
   your
   read it immediately 
   important 
   improved 
   patched 
   corrected 
   approved 
   thanks! 
   hello 
   hi 
   here 
   document_all 
   text 
   message 
   data 
   excel document 
   word document 
   bill 
   screensaver 
   application 
   website 
   product 
   letter 
   information 
   details 
   file 
   document 
   important 
   approved 
                
The Message body can be one of the following:
   Your details.
   Your document.
   I have received your document. The corrected document is attached.
   I have attached your document.
   Your document is attached to this mail.
   Authentication required.
   Requested file.
   See the file.
   Please read the important document.
   Please confirm the document.
   Your file is attached.
   Please read the document.
   Your document is attached.
   Please read the attached file.
   Please see the attached file for details.
            
the text ends with a so-called signature:
   
   --------------------------------------------
   [attachment]: No virus found
   Powered by the new Norton OnlineScan
   Get protected: www.symantec.com
   
   
       
followed by Symantec’s logo.

Attachment:

   
   document_all_%s 
   text_%s 
   message_%s 
   data_%s 
   excel document_%s 
   word document_%s 
   bill_%s 
   screensaver_%s 
   application_%s 
   website_%s 
   product_%s 
   letter_%s 
   information_%s 
   details_%s 
   file_%s 
   document_%s 
           
where %s is a part of the recipient’s e-mail address before @. The extensions of the attachment can be .zip, .scr, .exe or .pif.

Action

Being executed, the worm creates a mutex “NetDy_Mutex_Psycho” . It drops to the Windows folder (in Windows 9x/ME/XP it’s C:\\Windows, in Windows NT/2000 it’s C:\\WINNT ) its copy named VisualGuard.exe. In the same folder the worm creates several more files:

  • base64.tmp – worm’s base64 copy sent via e-mail
  • zip1.tmp, zip2.tmp, zip3.tmp, zip4.tmp, zip5.tmp, zip6.tmp –base64 archived copies of the worm
  • zipped.tmp – worm’s temporary WinZip copy
The worm makes the following changes in the system registry:
  • It deletes the values
    Explorer
    System.
    msgsvr32
    Service
    DELETE ME
    Sentry
    Taskmon
    Windows Services Host

    from the registry entry
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\
  • It delete values
    Explorer
    au.exe
    d3dupdate.exe
    OLE
    gouday.exe
    rate.exe
    Windows Services Host
    Taskmon
    sysmon.exe
    srate.exe
    ssate.exe
    from the registry entry
    HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\
  • It deletes the value System.
    from the registry entry
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\\
  • It deletes the following keys:
    HKCR\\CLSID\\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InProcServer32
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PINF
    HKLM\\System\\CurrentControlSet\\Services\\WksPatch