Description
Win32.HLLM.Netsky.18348 [Netsky.W] is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. The size of the program module of the worm (UPX-packed) is 24,064 bytes.
The worm spreads via e-mail using its own SMTP engine. It also deletes registry keys and values created by other malware.
Launching
To secure its automatic execution at every Windows startup the worm adds the value
"NetDy"="%WinDir%\VisualGuard.exe"
to the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreading
The worm harvests e-mail addresses from files with the following extensions:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml
The mail message infected with the worm may look as follows.
The subject is composed of several parts.
Part 1:
Re: Re: Re:
Part 2:
my
your
read it immediately
important
improved
patched
corrected
approved
thanks!
hello
hi
here
document_all
text
message
data
excel document
word document
bill
screensaver
application
website
product
letter
information
details
file
document
important
approved
The message body can be one of the following:
Your details.
Your document.
I have received your document.
The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
The text ends with a so-called signature:
--------------------------------------------
[attachment]: No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com
followed by Symantec's logo.
Attachment:
document_all_%s
text_%s
message_%s
data_%s
excel document_%s
word document_%s
bill_%s
screensaver_%s
application_%s
website_%s
product_%s
letter_%s
information_%s
details_%s
file_%s
document_%s
where %s is the part of the recipient's e-mail address before @. The extension of the attachment can be .zip, .scr, .exe or .pif.
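The message layout described above (subject built from a "Re:" prefix plus one word from a fixed list, a fake "No virus found" signature, and an attachment named `<prefix>_<recipient local part>.<ext>`) is easy to turn into a mail-gateway heuristic. The following is an added example written for this page, not code from the vendor or from the worm; it uses only the Python standard library, and both sample messages are constructed in the block (the attachment bytes are placeholders, not a real sample).

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from os.path import splitext

# Lexicon taken from the description above: subject "part 2" words,
# attachment name prefixes and extensions, and the fake scanner signature.
SUBJECT_WORDS = {
    "my", "your", "read it immediately", "important", "improved", "patched",
    "corrected", "approved", "thanks!", "hello", "hi", "here", "document_all",
    "text", "message", "data", "excel document", "word document", "bill",
    "screensaver", "application", "website", "product", "letter",
    "information", "details", "file", "document",
}
ATTACHMENT_PREFIXES = (
    "document_all", "text", "message", "data", "excel document",
    "word document", "bill", "screensaver", "application", "website",
    "product", "letter", "information", "details", "file", "document",
)
ATTACHMENT_EXTS = {".zip", ".scr", ".exe", ".pif"}
FAKE_SIGNATURE = "Powered by the new Norton OnlineScan"

# Strips any number of leading "Re:" tokens ("Re: Re: Re:" in the description).
_RE_PREFIX = re.compile(r"^(?:\s*re:)*\s*", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed message mimicking the described layout (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "alice@example.com"
    m["Subject"] = "Re: Re: approved"
    m.set_content(
        "Your document is attached.\n\n"
        "--------------------------------------------\n"
        "[attachment]: No virus found\n"
        "Powered by the new Norton OnlineScan\n"
        "Get protected: www.symantec.com\n"
    )
    # Placeholder bytes standing in for the executable attachment.
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename="document_alice.pif")
    return m.as_bytes()


def build_clean_message() -> bytes:
    """Constructed benign message used as the negative case."""
    m = EmailMessage()
    m["From"] = "bob@example.org"
    m["To"] = "alice@example.com"
    m["Subject"] = "Re: meeting notes"
    m.set_content("Attached are the notes from today.\n")
    m.add_attachment(b"%PDF-placeholder", maintype="application",
                     subtype="pdf", filename="notes.pdf")
    return m.as_bytes()


def score_message(raw: bytes) -> dict:
    """Check one raw RFC 822 message against the three indicators above."""
    msg = message_from_bytes(raw, policy=policy.default)
    recipient = parseaddr(msg.get("To", ""))[1]
    local_part = recipient.split("@", 1)[0].lower()

    # Subject: after removing "Re:" prefixes, the rest must be one lexicon word.
    subject = _RE_PREFIX.sub("", msg.get("Subject", "")).strip().lower()
    subject_match = subject in SUBJECT_WORDS

    # Body: the fake "Norton OnlineScan" signature.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    fake_signature = FAKE_SIGNATURE in body

    # Attachment: <prefix>_<recipient local part> with a listed extension.
    attachment_match = False
    for part in msg.iter_attachments():
        stem, ext = splitext((part.get_filename() or "").lower())
        if ext in ATTACHMENT_EXTS and any(
            stem == f"{prefix}_{local_part}" for prefix in ATTACHMENT_PREFIXES
        ):
            attachment_match = True

    indicators = sum((subject_match, fake_signature, attachment_match))
    return {
        "subject_match": subject_match,
        "fake_signature": fake_signature,
        "attachment_match": attachment_match,
        "suspicious": indicators >= 2,
    }


if __name__ == "__main__":
    print(score_message(build_sample_message()))
    print(score_message(build_clean_message()))
```

Requiring two of the three indicators keeps a single generic subject word such as "important" from flagging ordinary mail; the attachment-name check is the strongest signal because it ties the file name to the recipient address, which legitimate senders rarely do.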
Action
Being executed, the worm creates a mutex "NetDy_Mutex_Psycho". It drops its copy named VisualGuard.exe into the Windows folder (C:\Windows on Windows 9x/Me/XP, C:\WINNT on Windows NT/2000). In the same folder the worm creates several more files:
- base64.tmp – base64-encoded copy of the worm sent via e-mail
- zip1.tmp, zip2.tmp, zip3.tmp, zip4.tmp, zip5.tmp, zip6.tmp – base64-encoded archived copies of the worm
- zipped.tmp – the worm's temporary zipped copy
It deletes the values
Explorer
System.
msgsvr32
Service
DELETE ME
Sentry
Taskmon
Windows Services Host
from the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It deletes the values
Explorer
au.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Windows Services Host
Taskmon
sysmon.exe
srate.exe
ssate.exe
from the registry entry
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It deletes the value
System.
from the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
It deletes the following keys:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
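The persistence artifact from the Launching section (a "NetDy" value under the Run key pointing at VisualGuard.exe) is what an analyst looks for when triaging a host from an exported registry hive. The block below is an added example for this page, not the vendor's tooling: it parses a `.reg` export, lists every Run/RunServices entry for context, and flags entries matching that indicator. The export text is constructed inline and the non-Netsky entries in it are invented filler.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not from a real host). It carries the Netsky.W
# persistence value described above plus unrelated filler entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetDy"="C:\\WINDOWS\\VisualGuard.exe"
"SomeBackupTool"="\"C:\\Program Files\\Backup\\agent.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"FillerService"="C:\\WINDOWS\\system32\\filler.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data ; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
NETSKY_VALUE_NAME = "netdy"          # value name from the Launching section
NETSKY_IMAGE = "visualguard.exe"     # dropped file name from the Action section


def _unescape(s: str) -> str:
    """.reg syntax escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only quoted (REG_SZ) data is unescaped; dword:/hex: data and the
    default value (@=) are left as raw text or skipped, which is enough
    for autorun triage.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _image_name(command: str) -> str:
    """Executable file name from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def list_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Every (key, value_name, data) under a Run or RunServices key."""
    entries = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                entries.append((key, name, data))
    return entries


def find_netsky_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Autorun entries matching the Netsky.W value name or image name."""
    return [
        (key, name, data)
        for key, name, data in list_autoruns(text)
        if name.lower() == NETSKY_VALUE_NAME or _image_name(data) == NETSKY_IMAGE
    ]


if __name__ == "__main__":
    for entry in list_autoruns(SAMPLE_REG_EXPORT):
        print("autorun:", entry)
    for hit in find_netsky_persistence(SAMPLE_REG_EXPORT):
        print("NETSKY INDICATOR:", hit)
```

Matching on either the value name or the image name matters in practice: a cleaned-up variant may keep the file name but rename the value, or the reverse, and a triage script that keys on one of them alone misses the other case. The mutex name "NetDy_Mutex_Psycho" cannot be seen in a registry export; it has to be checked on the live system.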