Virus

W32/Netsky.C@mm

Analysis


Specifics
The virus is a 32-bit executable with a packed file size of 25,352 bytes, and is a minor variant of W32/Netsky.A-mm. There may be another strain of the same variant with a packed file size of 28,160 bytes; however, it is the same code packed with a different packing utility. The 28,160 byte sample is identified using v4.229 definitions.
The virus contains code to send itself by email, and to write itself to folders which may be shared or related to P2P file sharing applications - the virus will also write itself to all subdirectories of the shared folders.


Load At Windows Startup
If the virus is run, it will write itself to the system and modify the registry to auto run the virus at next Windows startup using the parameter "-stealth" -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"ICQ Net" = "C:\WINNT\winlogon.exe -stealth"

Email Spreading
The virus contains code to send itself as an attachment to an email, to email addresses found on the target computer. The virus will scan the hard drive for email addresses; for each address found, the virus will attempt to use the mail exchange server related to the domain of the email address found; for instance, if the email address is "xyz" at company.com, the virus will run a DNS query for the MX record for "xyz.company.com", then try to send itself as an email attachment.

The subject lines and body text are chosen at random from a table of possible choices -

*lol*
;-)
<...>
<?}
<<<Failure>>>
<09580985869gj>
<Antispam complete>
<Attached Msg>
<Attachment from Poland>
<Attachment Signature 34933920>
<Automailer>
<bad gateway>
<Click the attachment to decrypt>
<Deliver Error>
<Failed message available>
<Mail failed>
<Message Error>
<null>
<scanned by norton antivirus>
<Server Error>
<Transfer complete>
<Warning from the Government>
a crazy doc about you
abuse?
account?
already?
another pic, have fun! ... :->
Antispam is turned off. See file!
are you a photographer?
are you a teacherin the picture?
are you cranky?
are you the naked one?
are you the naked person!
are you the one?
attachi#
Authentification required. Read the attachment!
be mad?
believe me
best?
bob the builder
child or adult?
child porn?
classroom test of you?
copyright?
correct it!
dear
Delivery Failed
denied!
did you ask me for that?
did you know from this document?
did you know that?
did you see her already?
did you sent it to me?
do not give up!
do not open the attachment!
do not show this anyone!
do not use my document!
do not use this creditcard!
do not visit the pages on the list I sent!
do you have an orgasm in the picture?
do you have sex in the picture?
do you have the bug also?
do you have?
do you know the thief?
do you know this????
do you think so?
doc about me?
doc?
docs?
does it belong to you?
does it match?
does it matter?
drugs? ...
error
excellent!
exception
excuse me
explain!
fake?
fast food...
feel free to use it.
File is bad.
File is damaged.
File is self-decryting.
forgotten?
from the chatter (my photo!)
from your lover ;-)
gonna?
good morning
good work!
great job!
great xxx!
great!
greetings
hello
help attached
her.
Here is it
here is it.
here is my advice.
here is my photo!
here is the $undefinedundefined454$
here is the <censored>
here is the document.
here is the next one!
here is yours!
here, the cheats
here, the introduction
here, the serials
hey
hi
how?
i am desperate
i am speachless about your document!
I don't know your document!
i don't think so.
i don't want your xxx pics!
i found that about you!
i found this document about you.
i have received this.
I have your password!
i hope thats not true!
i know your document!
i like your doc!
i lost that
i need you!
i saw you last week!
I 've found your bill!
I wait for an answer!
i wait for your comment about it.
i want more...
illegal st. of you?
illegal...
I'm back!
important
important?
in your mind?
incest?
info
information about you?
Instant patches.
instruct me about this!
is that criminal?
is that possible?
is that the reality?
is that true?
is that your account?
is that your attachment?
is that your beast?
is that your car?
is that your cd?
is that your creditcard?
is that your domain?
is that your family?
is that your finger?
is that your message?
is that your name?
is that your photo?
is that your porn pic?
is that your privacy?
is that your slip?
is that your TAN?
is that your website?
is that your wife?
is that your work?
is that yours?
is the pic a fake?
is this information about you?
it's a secret!
its me
its private from me
it's so similar as yours!
i've found it about you
kill him on the picture!
kill the writer of this document!
last chance!
let it!
lets talk about it!
Login required! Read the attachment!
lol
love letter?
man or women?
meaning of that?
message?
Microsoft
misc. and so on. see you!
modifications?
moin
money?
msg
my advice....
never!
new patch is available!
notice!
notification
oh
ok...
old photos about you?
only encrypted!
pages?
personal message!
picture?
poor quality!
possible?
pretty pic about you?
private?
pwd?
Question
question
re:
Re: <5664ddff?$??º2>
Re: does it?
Re: excuse me
Re: hello
Re: hey
Re: hi
Re: important
Re: information
Re: Re: Re: Re:
Re: unknown
read it immediatelly
read it immediately!
read the details.
really?
reply
report
schoolfriend?
see this!
see your name!
solve the problem!
something about you!
something for you
something is going ...
something is going wrong!
something is not ok
Status
stolen
stuff about you?
such as yours?
take it
take it easy!
tell me more about your document!
test it
that is interesting...
that's a funny text.
that's not the truth?
thats wrong!
the information is wrong!
the truth?
this file is bad!
this is an attachment message!
this is nothing for kids!
time to fear?
Transaction failed. Show the doc!
trial?
trust me
try this patch!
warning
what do you think about it?
what means that?
what still?
what?
what's up?
who?
why should I?
why?
wrong calculation! (see the attachment!)
xxx ?
xxx about you?
xxx service
Yep
yes.
you are a bad writer
you are bad
You are infected. Read the details!
you are naked in this document!
you are sexy in this doc!
you cannot hide yourself! (see photo)
you earn money, see the attachment!
you feel the same.
you have a sexy body in the pic!
you have done a mistake in the document!
you have tried to steal!
you look like an ape!
you look like an rat?
you won the rk!
you?
your account is expired!
your are naked?
your attachment? verify it.
Your bill.
your body?
your design is not good!
your document is not good
your document is silly!
your eyes?
your face?
your hero in the picture?
your icq number?
your job? (I found that!)
your lie is going around the world!
your name is wrong!
your personal record?
your photo is poor
Your provider will be disabled!
your TAN number?
yours?
The "From" field is forged, and the file attachment is a Base64 encoding of the virus. The attachment may have one of the following file names with an extension of .com, .exe, .pif, .scr, or .zip, or a double extension such as .HTM.PIF -

454543403
aboutyou
associal
attach2
attachment
auction
bill
birth
card
class_photos
concert
creditcard
death
description
details
dinner
disco
doc
doc_ang
document
final
found
freaky
friend
id
image
incest
information
injection
intimate stuff
jokes
letter
location
mail2
mails
masturbation
material
me
message
misc
moonlight
more
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
number_phone
object
old_photos
part2
party
paypal
pic
portmoney
poster
posting
privacy
product
ps
ranking
regards
regid
release
response
schock
secrets
sexual
sexy
shower
story
stuff
swimmingpool
talk
tear
textfile
topseller
transfer
trash
undefinied
unfolds
update
violence
visa
warez
webcam
website
wife
word_doc
worker
your_stuff
yours


Mydoom Virus Removal
The virus will search for registry keys associated with the W32/Mydoom virus and delete them if found. The virus will also attempt to terminate tasks associated with the Mydoom virus.


"Shared" Folder Propagation
The virus may write itself to the system in shared folders, and in folders related to P2P file sharing applications such as Kazaa - the virus will also write itself to each subdirectory of the initial shared folder; the virus will write itself under each of these file names -

1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
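The attachment names from the Email Spreading section and the drop names from the shared-folder list above share the same recognisable shapes (a name from a fixed table with an executable extension, or a document-looking extension followed by an executable one). The following added example, which is not Fortinet's own tooling, turns both tables into a small detector for mail gateway records and for a walk of a shared folder and its subdirectories; the name subsets, the hypothetical helper names and the constructed share tree are assumptions.

```python
"""Added example (not Fortinet's code): flag file names that match the
W32/Netsky.C@mm mail-attachment and P2P-drop patterns in this analysis."""
import os
import re
import tempfile

# Subsets of the tables in the analysis; extend from the full lists as needed.
ATTACH_BASES = {"creditcard", "document", "old_photos", "paypal", "your_stuff"}
ATTACH_EXTS = {".com", ".exe", ".pif", ".scr", ".zip"}
P2P_DROPS = {"serials.txt.exe", "norton antivirus 2004.exe", "how to hack.doc.exe"}
SUBJECTS = {"is that your tan?", "i have your password!", "you are infected. read the details!"}
# Document-looking extension followed by an executable one, e.g. ".HTM.PIF".
DOUBLE_EXT = re.compile(r"\.(htm|html|doc|rtf|txt|jpg|mp3)\.(com|exe|pif|scr)$")

def classify_name(name):
    """Return why a file name looks like a Netsky.C artefact, or None."""
    lower = name.lower()
    if lower in P2P_DROPS:
        return "known P2P drop name"
    if DOUBLE_EXT.search(lower):
        return "double extension"
    base, ext = os.path.splitext(lower)
    if ext in ATTACH_EXTS and base in ATTACH_BASES:
        return "known attachment name"
    return None

def check_mail(subject, attachment):
    """Score one message: the subject table and the attachment name both count."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("known subject")
    name_reason = classify_name(attachment) if attachment else None
    if name_reason:
        reasons.append(name_reason)
    return reasons

def scan_tree(root):
    """Walk root and every subdirectory, since the worm drops into each one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            reason = classify_name(f)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, f), root), reason))
    return sorted(hits)

def demo_share():
    """Constructed share tree (not real samples); returns the flagged entries."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "incoming"))
    for rel in ("Serials.txt.exe", "readme.txt", "incoming/Learn Programming.doc.exe"):
        open(os.path.join(root, rel), "w").close()
    return scan_tree(root)
```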


Miscellaneous
The virus contains this string in its unpacked body -

<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! --< SkyNet AV vs. Malware >- ->->


Recommended Action


FortiGate systems:
• check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option