Virus

W32/Netsky.D@mm

Analysis


Specifics
The virus is a 32-bit executable with a packed file size of 17,424 bytes and is a minor variant of W32/Netsky.A@mm. It contains code to send itself by email and to remove references to W32/Mydoom infections.


Load At Windows Startup
If the virus is run, it writes itself to the system and modifies the registry so that it is run automatically at the next Windows startup with the parameter "-stealth" -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"ICQ Net" = "C:\WINNT\winlogon.exe -stealth"


Email Spreading
The virus contains code to send itself as an attachment to an email, to email addresses found on the target computer. The virus scans the hard drive for email addresses. For each address found, it attempts to use the mail exchange server related to the domain of that address; for instance, if the email address is "xyz" at company.com, the virus runs a DNS query for the MX record for "xyz.company.com", then tries to send itself as an email attachment.

When the virus is searching for email addresses, it avoids any email addresses that may contain the following strings -

abuse
antivi
aspersky
avp
cafee
fbi
f-pro
f-secur
icrosoft
itdefender
messagelabs
orman
orton
skynet
spam
ymantec

The subject lines are chosen at random from a table of possible choices -

Here is the file.
Please have a look at the attached file.
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.

The body text is chosen from a list of possible choices -

Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

The "From" field is forged, and the file attachment will be one of these hard-coded file names -

all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif


Mydoom Virus Removal
The virus will search for registry keys associated with the W32/Mydoom virus and delete them if found. The virus will also attempt to terminate tasks associated with the Mydoom virus.


Miscellaneous
The virus contains this string in its unpacked body -

be aware! Skynet.cz - -->AntiHacker Crew<--


Recommended Action

  • This virus can be blocked at the gateway by not allowing .PIF extensions to be delivered. Using the FortiGate manager, make sure .PIF extensions are blocked for the SMTP, IMAP and POP3 services.
  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.