Virus

W32/Netsky.P@mm

Analysis

Update 3-10-2005: Antivirus update v4.623 adds enhanced detection of this threat. Detection originally posted in v4.263 AV update.
The virus is a 32-bit executable with a packed file size of 29,568 bytes, and is a variant of W32/Netsky.N-mm. It contains its own SMTP code to send itself by email, chooses from multiple subject line and body text possibilities, and implements a known exploit to automatically launch attached executables within email messages. The virus also encrypts the majority of its code.


Load At Windows Startup
If the virus is run, it writes itself to the system and modifies the registry so that the virus is launched automatically at the next Windows startup -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Norton Antivirus AV" = C:\WINNT\FVProtect.exe

The virus may write itself to the Windows folder as several names -

c:\WINNT\base64.tmp - Base64 encoded copy of virus
c:\WINNT\zip3.tmp - Base64 encoded copy of virus
c:\WINNT\zip2.tmp - Base64 encoded copy of virus
c:\WINNT\zip1.tmp - Base64 encoded copy of virus
c:\WINNT\userconfig9x.dll - 26,624 bytes - virus component, decrypts virus body
c:\WINNT\FVProtect.exe - 29,568 bytes - copy of virus

While memory resident as a process, the virus is referenced by these Mutex names -

_-oOxX|-S-k-y-N-e-t-|Xx[Oo-_
'D'r'o'p'p'e'd'S'k'y'n'e't'
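An added host-side check for the three persistence artifacts listed above (the Run value, the dropped files in the Windows folder and the two mutex names). This is example code written for this page, not Fortinet's own tooling: the live collector assumes Windows (winreg and kernel32.OpenMutexW), while assess_host is a pure function so it can be exercised with collected or constructed state on any OS.

```python
import ctypes
import os

# Indicators from the analysis above (registry value, dropped files, mutexes).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
                 "zip1.tmp", "zip2.tmp", "zip3.tmp"}
MUTEX_NAMES = ("_-oOxX|-S-k-y-N-e-t-|Xx[Oo-_", "'D'r'o'p'p'e'd'S'k'y'n'e't'")

def assess_host(run_values: dict, windir_files: set, held_mutexes: set) -> list:
    """Pure check over already-collected state, so it runs on any OS."""
    findings = []
    target = run_values.get(RUN_VALUE_NAME, "")
    if target.lower().endswith("fvprotect.exe"):
        findings.append(f"Run value '{RUN_VALUE_NAME}' -> {target}")
    for name in sorted(DROPPED_FILES & {n.lower() for n in windir_files}):
        findings.append(f"dropped file {name}")
    for mutex in MUTEX_NAMES:
        if mutex in held_mutexes:
            findings.append(f"mutex {mutex}")
    return findings

def collect_windows_state():
    """Gather live state; Windows only (winreg and kernel32.OpenMutexW)."""
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            run_values[name] = str(data)
            index += 1
    windir_files = set(os.listdir(os.environ.get("SystemRoot", r"C:\WINNT")))
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    held = set()
    for mutex in MUTEX_NAMES:  # SYNCHRONIZE access is enough to probe existence
        handle = kernel32.OpenMutexW(0x00100000, False, mutex)
        if handle:
            held.add(mutex)
            kernel32.CloseHandle(ctypes.c_void_p(handle))
    return run_values, windir_files, held

if __name__ == "__main__" and os.name == "nt":
    for finding in assess_host(*collect_windows_state()):
        print("found:", finding)
```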


Email Spreading
The virus contains code to send itself as an email attachment to email addresses found on the target computer. It scans the hard drive for email addresses; for each address found, it attempts to use the mail exchange server for the domain of that address. For instance, if the email address is "xyz" at company.com, the virus runs a DNS query for the MX record of "xyz.company.com", then tries to send itself as an email attachment.

The virus avoids selecting email addresses which contain any of these strings in the domain name or prefix -

@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@

The email may be formatted to exploit a vulnerability in the way mail clients handle the MIME format, causing the attachment to launch and execute automatically, as in this example -

Content-Type: audio/x-wav;
name="message.scr"

The virus searches inside files with these extensions for what is considered a valid email address -

.jsp
.wsh
.xml

The subject line is chosen at random from a table of possibilities; below is a short list of the actual table -

Fwd: Warning again
Here is it!
Notice again
Please answer quickly!
Please confirm my request.
Please confirm!
Private document
Re: Administration
Re: Approved document
Re: Bad Request
Re: Delivery Protection
Re: Delivery Server
Re: Developement
Re: Encrypted Mail
Re: Error
Re: Extended Mail
Re: Extended Mail System
Re: Failure
Re: Hello
Re: Hi
Re: Is that your document?
Re: Its me
Re: List
Re: Mail Authentification
Re: Mail Server
Re: Message Error
Re: Notify
Re: Order
Re: Proof of concept
Re: Protected Mail Delivery
Re: Protected Mail Request
Re: Protected Mail System
Re: Request
Re: Secure delivery
Re: Secure SMTP Message
Re: SMTP Server
Re: Status
Re: Test
Re: Thank you for delivery
Re: Your document
Shocking document
Spam
Spamed?
Stolen document
Thanks!
Try this, or nothing!
Your details.
Your document.

The email body text is chosen at random from another table of possibilities and includes some of these -

Bad Gateway: The message has been attached.
Delivered message is attached.
Encrypted message is available.
First part of the secure mail is available.
Follow the instructions to read the message.
For further details see the attachment.
For more details see the attachment.
Forwarded message is available.
I have attached your document.
I have received your document. The corrected document is attached.
New message is available.
Now a new message is available.
Partial message is available.
Please authenticate the secure message.
Please read the attachment to get the message.
Protected Mail System Test.
Protected message is attached.
Protected message is available.
Secure Mail System Beta Test.
SMTP: Please confirm the attached message.
Waiting for a Response. Please read the attachment.
Waiting for authentification.
You got a new message.
You have received an extended message. Please read the instructions.
Your document is attached to this mail.
Your requested mail has been attached.


The virus may insert any of these groups of text into the email body to trick the user into believing the file has been scanned with an antivirus program and deemed safe -

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com

+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com

++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com

++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com

++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
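The MIME layout, the subject table and the fake scan banner described above, checked together over one sample message. This is an added example written for this page, not Fortinet's detection logic: the message is constructed, the subject subset and banner pattern are taken from the tables above, and the attachment body is placeholder base64, not the worm.

```python
import email
import re
from email import policy

# Indicators taken from the tables above (subject subset, fake scan banner, extensions).
NETSKY_P_SUBJECTS = {"Re: Protected Mail Delivery", "Re: Secure SMTP Message",
                     "Re: Mail Authentification", "Fwd: Warning again", "Stolen document"}
EXEC_EXTENSIONS = (".scr", ".exe", ".pif", ".zip")
FAKE_SCAN_BANNER = re.compile(r"^\+{3,4} Attachment: No Virus found", re.MULTILINE)

def netsky_p_indicators(raw_message: bytes) -> list:
    """Return the Netsky.P traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in NETSKY_P_SUBJECTS:
        hits.append("subject from Netsky.P table")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(EXEC_EXTENSIONS):
            hits.append(f"executable attachment {name}")
            # The MIME trick from the analysis: an executable name carried under
            # an audio/* type that a vulnerable client would launch automatically.
            if ctype.startswith("audio/"):
                hits.append(f"{ctype} wrapping {name}")
        elif ctype == "text/plain" and FAKE_SCAN_BANNER.search(part.get_content()):
            hits.append("fake 'No Virus found' banner")
    return hits

# Constructed sample modelled on the analysis; not a real capture.
SAMPLE = b"""From: someone@company.com
Subject: Re: Protected Mail Delivery
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Protected message is attached.

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
--BOUND
Content-Type: audio/x-wav;
 name="message.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUND--
"""
```

Calling netsky_p_indicators(SAMPLE) returns one entry per trait found; a message with none of the traits returns an empty list.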


The "From" field is forged, and the file attachment is a copy of the virus.
The attachment may be a Base64-encoded copy of the virus; the virus stores Base64 copies of itself on the infected system under these file names -

zip3.tmp
zip2.tmp
zip1.tmp
base64.tmp

The virus then attaches one of the .TMP files under a file name with a .SCR, .EXE or .PIF extension. The attached file could also be a .ZIP file; the name is chosen from a table of possible names such as these -

about_you
abuse_list
abuses
account
all_doc01
all_in_all
application
approved
approved
archive
attach
bill
corrected
d4334938
data
data02
data20
datfiles
detail3
details
details03
details05
doc_word3
doc01
document
document_all
document_all02c
document_with_notice
document01
document04
document05
document07
document09
document342
document43
encrypted_msg01
file
game
game_xxo
id04009
id09509
id43342
important
important
improved
info02
information
letter
letter32
letter43
list_ed
mails9
message
msg
my_details
my_list01
my_numbers
News
news01
part_01
part6
patch3425
patched
pgp_sess01
photo
po44u90ugjid¯k9z5894z0
Postcard
priv
private_01
product
pwd02
readme
report01
sample01
screensaver
signature
software
story
summary2004
text
text01
website
websitelist01
websites01
websites03
word_doc
your_doc
your_document


P2P File Propagation
The virus will search the hard drive for folders that have these strings in the name -

bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload

For each folder found, the virus will copy itself as these file names to those locations -

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe


Bagle/MyDoom Virus Clean-up
This virus removes registry keys associated with the W32/MyDoom and W32/Bagle viruses. It terminates threads matching specific strings and deletes registry keys known to belong to the MyDoom and Bagle families.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • This virus can be blocked by FortiGate; using the FortiGate manager, enable blocking of .EXE, .PIF, .SCR and .ZIP files using SMTP, POP3 and IMAP services