Virus

W32/Netsky.fam

Analysis

  • Creates a mutex named Rabbo_Mutex to make sure that there is only one instance of the worm running.
  • Copies itself to the System folder as AVprotect9x.exe.

    Adds the following value to run itself at each Windows startup:
    9xHtProtect = "%WINDOWS%\AVprotect9x.exe", where %WINDOWS% refers to the Windows folder
    to the following subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Email Propagation
  • Gathers email addresses from the Microsoft Windows Address Book and from the following locations:
    • %WINDOWS%\Temporary Internet Files
    • %USERPROFILE%\Local Settings\Temporary Internet Files
    • %SYSTEM%\

  • Gathers email addresses from files containing the following extensions on Drives C through Z:
    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .html
    • .jsp
    • .msg
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab
    • .wsh
    • .xml

  • Uses its own SMTP engine to send itself to email addresses that it finds.
  • Uses the local DNS server, if available, to perform an MX lookup for the recipient address. If the local DNS lookup fails, it performs the lookup against a hard-coded list of DNS servers.

  • The email has the following format:
    From: [spoofed]
    Subject: one of the following:
    • Re: Requested file
    • Re: My file
    • Re: My document
    • Re: My information
    • Re: My details
    • Re: Information
    • Re: Improved
    • Re: Requested document
    • Re: Document
    • Re: Details
    • Re: Your document
    • Re: Your details
    • Re: Approved

    Message Body: one of the following:
    • Details for %s.
    • Document %s.
    • I have received your document. The improved document %s is attached.
    • I have attached your document %s.
    • Your document %s is attached to this mail.
    • Authentification for %s required.
    • Requested file %s.
    • See the file %s.
    • Please read the important message msg_%s.
    • Please confirm the document %s.
    • %s is attached.
    • Your file %s is attached.
    • Please read the document %s.
    • Your document %s is attached.
    • Please read the attached file %s.
    • Please see the attached file %s for details..

    Attachment: one of the following:
    • improved_%s.pif
    • message_%s.pif
    • detailed_%s.pif
    • your_document_%s.pif
    • word_doc_%s.pif
    • doc_%s.pif
    • articel_%s.pif
    • picture_%s.pif
    • file_%s.pif
    • your_file_%s.pif
    • details_%s.pif
    • document_%s.pif
    • %s.pif

    Note: %s refers to the user name portion of the email address that it sends to.
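    Added example (not Fortinet's code): a Python check that parses one raw message and tests whether its subject, body and attachment name all follow the template above for the addressed recipient, with %s resolved to the local part of the To address. The sample message it builds is constructed for the demonstration and carries an inert attachment.

```python
import email
from email import policy, utils
from email.message import EmailMessage

# Strings quoted from the analysis above; %s is the local part of the recipient address.
SUBJECTS = {
    "Re: Requested file", "Re: My file", "Re: My document", "Re: My information",
    "Re: My details", "Re: Information", "Re: Improved", "Re: Requested document",
    "Re: Document", "Re: Details", "Re: Your document", "Re: Your details", "Re: Approved",
}
BODIES = [
    "Details for %s.", "Document %s.", "I have attached your document %s.",
    "I have received your document. The improved document %s is attached.",
    "Your document %s is attached to this mail.", "Authentification for %s required.",
    "Requested file %s.", "See the file %s.", "Please read the important message msg_%s.",
    "Please confirm the document %s.", "%s is attached.", "Your file %s is attached.",
    "Please read the document %s.", "Your document %s is attached.",
    "Please read the attached file %s.", "Please see the attached file %s for details..",
]
ATTACHMENT_PREFIXES = ["improved_", "message_", "detailed_", "your_document_", "word_doc_",
                       "doc_", "articel_", "picture_", "file_", "your_file_", "details_",
                       "document_", ""]

def classify(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which Netsky.fam traits it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipient = utils.parseaddr(str(msg.get("To", "")))[1]
    user = recipient.split("@", 1)[0]           # the value the worm substitutes for %s
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().strip() if body_part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "subject": str(msg.get("Subject", "")) in SUBJECTS,
        "body": any(t % user == text for t in BODIES),
        "attachment": any(n == f"{p}{user}.pif" for p in ATTACHMENT_PREFIXES for n in names),
    }
    hits["netsky_fam"] = all(hits.values())     # all three traits match this recipient
    return hits

def sample_message(recipient: str = "alice@example.com") -> bytes:
    """Constructed message that follows the worm's template; the attachment is inert filler."""
    user = recipient.split("@", 1)[0]
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.net"
    m["To"] = recipient
    m["Subject"] = "Re: Your document"
    m.set_content("Your document %s is attached." % user)
    m.add_attachment(b"placeholder bytes, not an executable", maintype="application",
                     subtype="octet-stream", filename=f"document_{user}.pif")
    return m.as_bytes()
```

A message that matches only the subject (a genuine "Re: Your document" reply) is reported trait by trait rather than flagged, so the three signals can be weighted separately in a gateway rule.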

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.