Virus

W32/Netsky.Q@mm

Analysis


Specifics
The virus is a 32-bit Windows executable with a packed file size of 28,008 bytes, and is a variant of W32/Netsky.P@mm. It contains its own SMTP code to send itself by email, chooses from multiple subject line and body text possibilities, and implements a known exploit to automatically launch attached executables within email messages. The virus also encrypts a majority of its code. The virus contains a denial of service attack which targets these web sites -

www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st


Load At Windows Startup
If the virus is run, it writes itself to the system and modifies the registry so that the virus runs automatically at the next Windows startup -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"SysMonXP" = C:\WINNT\SysMonXP.exe

The virus may write itself to the Windows folder under several names -

c:\WINNT\base64.tmp - Base64 encoded copy of virus
c:\WINNT\zipo0.txt - Base64 encoded copy of virus
c:\WINNT\zipo1.txt - Base64 encoded copy of virus
c:\WINNT\zipo2.txt - Base64 encoded copy of virus
c:\WINNT\zipo3.txt - Base64 encoded copy of virus
c:\WINNT\zippedbase64.tmp - Base64 encoded copy of the virus
c:\WINNT\sysmonxp.exe - 28,008 bytes - copy of virus
c:\WINNT\firewalllogger.txt - 23,040 bytes - virus component

While memory resident as a process, the virus can be identified by this mutex name -

-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
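The persistence value and dropped file names listed above are the host-side indicators a responder would check first. The following script is an added example, not part of the original analysis and not Fortinet code: it parses a .reg export of the Run key (the format `reg export` writes, with REG_SZ backslashes doubled) and a directory listing, and reports any entry matching the indicators from this page. The registry export text and the file paths are constructed samples; the benign "ExampleUpdater" entry is made up for contrast.

```python
import re
from typing import Dict, List

# Indicators from the analysis above: the Run key, the value name the worm
# creates, and the files it drops into the Windows folder.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SysMonXP"
DROPPED_FILES = {
    r"c:\winnt\base64.tmp",
    r"c:\winnt\zipo0.txt",
    r"c:\winnt\zipo1.txt",
    r"c:\winnt\zipo2.txt",
    r"c:\winnt\zipo3.txt",
    r"c:\winnt\zippedbase64.tmp",
    r"c:\winnt\sysmonxp.exe",
    r"c:\winnt\firewalllogger.txt",
}

# Constructed sample of what "reg export" of the Run keys would produce on an
# infected host. Not a real capture; "ExampleUpdater" is a made-up benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysMonXP"="C:\\WINNT\\SysMonXP.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''

# Constructed directory listing of C:\WINNT (only a handful of entries).
SAMPLE_PATHS = [
    r"C:\WINNT\notepad.exe",
    r"C:\WINNT\sysmonxp.exe",
    r"C:\WINNT\zipo2.txt",
    r"C:\WINNT\firewalllogger.txt",
]

# "name"=data lines inside a key block; the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}} for named values.

    REG_SZ data is quoted with backslashes and quotes escaped; other types
    (dword:, hex:) are kept as their raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = raw
    return keys


def netsky_q_run_entries(reg_export: str) -> List[str]:
    """Return Run entries that match the worm's value name or its image path."""
    hits: List[str] = []
    for key, values in parse_reg_export(reg_export).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            # Match on either half: a renamed value still points at the dropped file.
            if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(r"\sysmonxp.exe"):
                hits.append(f'{key}\\"{name}" = {data}')
    return hits


def netsky_q_dropped_files(paths: List[str]) -> List[str]:
    """Return, sorted, the given paths that match the worm's dropped-file names."""
    return sorted(p for p in paths if p.lower() in DROPPED_FILES)


if __name__ == "__main__":
    for entry in netsky_q_run_entries(SAMPLE_REG_EXPORT):
        print("persistence:", entry)
    for path in netsky_q_dropped_files(SAMPLE_PATHS):
        print("dropped file:", path)
```

Matching on both the value name and the image path means a sample that only changed the "SysMonXP" label, but still launches the dropped executable, is not missed. The mutex name above cannot be checked from an export; it has to be queried on the live host.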


Email Spreading
The virus contains code to send itself as an email attachment to email addresses found on the infected computer. It scans the hard drive for email addresses; for each address found, it attempts to use the mail exchange server related to the domain of that address. For instance, if the email address is "xyz" at company.com, the virus will run a DNS query for the MX record for "xyz.company.com", then try to send itself as an email attachment.

The virus avoids selecting email addresses which contain any of these strings in the domain name or prefix -

@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@

The email may be in a format which exploits a vulnerability in MIME handling to cause the attachment to launch and execute automatically. The virus searches inside files with these extensions for what it considers a valid email address -

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

The subject line is chosen at random from a table of possibilities; below is a short excerpt of the actual table -

Delivery Bot
Server Error
Deliver Mail
Delivery Failed
Unknown Exception
Failed
Failure
Status
Error
Delivered Message
Mail System
Mail Delivery System
Mail Delivery failure
Delivery
Delivery Failure
Delivery Error

The email body text is chosen at random from another table of possibilities, which includes these -

Note: Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented


The "From" field is forged, and the file attachment is a copy of the virus, possibly Base64 encoded. The virus stores Base64 encoded copies of itself on the infected system under these file names -

c:\WINNT\zipo0.txt - Base64 encoded copy of virus
c:\WINNT\zipo1.txt - Base64 encoded copy of virus
c:\WINNT\zipo2.txt - Base64 encoded copy of virus
c:\WINNT\zipo3.txt - Base64 encoded copy of virus
c:\WINNT\zippedbase64.tmp - Base64 encoded copy of the virus

The virus then attaches one of the .TMP files under a file name with a .SCR or .PIF extension. The attachment could also be a .ZIP file; the name is chosen from a table of possible names such as these -

data
mail
msg
message
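The subject lines, body sentences, forged sender and attachment names described above are what a mail gateway can match on. The script below is an added example, not part of the original analysis and not Fortinet code: it scores a raw message against those indicators using Python's standard email parser, treating a blocked extension on its own as a weaker signal than a blocked extension combined with one of the worm's generic file names. Both messages are constructed samples; the attachment body is a base64 placeholder, not an executable.

```python
import email
import os
from email import policy
from typing import Dict, List

# Subject lines, body sentences and attachment names quoted in the analysis
# above, normalised to lower case for matching.
SUBJECTS = {s.lower() for s in [
    "Delivery Bot", "Server Error", "Deliver Mail", "Delivery Failed",
    "Unknown Exception", "Failed", "Failure", "Status", "Error",
    "Delivered Message", "Mail System", "Mail Delivery System",
    "Mail Delivery failure", "Delivery", "Delivery Failure", "Delivery Error",
]}
BODY_LINES = {s.lower() for s in [
    "Note: Received message has been sent as a binary file.",
    "Modified message has been sent as a binary attachment.",
    "Received message has been sent as an encoded attachment.",
    "Translated message has been attached.",
    "Message has been sent as a binary attachment.",
    "Received message has been attached.",
    "Partial message is available and has been sent as a binary attachment.",
    "The message has been sent as a binary attachment.",
    "Delivery Agent - Translation failed",
    "Delivery Failure - Invalid mail specification",
    "Mail Delivery Failure - This mail couldn't be shown.",
    "Mail Delivery System - This mail contains binary characters",
    "Mail Transaction Failed - This mail couldn't be converted",
    "Mail Delivery Error - This mail contains unicode characters",
    "Mail Delivery Failed - This mail couldn't be represented",
]}
ATTACHMENT_STEMS = {"data", "mail", "msg", "message"}
ATTACHMENT_EXTS = {".scr", ".pif", ".zip"}

# Constructed sample of a worm-style message: forged From, subject and body
# from the tables above, .PIF attachment. The base64 is a text placeholder.
SAMPLE_MESSAGE = b"""From: postmaster@example.net
To: someone@example.org
Subject: Mail Delivery failure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Modified message has been sent as a binary attachment.

--BOUNDARY
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUNDARY--
"""

# Constructed ordinary message for contrast.
BENIGN_MESSAGE = b"""From: alice@example.org
To: bob@example.org
Subject: Lunch on Thursday?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Are you free at noon?
"""


def netsky_q_indicators(raw: bytes) -> Dict[str, object]:
    """Score a raw RFC 822 message against the indicators listed on this page.

    Each independent signal (subject, body line, blocked attachment extension,
    attachment name from the worm's table) adds one point; two or more points
    marks the message as suspect, so a lone subject like "Status" is not enough.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg["subject"] or "").strip().lower() in SUBJECTS

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    body_hit = any(line.strip().lower() in BODY_LINES for line in body_text.splitlines())

    flagged: List[str] = []
    ext_hit = name_hit = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in ATTACHMENT_EXTS:
            ext_hit = True
            flagged.append(name)
            name_hit = name_hit or stem in ATTACHMENT_STEMS

    score = int(subject_hit) + int(body_hit) + int(ext_hit) + int(name_hit)
    return {
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "attachments": flagged,
        "score": score,
        "suspect": score >= 2,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, netsky_q_indicators(raw))
```

The extension check alone is what the recommended action at the end of this page implements at the gateway; combining it with the text tables lets an analyst triage quarantined mail by how many indicators agree.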


P2P/Cracks Website DoS Payload
The virus contains a DoS attack routine which targets these web sites -

www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st

The virus sends simple GET requests in rapid succession in an attempt to cause a DoS condition against each target.
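A burst of GET requests from one internal host to the sites named above is visible in web proxy or firewall logs well before the target notices. The detector below is an added example, not part of the original analysis and not Fortinet code: it keeps a sliding window of request timestamps per (client, destination) pair and reports any pair that exceeds a threshold of GETs to one of the listed sites within the window. The key=value log format and the log lines are constructed for the example; the threshold and window are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Sites named as DoS targets in the analysis above.
DOS_TARGETS = {
    "www.edonkey2000.com", "www.kazaa.com", "www.emule-project.net",
    "www.cracks.am", "www.cracks.st",
}

# Constructed key=value log format (not a real proxy or firewall format):
# <ISO timestamp> src=<client> dst=<host> method=<verb> path=<url path>
_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) path=(?P<path>\S+)$"
)


def make_sample_log() -> List[str]:
    """Constructed log: one host hammering www.kazaa.com, others browsing normally."""
    base = datetime(2004, 3, 29, 10, 0, 0)
    lines: List[str] = []
    # 30 GETs in under six seconds from 10.0.0.5: the pattern described above.
    for i in range(30):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=www.kazaa.com method=GET path=/")
    # Ordinary browsing: two requests minutes apart, and a request to a non-target.
    lines.append(f"{(base + timedelta(seconds=1)).isoformat()} src=10.0.0.7 dst=www.kazaa.com method=GET path=/")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} src=10.0.0.7 dst=www.kazaa.com method=GET path=/download")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} src=10.0.0.9 dst=www.example.org method=GET path=/")
    return lines


def detect_get_floods(
    lines: List[str],
    window: timedelta = timedelta(seconds=10),
    threshold: int = 20,
    targets=DOS_TARGETS,
) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): peak requests in window} for clients flooding a target."""
    events: List[Tuple[datetime, str, str]] = []
    for line in lines:
        m = _LINE.match(line)
        if not m or m["method"] != "GET" or m["dst"] not in targets:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    events.sort(key=lambda e: e[0])  # logs are not always written in order

    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], int] = {}
    for ts, src, dst in events:
        q = recent[(src, dst)]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_get_floods(make_sample_log()).items():
        print(f"{src} -> {dst}: {count} GETs within 10s")
```

Restricting the match to the five listed sites keeps the rule specific to this payload; dropping the `targets` filter turns it into a generic per-client request-rate alarm, which is noisier but catches the same behaviour aimed elsewhere.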

Bagle/MyDoom Virus Clean-up
This virus removes registry keys associated with the W32/MyDoom and W32/Bagle viruses: it terminates threads matching specific strings and deletes keys known to be related to the MyDoom and Bagle families of viruses.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • This virus can be blocked by FortiGate; using the FortiGate manager, enable blocking of .EXE, .PIF, .SCR and .ZIP files using SMTP, POP3 and IMAP services