Name: Win32.Netsky.D@mm
Type:
Prevalence: High
Aliases: Email-Worm.Win32.NetSky.d, Win32/Netsky.D@mm, Win32.HLLM.Netsky, W32.Netsky.D@mm
Date of surface: Feb 29 2004 12:00AM
Affected operating systems:

How it spreads:
The malware is packed with the PEtite packer. It uses a mutex named "[SkyNet.cz]SystemMutex" to ensure that only a single instance of it is running. It copies itself to the Windows directory (usually c:\windows) under the name winlogon.exe and creates a string value named "ICQ Net" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the contents "%Windows%\winlogon.exe -stealth", where %Windows% is the Windows directory. This ensures that it is run when Windows starts.

The malware searches all available drives from A through Z that are not of CD-ROM type (this includes floppy drives, USB drives and network shares mapped to drive letters) for e-mail addresses in files with the following extensions:

  .adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab

Addresses that contain any of the following strings are not collected (presumably to thwart the detection and investigation of this malware):

  skynet
  messagelabs
  abuse
  fbi
  orton
  f-pro
  aspersky
  cafee
  orman
  itdefender
  f-secur
  avp
  spam
  ymantec
  antivi
  icrosoft

When an Internet connection is detected, it tries to send itself to the collected e-mail addresses. For this purpose it uses its built-in SMTP engine and the system default DNS server to obtain the MX records of the target domains. If it fails to obtain the MX records from the system default DNS server, it tries the following alternate DNS servers:

  212.44.160.8
  195.185.185.195
  151.189.13.35
  213.191.74.19
  193.189.244.205
  145.253.2.171
  193.141.40.42
  194.25.2.134
  194.25.2.133
  194.25.2.132
  194.25.2.131
  193.193.158.10
  212.7.128.165
  212.7.128.162
  193.193.144.12
  217.5.97.137
  195.20.224.234
  194.25.2.130
  194.25.2.129
  212.185.252.136
  212.185.253.70
  212.185.252.73
  62.155.255.16

The sent e-mail has one of the following strings in the subject field:

  Re: Your website
  Re: Your product
  Re: Your letter
  Re: Your archive
  Re: Your text
  Re: Your bill
  Re: Your details
  Re: My details
  Re: Word file
  Re: Excel file
  Re: Details
  Re: Approved
  Re: Your software
  Re: Your music
  Re: Here
  Re: Re: Re: Your document
  Re: Hello
  Re: Hi
  Re: Re: Message
  Re: Your picture
  Re: Here is the document
  Re: Your document
  Re: Thanks!
  Re: Re: Thanks!
  Re: Re: Document
  Re: Document

It contains an attachment (a copy of the virus) with one of the following names:

  your_website.pif
  your_product.pif
  your_letter.pif
  your_archive.pif
  your_text.pif
  your_bill.pif
  your_details.pif
  document_word.pif
  document_excel.pif
  my_details.pif
  all_document.pif
  application.pif
  mp3music.pif
  yours.pif
  document_4351.pif
  your_file.pif
  message_details.pif
  your_picture.pif
  document_full.pif
  message_part2.pif
  document.pif
  your_document.pif

It tries to delete the following registry keys, which belong to other malware, in an attempt to prevent them from running:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OLE
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\service
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32
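The description above gives two fixed indicators for the outgoing message: a subject line drawn from a short list and a .pif attachment drawn from another short list. The following is an added example, not code from this write-up or from MicroWorld/eScan, of how a mail gateway check would combine those two indicators, flagging a message as Netsky.D only when both match and demoting any other .pif attachment to "suspicious" rather than ignoring it. The sample messages, the example.invalid addresses and the function names are constructed for the demonstration.

```python
"""Gateway-side check for the Win32.Netsky.D@mm message pattern.

Added example, not code from the original write-up or from MicroWorld/eScan.
It uses only the subject lines and attachment names the write-up lists.
All sample input below is constructed.
"""
from email import message_from_string
from email.message import Message

# Subject lines listed in the write-up (matched exactly).
NETSKY_D_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter",
    "Re: Your archive", "Re: Your text", "Re: Your bill", "Re: Your details",
    "Re: My details", "Re: Word file", "Re: Excel file", "Re: Details",
    "Re: Approved", "Re: Your software", "Re: Your music", "Re: Here",
    "Re: Re: Re: Your document", "Re: Hello", "Re: Hi", "Re: Re: Message",
    "Re: Your picture", "Re: Here is the document", "Re: Your document",
    "Re: Thanks!", "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}

# Attachment names listed in the write-up; .pif files are executables.
NETSKY_D_ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif",
    "your_archive.pif", "your_text.pif", "your_bill.pif", "your_details.pif",
    "document_word.pif", "document_excel.pif", "my_details.pif",
    "all_document.pif", "application.pif", "mp3music.pif", "yours.pif",
    "document_4351.pif", "your_file.pif", "message_details.pif",
    "your_picture.pif", "document_full.pif", "message_part2.pif",
    "document.pif", "your_document.pif",
}


def attachment_names(msg: Message) -> list:
    """Filenames of every MIME part that carries one (text bodies have none)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify_message(raw: str) -> dict:
    """Score one RFC 822 message against the write-up's indicators.

    'netsky.d'   : subject and an attachment name both match the lists
    'suspicious' : a .pif attachment that matches neither list entry
    'clean'      : no .pif attachment at all (a matching subject alone is
                   not a signal; plenty of real mail is "Re: Your document")
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    known_pif = [n for n in names if n.lower() in NETSKY_D_ATTACHMENTS]
    any_pif = [n for n in names if n.lower().endswith(".pif")]
    if subject in NETSKY_D_SUBJECTS and known_pif:
        verdict = "netsky.d"
    elif any_pif:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject, "attachments": names}


# Constructed message in the shape the write-up describes; the attachment
# body is placeholder base64 for the bytes "ABCDEF", not worm code.
SAMPLE_WORM = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

QUJDREVG
--b1--
"""

# Constructed: same subject line but no attachment, so not the worm pattern.
SAMPLE_CLEAN = "From: a@example.invalid\nSubject: Re: Your document\n\nHi.\n"

if __name__ == "__main__":
    print(classify_message(SAMPLE_WORM))   # verdict: netsky.d
    print(classify_message(SAMPLE_CLEAN))  # verdict: clean
```

The check deliberately requires both indicators: the subject lines are ordinary reply subjects, so on their own they would flag legitimate mail, while the attachment names are specific enough to be decisive once a .pif is present. On today's gateways a .pif attachment is normally blocked by policy regardless of name, which is why the example still reports such attachments as "suspicious" when the name is not on the list.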
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.
You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.
Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.