Home / malware

PDF

Win32.Netsky.D@mm

First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Netsky.D@mm is also known as Email-Worm.Win32.NetSky.d, Win32/Netsky.D@mm, Win32.HLLM.Netsky, W32.Netsky.D@mm.

Explanation :

The malware is packed with the PEtite packer. It uses a mutex named "[SkyNet.cz]SystemMutex" to ensure that a single instance of it is running. If copies itself in the Windows directory (usually c:\windows) with the name winlogon.exe and creates a string value with the name "ICQ Net" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the contents "%Windows%\winlogon.exe -stealth", where %Windows% is the windows directory. This ensures that it is run when starting Windows.

The malware searches through all the available drives (A trough Z) which are not of CD-ROM type (this includes floppy drives, USB drives and network shares mapped with drive letters) for files with the following extensions:

.adb.asp.cgi.dbx.dhtm.doc.eml.htm.html.msg.oft.php.pl.rtf.sht.shtm.tbb.txt.uin.vbs.wab

for e-mail addresses. Addresses which contain any of the following strings as part of them are not collected (presumably to thwart the detection and investigation of this malware):

skynetmessagelabsabusefbiortonf-proasperskycafeeormanitdefenderf-securavpspamymantecantiviicrosoft

When an Internet connection is detected, it tries to send itself to the collected e-mail addresses. For this purpose it uses its built-in SMPT engine and the system default DNS to get the MX records for the target domains. If it fails to obtain the MX records with the system default DNS server, it will try the following alternate DNS servers:

212.44.160.8195.185.185.195151.189.13.35213.191.74.19193.189.244.205145.253.2.171193.141.40.42194.25.2.134194.25.2.133194.25.2.132194.25.2.131193.193.158.10212.7.128.165212.7.128.162193.193.144.12217.5.97.137195.20.224.234194.25.2.130194.25.2.129212.185.252.136212.185.253.70212.185.252.7362.155.255.16

The sent e-mail will have in the subject field one of the following strings:

Re: Your websiteRe: Your productRe: Your letterRe: Your archiveRe: Your textRe: Your billRe: Your detailsRe: My detailsRe: Word fileRe: Excel fileRe: DetailsRe: ApprovedRe: Your softwareRe: Your musicRe: HereRe: Re: Re: Your documentRe: HelloRe: HiRe: Re: MessageRe: Your pictureRe: Here is the documentRe: Your documentRe: Thanks!Re: Re: Thanks!Re: Re: DocumentRe: Document

And it will contain an attachment (consisting of a copy of the virus) with one of the following possible names:

your_website.pifyour_product.pifyour_letter.pifyour_archive.pifyour_text.pifyour_bill.pifyour_details.pifdocument_word.pifdocument_excel.pifmy_details.pifall_document.pifapplication.pifmp3music.pifyours.pifdocument_4351.pifyour_file.pifmessage_details.pifyour_picture.pifdocument_full.pifmessage_part2.pifdocument.pifyour_document.pif

It tries to delete the following registry keys related to other malware in an attempt to prevent them from running:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Windows Services HostHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatchHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINFHKEY_LOCAL_MACHINE\SoftwareMicrosoft\Windows\CurrentVersion\Run\SentryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OLEHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunserviceHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAvHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAvHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\au.exeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DELETE MEHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32

Last update 21 November 2011

 

TOP