Win32.HLLM.Netsky.17408

Added to the Dr.Web virus database: 2004-04-27

Virus description added:

Description

Win32.HLLM.Netsky.17408 [Netsky.AA] is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module, packed with PECompact, is 17,408 bytes in size.

Launching

To secure its automatic execution at every Windows startup, the worm adds the value
SkynetsRevenge = "%WinDir%\winlogon.scr"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
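The Run-key value above is the indicator an administrator can check for on a suspect machine. The following Python is an added example, not Dr.Web's code: it parses the text of a .reg file produced by `reg export` of the Run key and flags values that carry the worm's value name or that point at its winlogon.scr drop path. The sample export at the bottom is constructed for the demonstration.

```python
"""Check a Windows Run-key export for the Netsky.AA autostart entry.

Added example, not Dr.Web's tooling.  It parses the text of a .reg file
produced by `reg export` and flags Run values that either carry the worm's
fixed value name or point at its dropped copy, winlogon.scr.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "SkynetsRevenge"   # value name from the description
WORM_FILE_NAME = "winlogon.scr"      # copy dropped into %WinDir%

# A REG_SZ line in a .reg export looks like  "name"="data"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape_reg_data(data: str) -> str:
    """Undo .reg escaping: exports double every backslash and escape quotes."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def find_netsky_run_entries(reg_export: str) -> list[dict]:
    """Return Run-key values that look like the Netsky.AA autostart entry.

    The path check is deliberately independent of the value name, so a copy
    registered under a different name but the same winlogon.scr path is
    still reported.
    """
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # key header line
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        match = _VALUE_RE.match(line)
        if not match:                                 # blanks, DWORD/binary values
            continue
        name = match.group("name")
        data = _unescape_reg_data(match.group("data"))
        path = data.strip('"').lower()                # the worm quotes the path
        reasons = []
        if name.lower() == WORM_VALUE_NAME.lower():
            reasons.append("value name is the worm's fixed name")
        if path.endswith("\\" + WORM_FILE_NAME):
            reasons.append("data points at the winlogon.scr drop file")
        if reasons:
            hits.append({"name": name, "data": data, "reasons": reasons})
    return hits


# Constructed sample export (not a real capture): one ordinary entry, the
# worm's entry exactly as described, and the same path under another name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SkynetsRevenge"="\"C:\\WINDOWS\\winlogon.scr\""
"Updater"="C:\\WINDOWS\\winlogon.scr"
'''

if __name__ == "__main__":
    for hit in find_netsky_run_entries(SAMPLE_REG_EXPORT):
        print(f"{hit['name']!r} -> {hit['data']}: {'; '.join(hit['reasons'])}")
```

The same two checks can be applied to values read live from the key with the standard `winreg` module; the offline form is shown because a .reg export is what is usually collected from a machine during triage.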

Spreading

The worm scans all drives of the infected system from Z to C in search of e-mail addresses. Files with the following extensions are searched:

     .ppt
     .nch
     .mmf
     .mht
     .xml
     .wsh
     .jsp
     .xls
     .stm
     .ods
     .msg
     .oft
     .sht
     .html
     .htm
     .pl
     .dbx
     .tbb
     .adb
     .dhtm
     .cgi
     .shtm
     .uin
     .rtf
     .vbs
     .doc
     .wab
     .asp
     .mdx
     .mbx
     .cfg
     .php
     .txt
     .eml

The worm will not send mail to addresses containing any of the following strings:
     ruslis
     antivir
     sophos
     freeav
     andasoftwa
     skynet
     messagelabs
     abuse
     fbi
     orton
     f-pro
     aspersky
     cafee
     orman
     itdefender
     f-secur
     avp
     spam
     ymantec
     antivi
     icrosoft

It determines the SMTP servers to use from the domain names of the addresses collected on the affected machine. If this fails, it uses its own list of SMTP server addresses, which is kept in the worm's body:
     212.44.160.8
     195.185.185.195
     151.189.13.35
     213.191.74.19
     193.189.244.205
     145.253.2.171
     193.141.40.42
     193.193.144.12
     217.5.97.137
     195.20.224.234
     194.25.2.130
     194.25.2.129
     212.185.252.136
     212.185.253.70
     212.185.252.73
     62.155.255.16
     194.25.2.134
     194.25.2.133
     194.25.2.132
     194.25.2.131
     193.193.158.10
     212.7.128.165
     212.7.128.162

A mail message sent by the worm looks as follows.

The sender’s name and address are spoofed by the worm.

The subject is chosen from the following list:
     Re: Job
     Re: Pricelist
     Re: Patch
     Re: Poster
     Re: Final
     Re: Demo
     Re: War
     Re: Cheaper
     Re: Fax number
     Re: Advice
     Re: Presentation
     Re: Movie
     Re: Website
     Re: Product
     Re: Letter
     Re: Missed
     Re: Error
     Re: Bill
     Re: e-Books
     Re: Contacts
     Re: Paint file
     Re: Text file
     Re: List
     Re: Tel. Numbers
     Re: Application
     Re: Music
     Re: Step by Step
     Re: Summary
     Re: Hello
     Re: Hi
     Re: Information
     Re: Private
     Re: Photos
     Re: Details
     Re: Thank you!
     Re: Text
     Re: Approved
     Re: Document

The message body can be one of the following:
     For furher details see the attached file.
     Your file is attached.
     Please read the attached file.
     Please have a look at the attached file.
     Please take the attached file.
     See the attached file for details.
     Please view the attached file.
     Here is the file.
     Your document is attached.

Attachment:
     Your_Job.pif
     Your_Pricelist.pif
     Your_Patch.pif
     Your_Poster.pif
     Your_Final_Document.pif
     Your_Demo.pif
     Osam_Bin_Laden_Articel_42.pif
     Your_Product_List.pif
     My_Fax_Numbers.pif
     My_Advice.pif
     Your_Presentation.pif
     Your_Movie.pif
     Your_Website.pif
     Your_Product.pif
     Your_Letter.pif
     Your_Excel_Document.pif
     Your_Error.pif
     Your_Bill.pif
     Your_E-Books.pif
     Your_Contacts.pif
     Your_Paint_File.pif
     Your_Text_File.pif
     Your_List.pif
     My_Telephone_Numbers.pif
     Your_Software.pif
     Your_Music.pif
     Your_Description.pif
     Your_Summary.pif
     Your_Digicam_Pictures.pif
     Your_Information.pif
     Your_Private_Document.pif
     Your_Pics.pif
     Your_Details.pif
     Your_Document_Part3.pif
     Your_Text.pif
     Your_Document.pif

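The fixed subject, body and attachment strings listed above are usable as mail-gateway indicators. The following Python is an added example, not Dr.Web's code: it copies the three lists verbatim from this description (the worm's own misspellings included), extracts the subject, text body and attachment names from a parsed message with the standard `email` module, and only flags a message as the Netsky.AA lure when a .pif attachment is present together with at least two of the text indicators, since a subject such as "Re: Details" on its own is an ordinary reply. The two sample messages are constructed, not real captures.

```python
"""Flag mail matching the Netsky.AA lure described above.

Added example, not Dr.Web's tooling.  The subject, body and attachment
lists are copied verbatim from the description (misspellings included);
the message samples at the bottom are constructed, not real captures.
"""
import email
import email.policy
from email.message import EmailMessage

SUBJECTS = set(
    "Re: Job|Re: Pricelist|Re: Patch|Re: Poster|Re: Final|Re: Demo|Re: War|"
    "Re: Cheaper|Re: Fax number|Re: Advice|Re: Presentation|Re: Movie|"
    "Re: Website|Re: Product|Re: Letter|Re: Missed|Re: Error|Re: Bill|"
    "Re: e-Books|Re: Contacts|Re: Paint file|Re: Text file|Re: List|"
    "Re: Tel. Numbers|Re: Application|Re: Music|Re: Step by Step|"
    "Re: Summary|Re: Hello|Re: Hi|Re: Information|Re: Private|Re: Photos|"
    "Re: Details|Re: Thank you!|Re: Text|Re: Approved|Re: Document".split("|")
)
BODIES = set(
    "For furher details see the attached file.|Your file is attached.|"
    "Please read the attached file.|Please have a look at the attached file.|"
    "Please take the attached file.|See the attached file for details.|"
    "Please view the attached file.|Here is the file.|"
    "Your document is attached.".split("|")
)
ATTACHMENTS = set(
    "Your_Job.pif|Your_Pricelist.pif|Your_Patch.pif|Your_Poster.pif|"
    "Your_Final_Document.pif|Your_Demo.pif|Osam_Bin_Laden_Articel_42.pif|"
    "Your_Product_List.pif|My_Fax_Numbers.pif|My_Advice.pif|"
    "Your_Presentation.pif|Your_Movie.pif|Your_Website.pif|Your_Product.pif|"
    "Your_Letter.pif|Your_Excel_Document.pif|Your_Error.pif|Your_Bill.pif|"
    "Your_E-Books.pif|Your_Contacts.pif|Your_Paint_File.pif|"
    "Your_Text_File.pif|Your_List.pif|My_Telephone_Numbers.pif|"
    "Your_Software.pif|Your_Music.pif|Your_Description.pif|Your_Summary.pif|"
    "Your_Digicam_Pictures.pif|Your_Information.pif|"
    "Your_Private_Document.pif|Your_Pics.pif|Your_Details.pif|"
    "Your_Document_Part3.pif|Your_Text.pif|Your_Document.pif".split("|")
)


def mail_indicators(msg: EmailMessage) -> list[str]:
    """Return the Netsky.AA indicators present in a parsed message."""
    found = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        found.append("known_subject")
    body_lines, attachment_names = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:                                  # an attachment part
            attachment_names.append(filename)
        elif part.get_content_type() == "text/plain":  # the message text
            body_lines.extend(l.strip() for l in part.get_content().splitlines())
    if any(line in BODIES for line in body_lines):
        found.append("known_body")
    if any(name.lower().endswith(".pif") for name in attachment_names):
        found.append("pif_attachment")
    if any(name in ATTACHMENTS for name in attachment_names):
        found.append("known_attachment_name")
    return found


def verdict(msg: EmailMessage) -> str:
    """'netsky_aa' for the full lure, 'suspicious' for any .pif attachment
    (a program, not a document), otherwise 'clean'.  Text indicators alone
    never trigger: "Re: Details" is an ordinary reply subject."""
    found = mail_indicators(msg)
    if "pif_attachment" in found and len(found) >= 3:
        return "netsky_aa"
    if "pif_attachment" in found:
        return "suspicious"
    return "clean"


def build_sample(subject, body, filename, payload=b"MZ", mimetype="application/octet-stream"):
    """Construct a sample message and round-trip it through the wire format."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"     # the worm forges this header
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = mimetype.split("/")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return email.message_from_string(msg.as_string(), policy=email.policy.default)


# Constructed samples: the worm's lure, and a legitimate reply that shares its subject.
WORM_SAMPLE = build_sample("Re: Details", "Your document is attached.", "Your_Details.pif")
BENIGN_SAMPLE = build_sample("Re: Details", "Here are the figures we discussed.",
                             "figures.pdf", mimetype="application/pdf")

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, verdict(sample), mail_indicators(sample))
```

In practice a gateway would simply reject .pif attachments, which are executables; the string lists are still useful for retrospective searches of mail logs to find who received the lure before that rule existed.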

Action

When executed, the worm creates a mutex named “MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D”. It drops a copy of itself as winlogon.scr into the Windows folder (C:\Windows on Windows 9x/ME/XP, C:\WINNT on Windows NT/2000).