
Win32.HLLM.Netsky.18348

(W32/Netsky.s@MM, Parser error, Worm/Netsky.#1, Email-Worm.Win32.NetSky.t, Possible_Mlwr-13)

Added to the Dr.Web virus database: 2004-04-18

Virus description added:

Description

Win32.HLLM.Netsky.18348 [Netsky.W] is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The size of the worm's program module (UPX-packed) is 24,064 bytes.
The worm spreads via e-mail using its own SMTP engine. It also deletes registry keys and values created by other malware (listed under Action below).

Launching

To secure its automatic execution at every Windows startup the worm adds the value
"NetDy"="%WinDir%\VisualGuard.exe"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreading

The worm harvests e-mail addresses from files with the following extensions:

 
   .adb
   .asp
   .cgi
   .dbx
   .dhtm
   .doc
   .eml
   .htm
   .html
   .jsp
   .msg
   .oft
   .php
   .pl
   .rtf
   .sht
   .shtm
   .tbb
   .txt
   .uin
   .vbs
   .wab
   .wsh
   .xml
            
The mail message infected with the worm may look as follows.

The subject is composed of several parts.

Part 1:

     
   Re: 
   Re: Re:    
                
Part 2:
   my
   your
   read it immediately 
   important 
   improved 
   patched 
   corrected 
   approved 
   thanks! 
   hello 
   hi 
   here 
   document_all 
   text 
   message 
   data 
   excel document 
   word document 
   bill 
   screensaver 
   application 
   website 
   product 
   letter 
   information 
   details 
   file 
   document 
   important 
   approved 
                
The Message body can be one of the following:
   Your details.
   Your document.
   I have received your document. The corrected document is attached.
   I have attached your document.
   Your document is attached to this mail.
   Authentication required.
   Requested file.
   See the file.
   Please read the important document.
   Please confirm the document.
   Your file is attached.
   Please read the document.
   Your document is attached.
   Please read the attached file.
   Please see the attached file for details.
            
The text ends with a fake scanner signature:
   
   --------------------------------------------
   [attachment]: No virus found
   Powered by the new Norton OnlineScan
   Get protected: www.symantec.com
   
   
       
followed by Symantec’s logo.

Attachment:

   
   document_all_%s 
   text_%s 
   message_%s 
   data_%s 
   excel document_%s 
   word document_%s 
   bill_%s 
   screensaver_%s 
   application_%s 
   website_%s 
   product_%s 
   letter_%s 
   information_%s 
   details_%s 
   file_%s 
   document_%s 
           
where %s is the part of the recipient's e-mail address before the @. The attachment extension can be .zip, .scr, .exe or .pif.
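The message template above is specific enough to check for at a mail gateway: the attachment name is derived from the recipient's own local part, the subject is an optional "Re: " prefix plus one word from a fixed list, and the body carries the fake Norton signature. The following is an added example (not Dr.Web's code) that applies those three checks to an RFC 822 message. The word lists and naming rule come from the description above; the two sample messages are constructed here, not real captures, and the scoring rule (attachment pattern plus at least one text feature) is this example's own choice.

```python
"""Added example: a mail-gateway check for the Netsky.W message template.

Not Dr.Web's code. The word lists, signature line and attachment naming
(<stem>_<local part of recipient>.<zip|scr|exe|pif>) are taken from the
description above; the sample messages are constructed here, not real captures.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

SUBJECT_WORDS = {
    "my", "your", "read it immediately", "important", "improved", "patched",
    "corrected", "approved", "thanks!", "hello", "hi", "here", "document_all",
    "text", "message", "data", "excel document", "word document", "bill",
    "screensaver", "application", "website", "product", "letter",
    "information", "details", "file", "document",
}
ATTACHMENT_STEMS = (
    "document_all", "text", "message", "data", "excel document",
    "word document", "bill", "screensaver", "application", "website",
    "product", "letter", "information", "details", "file", "document",
)
ATTACHMENT_EXTS = ("zip", "scr", "exe", "pif")
SIGNATURE_MARKER = "Powered by the new Norton OnlineScan"
# Optional "Re: " / "Re: Re: " prefix, then the rest of the subject.
SUBJECT_RE = re.compile(r"^(?:Re: )*(.+?)\s*$", re.IGNORECASE)


def local_part(address):
    """Part of the address before '@', lower-cased (the worm's %s)."""
    return address.rsplit("@", 1)[0].lower()


def attachment_matches(filename, recipient):
    """True if filename is <stem>_<recipient local part>.<worm extension>."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() not in ATTACHMENT_EXTS:
        return False
    wanted = {f"{s}_{local_part(recipient)}" for s in ATTACHMENT_STEMS}
    return stem.lower() in wanted


def classify(raw, recipient):
    """Score one RFC 822 message against the template; returns the findings."""
    msg = message_from_bytes(raw, policy=default)
    subject = str(msg["Subject"] or "")
    m = SUBJECT_RE.match(subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    findings = {
        "subject": bool(m) and m.group(1).lower() in SUBJECT_WORDS,
        "signature": SIGNATURE_MARKER in text,
        "attachment": any(attachment_matches(p.get_filename() or "", recipient)
                          for p in msg.iter_attachments()),
    }
    # The attachment name tied to the recipient is the strongest signal;
    # require it plus one of the two text features to call it a match.
    findings["match"] = findings["attachment"] and (findings["subject"] or findings["signature"])
    return findings


def build_sample(subject, recipient, attachment_name, with_signature=True):
    """Constructed test message in the shape the description gives (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = recipient
    msg["Subject"] = subject
    body = "Please read the attached file.\n"
    if with_signature:
        body += ("\n--------------------------------------------\n"
                 f"[{attachment_name}]: No virus found\n"
                 f"{SIGNATURE_MARKER}\n"
                 "Get protected: www.symantec.com\n")
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


RECIPIENT = "alice@example.com"
WORM_SAMPLE = build_sample("Re: Re: important", RECIPIENT, "document_alice.zip")
BENIGN_SAMPLE = build_sample("Q3 budget", RECIPIENT, "budget.xlsx", with_signature=False)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw, RECIPIENT))
```

The recipient must be taken from the envelope (RCPT TO), not from the To: header, since the worm forges headers; matching the local part is what separates this template from ordinary mail that happens to carry a .zip named "document".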

Action

When executed, the worm creates the mutex "NetDy_Mutex_Psycho". It drops a copy of itself named VisualGuard.exe into the Windows folder (C:\Windows on Windows 9x/Me/XP, C:\WINNT on Windows NT/2000). In the same folder the worm creates several more files:

  • base64.tmp – base64-encoded copy of the worm, used as the e-mail attachment
  • zip1.tmp, zip2.tmp, zip3.tmp, zip4.tmp, zip5.tmp, zip6.tmp – base64-encoded ZIP-archived copies of the worm
  • zipped.tmp – temporary ZIP archive containing the worm
The worm makes the following changes in the system registry:
  • It deletes the values
    Explorer
    System.
    msgsvr32
    Service
    DELETE ME
    Sentry
    Taskmon
    Windows Services Host

    from the registry key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  • It deletes the values
    Explorer
    au.exe
    d3dupdate.exe
    OLE
    gouday.exe
    rate.exe
    Windows Services Host
    Taskmon
    sysmon.exe
    srate.exe
    ssate.exe
    from the registry key
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  • It deletes the value System.
    from the registry key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
  • It deletes the following keys:
    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKLM\System\CurrentControlSet\Services\WksPatch
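The indicators in the Launching and Action sections (the NetDy Run value, VisualGuard.exe, and the .tmp files in the Windows folder) can be checked offline against a regedit export taken from a suspect machine. The following is an added example, not Dr.Web's code: it parses the string-value subset of .reg syntax (where backslashes are doubled and names are quoted), flags any Run entry named NetDy or pointing at VisualGuard.exe, and matches a directory listing against the dropped file names. The two exports and the listing are constructed samples, not data from an infected host.

```python
"""Added example: check a registry export for the persistence entry above.

Not Dr.Web's code. It parses the string-value subset of Windows .reg syntax
(regedit's export format; backslashes are doubled there) and flags the NetDy
value or any Run value whose data ends in VisualGuard.exe, then checks a
directory listing for the dropped file names. The exports and listing below
are constructed samples, not data from an infected host.
"""
import re

PERSISTENCE_VALUE = "netdy"
DROPPED_EXE = "visualguard.exe"
DROPPED_FILES = {DROPPED_EXE, "base64.tmp", "zipped.tmp"} | {f"zip{i}.tmp" for i in range(1, 7)}
MUTEX_NAME = "NetDy_Mutex_Psycho"  # for reference; a live check needs OpenMutex on the host

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-quote and doubled backslash)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key: {value name: data}} from [key] sections and "name"="data" lines.
    Non-string data (dword:, hex:) is kept raw."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            tree[current][_unescape(m.group("name"))] = data
    return tree


def find_persistence(tree):
    """(key, value name, data) for every Run entry that looks like the worm's."""
    hits = []
    for key, values in tree.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            if name.lower() == PERSISTENCE_VALUE or data.lower().strip('"').endswith(DROPPED_EXE):
                hits.append((key, name, data))
    return hits


def dropped_files_present(windows_dir_listing):
    """Names from the Windows folder listing that match the files the worm creates."""
    return sorted(n for n in windows_dir_listing if n.lower() in DROPPED_FILES)


# Constructed sample exports (not from a real machine).
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"NetDy"="%WinDir%\\VisualGuard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''

# Constructed directory listing of %WinDir% on a suspect host.
INFECTED_LISTING = ["explorer.exe", "VisualGuard.exe", "base64.tmp", "zip3.tmp", "win.ini"]

if __name__ == "__main__":
    print(find_persistence(parse_reg(INFECTED_EXPORT)))
    print(dropped_files_present(INFECTED_LISTING))
```

Absence of the competitor values the worm deletes (Taskmon, au.exe, ssate.exe and the rest) proves nothing on its own, since a clean machine never had them; the positive indicators are the NetDy value, the mutex and the dropped files.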