Win32.HLLM.Netsky

(W32/Patched.AF, I-Worm/Netsky.Z, Virus:Win32/Resourcer.A, Backdoor.Win32.Rbot.aus, PE_RESOURCER.A, Win32/PEPatch, Email-Worm.Win32.NetSky.aa, Parser error, W32/Resourcer, Worm/Netsky.AA, Trojan.Proxy.Agent.DA, I-Worm/Netsky.ED, Possible_Mlwr-13, TR/Patched.AF.56, W32.Netsky.AN@mm, WORM_NETSKY.Z, TR/Crypt.UPKM.Gen, WORM_NETSKY.GEN, Trojan.Win32.Patched.af, W32/Buchon!keylog, I-Worm/Netsky.EY, Trojan.Agent.XX, Win32.Netsky.AA@mm, Worm/Netsky.AH)

Virus description added:

Virus Type: Mass-mailing worm.

Affected OS: Win95/98/Me/2000/XP

Size: 25 352, 17 424, 24 840, 22 016, 18 944 or 31 232 bytes, depending on the variant

Packed by: PETITE, PEPACK, PCPEC, UPX or PECOMPACT, depending on the variant

Technical Information

  • To start automatically on every Windows boot, different modifications of the worm add one of the following values

    C:\Windows\winlogon.exe -stealth
    C:\Windows\MsnMsgrs.exe -alev
    C:\Windows\fooding.exe -antivirus

    to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.

  • The worm harvests email addresses for its mailings from files with the following extensions:

    .dhtm
    .cgi
    .shtm
    .msg
    .oft
    .sht
    .dbx
    .tbb
    .adb
    .doc
    .wab
    .asp
    .uin
    .rtf
    .vbs
    .html
    .htm
    .pl
    .php
    .txt
    .eml

  • To spread over file-sharing networks, the worm copies itself into shared folders under the following filenames:

    The Sims 3 crack.exe
    Lightwave SE Update.exe
    Ulead Keygen.exe
    Smashing the stack.rtf.exe
    IE58.1 full setup.exe
    Opera.exe
    DivX 7.0 final.exe
    WinAmp 12 full.exe
    Cracks & Warez Archive.exe
    Visual Studio Net Crack.exe
    ACDSee 9.exe
    MS Service Pack 5.exe
    Clone DVD 5.exe
    Magix Video Deluxe 4.exe
    Star Office 8.exe
    Partitionsmagic 9.0.exe
    Gimp 1.5 Full with Key.exe
    Norton Antivirus 2004.exe
    Windows Sourcecode.doc.exe
    Keygen 4 all appz.exe
    3D Studio Max 3dsmax.exe
    1000 Sex and more.rtf.exe
    RFC Basics Full Edition.doc.exe
    Dictionary English - France.doc.exe
    Win Longhorn Beta.exe
    WinXP eBook.doc.exe
    Learn Programming.doc.exe
    How to hack.doc.exe
    Doom 3 Beta.exe
    E-Book Archive.rtf.exe
    Virii Sourcecode.scr
    Ahead Nero 7.exe
    Full album.mp3.pif
    Screensaver.scr
    Serials.txt.exe
    Microsoft Office 2003 Crack.exe
    XXX hardcore pic.jpg.exe
    Dark Angels.pif
    Porno Screensaver.scr
    Best Matrix Screensaver.scr
    Adobe Photoshop 9 full.exe
    Adobe Premiere 9.exe
    Teen Porn 16.jpg.pif
    Microsoft WinXP Crack.exe
  • Subjects of the distributed messages are chosen from the list below. Most often they claim that the user's email account has been deactivated or closed and invite the user to follow a link for details:
    Your mail account expired. Please follow the link to reactivate.
    Your mail account has been closed. Click on the link for further details.
    Your mail account has been deactivated. To reactivate, follow the link.
    Mail account expired
    Mail account closed
    Mail account deactivated
    Your file is attached.
    Please read the attached file.
    Please have a look at the attached file.
    See the attached file for details.
    Here is the file.
    Your document is attached.
    me veja peladinha
    gostaria disso e voce???
    algo a mais falea verdade!!!
    ganhe muita grana
    campanhadafome
    pq nao me liga??
    sinto voce!!
    grana
    Lembra? amor me liga
    Hackers do Brasil
    Medical Labs Exames!!!
    meu telefone liga
    ferias nos E.U.A
    Surto :(
    Vacina contra o HIV!!
    sua conta bancaria zerada
    olha que isso!!!
    parabens!
    te amo!
    Policia SP
    Sua Conta!!
    Boleto Pague
    veja o que tem no zip e me liga receitas de bolo!!
    acrdito que em voce!!!
    promocao de viajens de fim de ano
    tudo sobre voce sabe
    Proposta de emprego!!
    estou doente veja!!!
    me diz o queacha?
    retorna logo isso!!
    arquivo zipado PGP???
    voce passou
    :D!!!
    ve ai logo ta
    AMA!
    AmaVoce
    Abra rapido isso!!!!
    reza de sao tome!!!!.
    veja detalhes!!!.
    encontro voce!
    preenche ai ta bom
    PizzaVeneza!
    vaca
    tetas
    war3!
    AIDS!
    grana
    banco!
    revista lulao!
    imposto jogo!
    loterias
    vips!
    missao
    vadias!
    email
    flipe
    botao
    sampa!!
    contas!!
    zerado
    :(
    criancas!
    brasil!
    lantrocidade
    aqui
    docs
    festa!!
    LINUSTOR
    bingos!
    agua!
    :D
    sorteado!!
    grana!!
    dinheiro!!
    carros!
    voce
    :-)
    ???
    circular
    agradou
    diga
    robos!
    impressao!!
    massas!
    pescaria por kilo
    Sua saude esta bem? morto :)
  • Worm copies attached to the message can carry either a single or a double extension. Examples:

    your_website.pif
    your_product.pif
    your_letter.pif
    your_archive.pif
    your_text.pif
    your_bill.pif
    your_details.pif
    document_word.pif
    document_excel.pif
    my_details.pif
    all_document.pif
    application.pif
    mp3music.pif
    yours.pif
    document_4351.pif
    your_file.pif
    message_details.pif
    your_picture.pif
    document_full.pif
    message_part2.pif
    document.pif
    your_document.pif
    vota!.zip.scr
    aninha gatinha!.zip.scr
    importante!!!!!.zip.scr
    minhavida!.zip.exe
    comoserrico!.zip.scr
    vida!!.zip.scr
    receitas de bolo!!.zip.scr
    celulares!!.zip.scr
    clica ai logo meu.scr
    rede globo tv!.zip.scr
    rocha.scr
    paula!.scr
    Carnaval em Salvador!!.zip.scr
    vadias peladas!!.scr
    cafe!!.zip.scr
    traficoemSP!.scr
    MulataDandoOcujpg.scr
    multas.pif
    caspa.scr
    barrio.scr
    ResidentEvil2.zip.scr
    puteiros!!.scr
    Canaval2004!.jpg.pif
    VivaNaBaia!.scr

  • The worm does not send itself to addresses containing any of the following substrings:
    abuse
    fbi
    orton
    f-pro
    aspersky
    cafee
    orman
    itdefender
    f-secur
    avp
    spam
    ymantec
    antivi
    icrosoft
    iruslis
    andasoftwa
    skynet
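As an added example (not part of the Dr.Web description), the following Python triage script applies the attachment-naming, subject and recipient-filter indicators listed above to a constructed mailbox: it flags the exact attachment names, the <decoy>.<executable> double-extension pattern, and a known subject carrying a bare executable, and it shows which recipient addresses the worm's own filter would skip, so abuse@ or vendor mailboxes cannot be relied on as sensors for this family. The indicator subsets, the sample messages and the function names are constructed for the example.

```python
import re
# Indicator lists are a subset of those given in the description above.
KNOWN_ATTACHMENTS = {"your_document.pif", "document_word.pif", "my_details.pif",
                     "vota!.zip.scr", "canaval2004!.jpg.pif", "minhavida!.zip.exe"}
KNOWN_SUBJECTS = {"Your mail account expired. Please follow the link to reactivate.",
                  "Mail account deactivated", "Please read the attached file."}
EXEC_EXTS = {"pif", "scr", "exe"}                        # outer extension of worm copies
DECOY_EXTS = {"zip", "jpg", "doc", "rtf", "txt", "mp3"}  # inner "data" extension
# Address substrings the worm refuses to mail to (AV vendors, abuse desks, Microsoft).
SKIP_SUBSTRINGS = ["abuse", "fbi", "orton", "aspersky", "cafee", "ymantec",
                   "antivi", "icrosoft", "spam", "skynet"]

def classify_attachment(name):
    """'known' = exact Netsky name, 'double-ext' = <decoy>.<executable> pattern,
    'exec' = bare executable extension, 'clean' = anything else."""
    low = name.lower()
    if low in KNOWN_ATTACHMENTS:
        return "known"
    m = re.search(r"\.([a-z0-9]+)\.([a-z]+)$", low)
    if m and m.group(1) in DECOY_EXTS and m.group(2) in EXEC_EXTS:
        return "double-ext"
    if low.rsplit(".", 1)[-1] in EXEC_EXTS:
        return "exec"
    return "clean"

def worm_would_skip(address):
    """True if the worm's own recipient filter would never mail this address;
    such mailboxes (abuse@, AV vendors) therefore never see this family."""
    low = address.lower()
    return any(s in low for s in SKIP_SUBSTRINGS)

def triage(messages):
    """messages: iterable of (sender, subject, attachment-or-None). Returns
    (sender, verdict) for mailings matching the worm's naming: a known or
    double-extension attachment, or a known subject with a bare executable."""
    hits = []
    for sender, subject, attachment in messages:
        kind = classify_attachment(attachment) if attachment else "none"
        subject_hit = subject.strip() in KNOWN_SUBJECTS
        if kind in ("known", "double-ext") or (kind == "exec" and subject_hit):
            hits.append((sender, kind))
    return hits

# Constructed sample mailbox, not captured traffic.
SAMPLE = [
    ("a@example.org", "Mail account deactivated", "document_4351.pif"),
    ("b@example.org", "Carnaval", "Carnaval em Salvador!!.zip.scr"),
    ("c@example.org", "Quarterly report", "report.docx"),
    ("d@example.org", "Please read the attached file.", None),
]
```

Running `triage(SAMPLE)` flags the first two messages; the plain executable in the first is caught only because it travels under one of the worm's stock subjects, which is the signal a mail gateway can act on without unpacking the attachment.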
  • The worm deletes the following registry keys (together with their data):
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAV
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
      HKLM\System\CurrentControlSet\Services\WksPatch

  • Can contain in their body the IP addresses of German, Swiss and Dutch sites that are the targets of DoS attacks.
  • Can contain expressive text strings addressed to the authors of the MyDoom and Beagle email worm families. For example:

    Hey Bagle, feel our revenge!
    MyDoom and Bagle are spammer we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->

  • System Recovery Information
    1. Boot Windows in Safe Mode.
    2. Scan the computer with Dr.Web® Scanner or the free Dr.Web® CureIt! utility, applying the "Cure" action to every infected file found.
    3. Restore the system registry from a backup copy.

    Important! Immediately before step 2, configure the email client to store attachments as separate files rather than inside the mailbox database. For example, in the TheBat! email client separate storage of attachments is configured as follows:
    Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory.