Internet Worm Summary
Internet Worm Name: W32/Netsky.s@MM
Risk Assessment: Corporate User: Medium; Home User: Medium
Internet Worm Information
Discovery Date: 04/05/2004
Origin: Unknown
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 4.2.40
Description Added: 04/05/2004
Description Updated: 04/07/2004 1:31 PM (PT)
Internet Worm Characteristics
-- Update April 6th, 2004 --
Due to increased prevalence, this threat has had its risk assessment raised to Medium.
If you think that you may be infected with Netsky.s, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
-- Update April 05, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/article2/0,1759,1561746,00.asp
This variant of W32/Netsky@MM bears similarities to the previous members of this family. The worm bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wsh
.wab
.xls
.xml
Constructed messages bear the following characteristics:
From: this is spoofed (using harvested email addresses)
Subject: various subject lines may be used, for example:
Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello
Hi
Body: various message bodies may be constructed from a pool of strings carried within the worm.
Attachment: The attachment has a .PIF extension. The filename is constructed from one of the following strings, with a random number appended to it:
account
postcard
sample
developement
concept
story
report
icq_number
e-mail
phone_number
personal_message
photo_document
order
important_document
diggest
final_version
release
answer
bill
notice
requested_document
description
summary
picture_document
movie_document
approved_document
old_document
document
mail
letter
homepage
detailed_document
powerpoint_document
excel_document
word_document
info
information
text
new_document
textfile
user_list
improved_file
secound_document
file
number_list
contact_list
message
note
improved_document
details
instructions
presentation_document
abuse_list
archive
corrected_document
list
approved_file
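The message characteristics above are enough to build a mail-gateway filter for this variant. The following is an added example (not McAfee's code or part of the original description) that parses a message, flags attachments of the form <stem><digits>.PIF using the stem list above, and reports subject-pool matches without blocking on them, since "Hello" or "Hi" alone is far too generic. The sample messages and the helper build_sample are constructed for illustration; the forged From: address is recorded but never treated as evidence about the apparent sender.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pool and attachment-name stems listed in the description above.
# The worm appends a random number and a .PIF extension to one of the stems.
SUBJECTS = frozenset([
    "Hello!", "Hi!", "Re: Important", "Important", "Re: My details", "My details",
    "Re: Your information", "Your information", "Re: Your details", "Your details",
    "Re: Your document", "Your document", "Re: Request", "Request",
    "Re: Thanks you!", "Thank you!", "Re: Approved", "Approved",
    "Re: Hello", "Re: Hi", "Hello", "Hi",
])
STEMS = """account postcard sample developement concept story report icq_number
e-mail phone_number personal_message photo_document order important_document
diggest final_version release answer bill notice requested_document description
summary picture_document movie_document approved_document old_document document
mail letter homepage detailed_document powerpoint_document excel_document
word_document info information text new_document textfile user_list
improved_file secound_document file number_list contact_list message note
improved_document details instructions presentation_document abuse_list archive
corrected_document list approved_file""".split()

# <stem><digits>.pif, case-insensitive; "e-mail" contains a regex metacharacter, so escape.
ATTACH_RE = re.compile(
    r"^(?:" + "|".join(re.escape(s) for s in STEMS) + r")\d+\.pif$", re.IGNORECASE
)


def score_message(raw: bytes) -> dict:
    """Classify one RFC 822 message. The block decision hinges on the attachment;
    the subject pool is reported only as supporting evidence, and From: is forged
    from harvested addresses, so it is returned for the report but not scored."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(("subject", subject))
    worm_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if ATTACH_RE.match(name):
            hits.append(("netsky_pif", name))
            worm_attachment = True
        elif name.lower().endswith(".pif"):
            hits.append(("other_pif", name))  # not this worm, but worth quarantining
    return {"block": worm_attachment, "hits": hits,
            "claimed_from": str(msg["From"] or "")}


def build_sample(sender: str, subject: str, attachment: str = "") -> bytes:
    """Constructed test message (hypothetical, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content("Please read the attached document.")
    if attachment:
        m.add_attachment(b"MZ" + b"\0" * 30, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    worm = build_sample("forged.sender@example.org", "Re: Your document",
                        "important_document87.pif")
    print(score_message(worm))
    print(score_message(build_sample("bob@example.org", "Hello", "agenda.pdf")))
```

Because the stems are matched only with trailing digits and a .PIF extension, a legitimate file such as document.pif is not caught by the worm rule; widen the check to any .PIF attachment if the gateway policy allows it.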
Denial of Service
If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:
www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am
System Changes
The worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:
%WinDir%\EASYAV.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:
%WinDir%\UINMZERTINMDS.OPM
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Symptoms
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
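The network symptoms above (lookups to the worm's embedded resolver list, a listener on TCP 6789, and mail sent through the worm's own SMTP engine rather than the corporate relay) can be checked against firewall logs. The following is an added example, not part of the original description or any McAfee tool; the log line layout, the constructed SAMPLE_LOG and the 10.0.0.0/8 local range are assumptions, and the resolver set is the IP list from the Symptoms section. Hosts are flagged only when two distinct indicators coincide, because a single outbound SMTP connection or one stray DNS packet is not evidence on its own.

```python
import re
from collections import defaultdict

# Resolver addresses carried inside the worm (Symptoms section above) and the
# TCP port its remote-access component listens on.
WORM_DNS = frozenset("""212.44.160.8 195.185.185.195 151.189.13.35 213.191.74.19
193.189.244.205 145.253.2.171 193.141.40.42 194.25.2.134 194.25.2.133 194.25.2.132
194.25.2.131 193.193.158.10 212.7.128.165 212.7.128.162 193.193.144.12 217.5.97.137
195.20.224.234 194.25.2.130 194.25.2.129 212.185.252.136 212.185.253.70
212.185.252.73""".split())
BACKDOOR_PORT = 6789

# Assumed firewall log layout, one connection per line; adapt to the real source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample, not a real capture: 10.1.2.34 shows all three indicators,
# 10.1.2.50 uses the corporate resolver, 10.1.0.25 is the legitimate mail relay.
SAMPLE_LOG = """\
2004-04-06T10:02:11 proto=udp src=10.1.2.34:1031 dst=194.25.2.133:53
2004-04-06T10:02:12 proto=tcp src=10.1.2.34:1032 dst=203.0.113.25:25
2004-04-06T10:02:13 proto=tcp src=10.1.2.34:1033 dst=203.0.113.77:25
2004-04-06T10:05:40 proto=tcp src=198.51.100.9:44123 dst=10.1.2.34:6789
2004-04-06T10:06:02 proto=udp src=10.1.2.50:1040 dst=10.1.0.5:53
2004-04-06T10:06:03 proto=tcp src=10.1.0.25:2201 dst=203.0.113.25:25
garbage line that should be ignored
"""


def triage(lines, local_nets=("10.",), mail_relays=frozenset(),
           allowed_resolvers=frozenset()):
    """Map host -> list of (indicator, detail) for the three network indicators:
    lookups to the worm's embedded resolvers, connections to the TCP 6789
    backdoor, and direct outbound SMTP from a host that is not a mail relay."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        proto, src, dst, dport = m["proto"], m["src"], m["dst"], int(m["dport"])
        if (proto == "udp" and dport == 53 and dst in WORM_DNS
                and dst not in allowed_resolvers):
            findings[src].append(("worm_resolver", dst))
        elif proto == "tcp" and dport == BACKDOOR_PORT and dst.startswith(local_nets):
            findings[dst].append(("backdoor_6789", src))
        elif (proto == "tcp" and dport == 25 and src.startswith(local_nets)
                and src not in mail_relays):
            findings[src].append(("direct_smtp", dst))
    return dict(findings)


def likely_infected(findings, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicator types."""
    return sorted(host for host, items in findings.items()
                  if len({kind for kind, _ in items}) >= min_indicators)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines(), mail_relays={"10.1.0.25"},
                   allowed_resolvers={"10.1.0.5"})
    for host, items in found.items():
        print(host, items)
    print("likely infected:", likely_infected(found))
```

Pass the organisation's own resolvers in allowed_resolvers: the embedded list is made up of public ISP resolvers, so a site that legitimately uses one of them would otherwise flag every client.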
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
Removal Instructions
All Users
The current engine/DAT files are required for detection and removal.
Additional Windows ME/XP removal considerations
Stinger
Stinger has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed and choose Safe Mode).
Delete the following files from the infected machine:
%WinDir%\EASYAV.EXE
%WinDir%\UINMZERTINMDS.OPM
Edit the registry
Remove the following Registry key which the worm adds to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
Reboot the system into default mode
McAfee Threatscan
Detection of the W32/Netsky.s@MM virus is available in the generic Netsky detection module.
ThreatScan signatures that can detect the W32/Netsky.s@MM virus are available from:
Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt
ThreatScan Signature version: 2004-04-06
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
Select the "Other" category and "Scan All Vulnerabilities" template.
For additional information:
Run the "ThreatScan Template Report"
Look for module number #4066
Variants
Name Type Sub Type Differences
no known variants
Aliases
Name
W32/Netsky-S (Sophos)
W32/Netsky.S.worm (Panda)
WORM_NETSKY.S (Trend)