BitDefender Antivirus

Win32.Netsky.AB@mm

Propagation: high
Damage: low
Size: 17408 bytes
Detected: 2004 Apr 27

SYMPTOMS:

The file winlogon.scr in the %windir% folder
The presence of the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge with value
%WINDIR%\winlogon.scr

TECHNICAL DESCRIPTION:

The worm has the following e-mail format:

Attachment:
Randomly chosen from the following list:
"Your_Document.pif"
"Your_Document.pif"
"Your_Text.pif"
"Your_Document_Part3.pif"
"Your_Details.pif"
"Your_Pics.pif"
"Your_Private_Document.pif"
"Your_Information.pif"
"Your_Document.pif"
"Your_Digicam_Pictures.pif"
"Your_Summary.pif"
"Your_Description.pif"
"Your_Music.pif"
"Your_Software.pif"
"My_Telephone_Numbers.pif"
"Your_List.pif"
"Your_Text_File.pif"
"Your_Paint_File.pif"
"Your_Contacts.pif"
"Your_E-Books.pif"
"Your_Bill.pif"
"Your_Error.pif"
"Your_Excel_Document.pif"
"Your_Letter.pif"
"Your_Product.pif"
"Your_Website.pif"
"Your_Movie.pif"
"Your_Presentation.pif"
"My_Advice.pif"
"My_Fax_Numbers.pif"
"Your_Product_List.pif"
"Osam_Bin_Laden_Articel_42.pif"
"Your_Demo.pif"
"Your_Final_Document.pif"
"Your_Poster.pif"
"Your_Patch.pif"
"Your_Pricelist.pif"
"Your_Job.pif"


Body:

Randomly chosen from the following list:

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

Subject:

Randomly chosen from the following list:

"Re: Document"
"Re: Approved"
"Re: Text"
"Re: Thank you!"
"Re: Details"
"Re: Photos"
"Re: Private"
"Re: Information"
"Re: Hi"
"Re: Hello"
"Re: Summary"
"Re: Step by Step"
"Re: Music"
"Re: Application"
"Re: Tel. Numbers"
"Re: List"
"Re: Text file"
"Re: Paint file"
"Re: Contacts"
"Re: e-Books"
"Re: Bill"
"Re: Error"
"Re: Missed"
"Re: Letter"
"Re: Product"
"Re: Website"
"Re: Movie"
"Re: Presentation"
"Re: Advice"
"Re: Fax number"
"Re: Cheaper"
"Re: War"
"Re: Demo"
"Re: Final"
"Re: Poster"
"Re: Patch"
"Re: Pricelist"
"Re: Job"
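The fixed subject, body and attachment strings above make the worm's messages easy to spot at a mail gateway. The following is an added example, not BitDefender's code: it triages constructed sample messages against a subset of the lists from this advisory (extend the sets with the full lists), blocking only when a listed .pif name is combined with a listed subject or body.

```python
# Added example: gateway triage for Win32.Netsky.AB@mm-style messages.
# The sets below are a SUBSET of the advisory's lists; the samples are constructed.

# Subset of the attachment names in the advisory (compared case-insensitively).
NETSKY_ATTACHMENTS = {
    "your_document.pif", "your_text.pif", "your_details.pif", "your_pics.pif",
    "your_bill.pif", "your_patch.pif", "your_pricelist.pif", "your_job.pif",
    "my_telephone_numbers.pif", "my_fax_numbers.pif",
}
# Subset of the subjects in the advisory.
NETSKY_SUBJECTS = {
    "re: document", "re: approved", "re: text", "re: details", "re: bill",
    "re: patch", "re: pricelist", "re: job", "re: tel. numbers", "re: war",
}
# Subset of the body texts in the advisory (the misspelling is the worm's own string).
NETSKY_BODIES = {
    "your document is attached.", "here is the file.",
    "please read the attached file.", "for furher details see the attached file.",
}

def score_message(subject: str, body: str, attachments: list[str]) -> tuple[str, list[str]]:
    """Return (verdict, reasons): 'block' needs a listed .pif name plus a listed
    subject or body, 'review' flags any single indicator, 'pass' otherwise."""
    reasons = []
    if any(a.lower() in NETSKY_ATTACHMENTS for a in attachments):
        reasons.append("attachment name from Netsky.AB list")
    elif any(a.lower().endswith(".pif") for a in attachments):
        reasons.append(".pif attachment")  # weak alone, but Netsky.AB only ships .pif
    if subject.strip().lower() in NETSKY_SUBJECTS:
        reasons.append("subject from Netsky.AB list")
    if any(text in body.lower() for text in NETSKY_BODIES):
        reasons.append("body text from Netsky.AB list")
    if "attachment name from Netsky.AB list" in reasons and len(reasons) >= 2:
        return "block", reasons
    return ("review" if reasons else "pass"), reasons

# Constructed sample messages: (id, subject, body, attachment names).
SAMPLES = [
    ("m1", "Re: Details", "Your document is attached.", ["Your_Details.pif"]),
    ("m2", "Re: Meeting", "Agenda attached", ["agenda.pdf"]),
    ("m3", "Re: Hi", "Here is the file.", ["notes.txt"]),
    ("m4", "Invoice", "see attached", ["Your_Bill.pif"]),
]

def triage(samples=SAMPLES) -> dict[str, str]:
    """Map each sample id to its verdict."""
    return {mid: score_message(s, b, atts)[0] for mid, s, b, atts in samples}

if __name__ == "__main__":
    for mid, verdict in triage().items():
        print(mid, verdict)
```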

When the worm is executed it creates the following mutex to ensure that only
one instance of itself is running:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Then it copies itself to the %WINDIR% folder under the name:
Winlogon.scr
and adds the following registry value so that it runs at every logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge with value
%WINDIR%\winlogon.scr
After this it creates one thread to search for e-mail addresses and 8 threads to send itself to all e-mail addresses it finds.
When first run it displays a message box with the following text:
Error
Out of system memory

The worm searches for e-mail addresses on physical drives from c: to z:.
It will only search for e-mail addresses in files with the following extensions:
.eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb
.dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt

At the same time it sends itself to all e-mail addresses it finds, skipping any address containing one of the following strings:
"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"
"orman"
"cafee"
"aspersky"
"f-pro"
"orton"
"fbi"
"abuse"
"messagelabs"
"skynet"
"andasoftwa"
"freeav"
"sophos"
"antivir"
"iruslis"

Removal instructions:

Automatic removal: let BitDefender disinfect infected files

ANALYZED BY:

Sorin Victor Dudea, BitDefender AntiVirus Researcher