W32/Netsky.q@MM

03/30/04 - W32/Netsky.q@MM

A new variant of W32/Netsky@MM has been received. Like its predecessors, it spreads through email. The main component is 28,008 bytes long and is packed with Petite.

When run, the worm copies itself to the Windows directory as:

SysMonXP.exe

It creates the following files in the same directory:

c:\WINDOWS\base64.tmp
c:\WINDOWS\firewalllogger.txt
c:\WINDOWS\zipo0.txt (Base64 encoded)
c:\WINDOWS\zipo1.txt (Base64 encoded)
c:\WINDOWS\zipo2.txt (Base64 encoded)
c:\WINDOWS\zipo3.txt (Base64 encoded)
c:\WINDOWS\zippedbase64.tmp
c:\WINDOWS\sysmonxp.exe

Note: The four Base64-encoded zipo*.txt files are not identical copies; they differ from one another at the binary level.

The following registry value is created so that the worm is started again at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SysMonXP" = C:\WINDOWS\SysMonXP.exe

Note: c:\WINDOWS above stands for the Windows directory (%WinDir%), which may be a different path on your system.
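The host indicators above (dropped file names and the Run value) can be checked with a short triage script. The following is an added example written for this page, not a tool from the advisory or from McAfee: the file names and the "SysMonXP" value name are taken from the list above, the function names are this example's own, and the registry read uses Python's winreg module, so it is skipped (returns None) on a non-Windows host. The file check matches on names only and can be pointed at any directory, which is how it can be tried offline.

```python
"""Host triage for the W32/Netsky.q@MM indicators listed above (added example,
not from the original advisory). Checks the Windows directory for the dropped
files and HKLM\\...\\Run for the "SysMonXP" value."""
import ntpath
import os
import sys

# File names the worm drops into the Windows directory (from the advisory).
DROPPED_FILES = (
    "SysMonXP.exe", "base64.tmp", "firewalllogger.txt",
    "zipo0.txt", "zipo1.txt", "zipo2.txt", "zipo3.txt", "zippedbase64.tmp",
)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysMonXP"


def match_dropped_files(names):
    """Return the advisory file names present in an iterable of names.
    Comparison is case-insensitive because the Windows file system is."""
    present = {n.lower() for n in names}
    return [f for f in DROPPED_FILES if f.lower() in present]


def find_dropped_files(windir):
    """List the dropped files that exist in windir; [] if it cannot be read."""
    try:
        return match_dropped_files(os.listdir(windir))
    except OSError:
        return []


def run_value_is_suspicious(data):
    """True if a Run value's data launches SysMonXP.exe from any directory.
    Matching on the file name rather than the full C:\\WINDOWS path keeps the
    check valid when %WinDir% is somewhere else (for example C:\\WINNT)."""
    if not data:
        return False
    exe = data.strip().strip('"')  # tolerate a quoted path
    return ntpath.basename(exe).lower() == "sysmonxp.exe"


def read_run_value():
    """Read HKLM\\...\\Run\\SysMonXP; None if absent or if winreg is unavailable."""
    try:
        import winreg
    except ImportError:  # not a Windows host
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            return winreg.QueryValueEx(key, RUN_VALUE)[0]
    except OSError:  # key or value missing
        return None


def triage(windir=None):
    """Gather both indicator checks for this host into one dict."""
    windir = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    data = read_run_value()
    return {
        "windir": windir,
        "dropped_files": find_dropped_files(windir),
        "run_value": data,
        "run_value_suspicious": run_value_is_suspicious(data),
    }


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else None)
    infected = bool(result["dropped_files"]) or result["run_value_suspicious"]
    print("W32/Netsky.q@MM indicators %s" % ("FOUND" if infected else "not found"), result)
    sys.exit(1 if infected else 0)
```

Run it on the suspect machine with no argument to use %WinDir%, or pass a directory to check a mounted drive offline. A non-zero exit code means at least one indicator was found; a clean result from this script is not proof the host is clean, since it checks only the names given above and not the file contents.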

Mail Propagation

The worm arrives as an email attachment on a message disguised as a delivery-failure notice. The subject, body and attachment name vary. Some examples are as follows:

Subject (one of the following, where %recipient email address% is the address the message is sent to):

Delivery Bot (%recipient email address%)
Server Error (%recipient email address%)
Deliver Mail (%recipient email address%)
Delivery Failed (%recipient email address%)
Unknown Exception (%recipient email address%)
Failed (%recipient email address%)
Failure (%recipient email address%)
Status (%recipient email address%)
Error (%recipient email address%)
Delivered Message (%recipient email address%)
Mail System (%recipient email address%)
Mail Delivery System (%recipient email address%)
Mail Delivery failure (%recipient email address%)
Delivery (%recipient email address%)
Delivery Failure (%recipient email address%)
Delivery Error (%recipient email address%)
Body (one of the following):

Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery Failure - This mail couldn't be shown
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery - This mail couldn't be displayed

The worm also exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (Microsoft Security Bulletin MS01-020; affects IE 5.01 and IE 5.5 without Service Pack 2). On an unpatched system the attachment runs automatically as soon as the message is opened or previewed, without the user having to open the attachment.

Attachment: the file name is assembled from the three parts below: a base name (Part 1), an optional numeric suffix (Part 2) and an extension (Part 3).

Part 1 (base name):

mail
msg
message
Note
data

Part 2 (suffix):

random numbers
nothing

Part 3 (extension):

pif
eml .scr
zip
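The subject, body and attachment-name patterns above, together with the MIME-header trick the worm relies on, are enough to write a gateway-side check. The following is an added example for this page, not code from the advisory or from any mail product: it parses a raw message with Python's email module and reports which of the listed traits it shows. The subject prefixes, body phrases and attachment name parts are copied from the lists above (the extension list is taken as pif, scr and zip). The sample message at the bottom is constructed; the example.com/example.org addresses, the function names and, in particular, the audio/x-wav Content-Type on the .pif attachment are assumptions made for the example, not details from the page. The MIME check is generic: it flags any executable extension declared under a non-application Content-Type.

```python
"""Gateway-side check for the W32/Netsky.q@MM mail pattern (added example, not
from the advisory). Reports the listed traits found in a raw message."""
import email
import re
from email import policy

# Subject prefixes, body phrases and attachment name parts as listed in the advisory.
SUBJECT_PREFIXES = {
    "Delivery Bot", "Server Error", "Deliver Mail", "Delivery Failed", "Unknown Exception",
    "Failed", "Failure", "Status", "Error", "Delivered Message", "Mail System",
    "Mail Delivery System", "Mail Delivery failure", "Delivery", "Delivery Failure",
    "Delivery Error",
}
BODY_PHRASES = (
    "Received message has been sent as a binary file.",
    "Modified message has been sent as a binary attachment.",
    "Received message has been sent as an encoded attachment.",
    "Translated message has been attached.", "Message has been sent as a binary attachment.",
    "Received message has been attached.", "The message has been sent as a binary attachment.",
    "Partial message is available and has been sent as a binary attachment.",
    "Delivery Agent - Translation failed", "Delivery Failure - Invalid mail specification",
    "Mail Delivery Failure - This mail couldn't be shown",
    "Mail Delivery System - This mail contains binary characters",
    "Mail Transaction Failed - This mail couldn't be converted",
    "Mail Delivery Error - This mail contains unicode characters",
    "Mail Delivery Failed - This mail couldn't be represented",
    "Mail Delivery - This mail couldn't be displayed",
)
NAME_WORDS, EXTENSIONS = ("mail", "msg", "message", "note", "data"), ("pif", "scr", "zip")
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}  # run directly by Windows; .zip is a container

SUBJECT_RE = re.compile(r"^(?P<prefix>.+?) \((?P<addr>[^()]+)\)$")
ATTACH_RE = re.compile(r"^(?:%s)\d*\.(?:%s)$" % ("|".join(NAME_WORDS), "|".join(EXTENSIONS)),
                       re.IGNORECASE)


def subject_matches(subject, recipient):
    """True for '<listed prefix> (<recipient address>)', the worm's fake-bounce subject."""
    m = SUBJECT_RE.match(subject.strip())
    if m is None:
        return False
    return m.group("prefix") in SUBJECT_PREFIXES and m.group("addr").lower() == recipient.lower()


def body_matches(text):
    """True if the body contains one of the listed phrases, ignoring line wrapping."""
    flat = " ".join(text.split())
    return any(phrase in flat for phrase in BODY_PHRASES)


def attachment_matches(filename):
    """True for names built as <word><optional digits>.<pif|scr|zip>."""
    return ATTACH_RE.match(filename or "") is not None


def mime_mismatch(part, filename):
    """True when an executable extension is declared under a non-application
    Content-Type (e.g. a .pif labelled audio/x-wav), the MIME-header trick."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXECUTABLE_EXTS and not part.get_content_type().startswith("application/")


def scan_message(raw, recipient):
    """Return the traits found in a raw RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if subject_matches(str(msg["subject"] or ""), recipient):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_matches(body.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_matches(name):
            hits.append("attachment-name")
        if mime_mismatch(part, name):
            hits.append("mime-mismatch")
    return hits


# Constructed sample in the shape the advisory describes; not a real capture, and the
# audio/x-wav label is an assumption about how the worm abused the MIME header.
SAMPLE = """\
From: postmaster@example.com
Subject: Delivery Failed (alice@example.org)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail Delivery Failed - This mail couldn't be represented
--b1
Content-Type: audio/x-wav; name="message42.pif"
Content-Disposition: attachment; filename="message42.pif"

(placeholder for the attachment body)
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE, "alice@example.org"))
```

A genuine bounce such as "Delivery Status Notification (Failure)" does not match the subject rule, because neither the prefix nor the parenthesised text fits the worm's template; in practice the mime-mismatch trait is the one worth blocking on by itself, since a legitimate sender has no reason to label a .pif or .scr as audio.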

More info on this worm:
http://vil.nai.com/vil/content/v_101145.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101145.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
