W32/Bagle.DQ@mm - Released Sep 20, 2005 - Last Updated Apr 28, 2006

Alias/es

W32/Bagle.DQ!mm, W32/Bagle.DQ-mm

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The file "windll2.exe" exists in the %SYSTEM% folder.
  • Possible firewall alert indicating that an executable is attempting to connect to the Internet and functioning as a server.
  • Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 25 (SMTP email).

Detailed Analysis

  • Creates the following named mutexes, which may prevent variants of W32/Netsky from executing:

    MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    'D'r'o'p'p'e'd'S'k'y'N'e't'
    _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    [SkyNet.cz]SystemsMutex
    AdmSkynetJklS003
    ____--->>>>U<<<<--____
    _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

  • Creates a copy of itself in the %SYSTEM% folder as "windll2.exe" and then registers itself to run at each Windows startup by adding the entry:

    "erthegdr" = "%SYSTEM%\windll2.exe"

    to the following registry subkey:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
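    The following host triage routine is an added example written for this page, not Fortinet code. It matches the persistence value name, dropped file name and mutex names listed above against constructed sample input; the Run value names and data are assumed to have been exported from the standard HKCU\...\CurrentVersion\Run key, and the sample entries are made up for illustration.

```python
from typing import Dict, Iterable, List

# Indicators taken from the W32/Bagle.DQ@mm description on this page.
DROPPED_FILE = "windll2.exe"
RUN_VALUE_NAME = "erthegdr"
MUTEX_NAMES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}


def check_run_entries(run_entries: Dict[str, str]) -> List[str]:
    """Flag Run-key values whose name is 'erthegdr' or whose data points at windll2.exe."""
    findings = []
    for name, data in run_entries.items():
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"run-key persistence: {name} = {data}")
    return findings


def check_system_files(system_dir_listing: Iterable[str]) -> List[str]:
    """Report the dropped file if it appears in a listing of the %SYSTEM% folder."""
    names = {n.lower() for n in system_dir_listing}
    return [f"dropped file present: {DROPPED_FILE}"] if DROPPED_FILE in names else []


def check_mutexes(observed: Iterable[str]) -> List[str]:
    """Report any observed mutex name that is on the page's list."""
    hits = sorted(MUTEX_NAMES.intersection(observed))
    return [f"known mutex: {m}" for m in hits]


def triage(run_entries: Dict[str, str], system_files: Iterable[str], mutexes: Iterable[str]) -> List[str]:
    """Combine the three checks into one list of findings for a host."""
    return check_run_entries(run_entries) + check_system_files(system_files) + check_mutexes(mutexes)


# Constructed sample input (not from a real host): one benign Run entry plus the persistence entry,
# a %SYSTEM% listing containing the dropped file, and one matching mutex among unrelated ones.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "erthegdr": r"C:\WINDOWS\system32\windll2.exe",
}
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "windll2.exe", "ntdll.dll"]
SAMPLE_MUTEXES = ["Local\\ZonesCounterMutex", "AdmSkynetJklS003"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_ENTRIES, SAMPLE_SYSTEM_FILES, SAMPLE_MUTEXES):
        print(finding)
```

    On a live system the three inputs would come from a registry export, a directory listing and a handle enumeration; the matching logic is case-insensitive on file and value names because the page's spelling may differ from what the file system returns.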

  • Attempts to delete the following registry entries:

    My AV
    Zone Labs Client Ex
    9XHtProtect
    Antivirus
    Special Firewall Service
    service
    Tiny AV
    ICQNet
    HtProtect
    Jammer2nd
    FirewallSvr
    MsInfo
    SysMonXP
    EasyAV
    PandaAVEngine
    Norton Antivirus AV
    KasperskyAVEng
    SkynetsRevenge
    ICQ Net

    from the following locations:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
    HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

  • Attempts to delete the following registry entries if the date is after September 22, 2009:

    HKCU\Software\ewrt
    HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n, "erthegdr"

  • Attempts to terminate the following processes:
    1t1epad.exe
    t1es1t.exe

  • Attempts to download files from the following URLs:

    http: //localhost/sss.php
    http: //localhost/script2.php
    http: //localhost/script3.php

    stores them as "%SYSTEM%\re_file.exe" and executes them.

  • Opens a back door on TCP port 80, which may allow the compromised computer to act as a proxy server.

  • Attempts to download files from the following URLs:

    http: //clickhare.com/images/web.php
    http: //amerikansk-bulldog.dk/images/web.php
    http: //eventpeopleforyou.com/help/web.php
    http: //fyeye.com/lyra/web.php
    http: //ligapichangueras.cl/images/web.php
    http: //ekshrine.com/images/web.php
    http: //directeenhuis.nl/images/web.php
    http: //creacionesartisticasandaluzas.com/bovedas/web.php

    and stores them as "%WINDOWS%\eml.exe". The virus harvests email addresses from this file and sends a copy of "W32/Mitglieder.FS!tr" to those addresses.

    Avoids sending a copy of itself to email addresses that contain any of the following strings:

    @derewrdgrs
    @eerswqe
    @messagelab
    @microsoft
    anyone@
    certific
    contract@
    f-secur
    free-av
    gold-certs@
    google
    icrosoft
    listserv
    nobody@
    noone@
    noreply
    postmaster@
    rating@
    samples
    support


    Email Propagation

  • Body: One of the following:

    price
    new price
    The password is <image>
    Password: <image>


  • Attachment: One of the following:

    price.zip
    price2.zip
    price_new.zip
    price_09.zip
    09_price.zip
    newprice.zip
    new_price.zip
    new__price.zip
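    The following mail-gateway scoring function is an added example written for this page, not Fortinet code. It flags messages whose body text or attachment name matches the lists above, using constructed sample messages. The third check generalises the "password is <image>" lure into a shape (a very short body mentioning a password, plus an image and a zip attachment); that generalisation is this example's assumption, not something stated on the page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Lure bodies and attachment names listed on this page for W32/Bagle.DQ@mm.
LURE_BODIES = {"price", "new price", "the password is", "password:"}
ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_09.zip",
    "09_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
IMAGE_EXT = re.compile(r"\.(gif|jpe?g|png|bmp)$", re.IGNORECASE)


@dataclass
class Message:
    body: str
    attachments: List[str] = field(default_factory=list)


def score_message(msg: Message) -> List[str]:
    """Return the reasons (possibly none) why a message resembles this worm's mail."""
    reasons = []
    body = msg.body.strip().lower()
    names = [a.lower() for a in msg.attachments]
    zips = [n for n in names if n.endswith(".zip")]

    # Exact attachment names from the page.
    if any(n in ATTACHMENT_NAMES for n in zips):
        reasons.append("attachment name matches Bagle.DQ list")

    # Body equal to, or starting with, one of the listed lure strings
    # (the page shows the password lures followed by an inline image).
    if body in LURE_BODIES or any(body.startswith(lure) for lure in LURE_BODIES):
        reasons.append("body matches Bagle.DQ lure text")

    # Assumed generalisation (not on the page): a near-empty body that mentions a password
    # and ships an image together with a zip is the password-in-image lure shape.
    if "password" in body and zips and len(body) < 40 and any(IMAGE_EXT.search(n) for n in names):
        reasons.append("password-in-image lure with zip attachment")
    return reasons


# Constructed sample messages (not real captures).
SAMPLE_PRICE = Message(body="new price", attachments=["price_09.zip"])
SAMPLE_PASSWORD = Message(body="Password:", attachments=["pwd.gif", "price.zip"])
SAMPLE_CLEAN = Message(body="Hi, the quarterly report is attached.", attachments=["report.pdf"])

if __name__ == "__main__":
    for label, msg in [("price", SAMPLE_PRICE), ("password", SAMPLE_PASSWORD), ("clean", SAMPLE_CLEAN)]:
        print(label, score_message(msg))
```

    A gateway would treat one reason as a soft signal and two or more as grounds to quarantine; the exact-name list on its own is brittle, which is why the body check is included.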

Recommended Action

    FortiGate systems:

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Reference: ID - 95118