W32/Netsky.X@mm

Analysis


Specifics
The virus is a 32-bit executable with a packed file size of 26,112 bytes. It contains its own SMTP code to send itself by email. The virus selects the language of the email body from the suffix of the recipient's address: for the suffixes .tc, .se, .fi, .pl, .no, .pt, .it, .fr and .de it composes the email in localized text. This virus may also engage in a DoS attack against three websites.


Load At Windows Startup
If the virus is run, it writes itself to the system and modifies the registry so that it is run automatically at the next Windows startup -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"FirewallSvr" = C:\WINNT\FirewallSvr.exe

The virus runs as a service in memory and is referenced by the mutex

"____--->>>>U<<<<--____"


Email Spreading
The virus contains code to send itself as an email attachment to addresses found on the infected computer. It scans the hard drive for email addresses; for each address found, it attempts to use the mail exchange server for the domain of that address. For instance, if the email address is "xyz" at company.com, the virus runs a DNS query for the MX record for "xyz.company.com" and then tries to send itself as an email attachment.

The virus searches inside numerous files for what it considers valid email addresses. The subject line and email body are chosen from a table of choices -

Suffix = .tc
Subject: Re: belge (or) dokumenten
Body:
mutlu etmek okumak belgili tanimlik belge.
Attachment: .tc.pif

Suffix = .se
Subject: Re: dokumenten (or) dokumentoida
Body:
Behaga lSsa dokumenten.
Attachment: .se.pif

Suffix = .fi
Subject: Re: dokumentoida (or) udokumentowac
Body:
Haluta kuulua dokumentoida.
Attachment: .fi.pif

Suffix = .pl
Subject: Re: udokumentowac (or) dokumentet
Body:
Podobac sie przeczytac ten udokumentowac.
Attachment: .pl.pif

Suffix = .no
Subject: Re: dokumentet (or) original
Body:
Behage lese dokumentet.
Attachment: .no.pif

Suffix = .pt
Subject: Re: original (or) documento
Body:
Leia por favor o original.
Attachment: .pt.pif

Suffix = .it
Subject: Re: documento
Body:
Legga prego il documento.
Attachment: .it.pif

Suffix = .fr
Subject: dokument
Body:
Veuillez lire le document.
Attachment: .fr.com

Suffix = .de
Subject: Re: dokument
Body:
Bitte lesen Sie das Dokument.
Attachment: .de.pif

All other suffixes
Subject: document (or) Re: document
Body:
Please read the document.
Attachment: .xx.pif

The "From" field is forged, and the attachment is a copy of the virus, which may be Base64 encoded. The virus also stores a Base64-encoded copy of itself on the infected system -

c:\WINNT\fuck_you_bagle.txt - 35,784 bytes - Base64 encoded copy of the virus
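As an added example (not part of the Fortinet analysis above), the following Python mail-filter check flags messages carrying the subject lines and localized attachment names listed in the table, and notes when the attachment suffix matches the recipient's address suffix as the worm's language-selection logic would produce. It assumes attachment names end in the listed suffix (e.g. "something.de.pif"); the two sample messages are constructed for the test and are not real worm traffic.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines transcribed from the table above (compared case-insensitively).
SUBJECTS = {"re: belge", "dokumenten", "re: dokumenten", "dokumentoida",
            "re: dokumentoida", "udokumentowac", "re: udokumentowac", "dokumentet",
            "re: dokumentet", "original", "re: original", "documento", "re: documento",
            "dokument", "re: dokument", "document", "re: document"}
# Attachment names end in a localisation suffix plus .pif (.com for .fr); either is accepted.
ATTACH_RE = re.compile(r"\.(tc|se|fi|pl|no|pt|it|fr|de|xx)\.(pif|com)$", re.I)


def netsky_x_indicators(raw: bytes) -> list[str]:
    """Return the Netsky.X traits seen in one RFC 822 message; [] means none."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    # Recipient TLD, used to confirm the worm's language-selection logic.
    recipient_tld = parseaddr(msg["To"] or "")[1].rsplit(".", 1)[-1].lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = ATTACH_RE.search(name)
        if m:
            hits.append(f"attachment:{name}")
            if m.group(1).lower() == recipient_tld:
                hits.append("localised-for-recipient")
    return hits


def build_sample(subject: str, to: str, body: str, attachment: str) -> bytes:
    """Constructed test message, not real worm traffic; the From header is forged."""
    m = EmailMessage()
    m["From"] = "forged.sender@example.org"
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: one mimicking the .de localisation, one benign.
SAMPLE_WORM = build_sample("Re: dokument", "user@example.de",
                           "Bitte lesen Sie das Dokument.", "document.de.pif")
SAMPLE_BENIGN = build_sample("Quarterly report", "user@example.de",
                             "See attached.", "report.pdf")
```

A subject hit alone is weak evidence (words like "original" or "document" are common); treat the attachment pattern as the decisive trait and the other hits as corroboration.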


Denial Of Service Attack Payload
This virus contains instructions to send GET requests to three web servers in an attempt to knock them offline. The targeted domains are -

www.educa.ch
www.medinfn.ufl.edu
www.nibis.de


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Variants of this virus can be blocked by FortiGate; using the FortiGate manager, enable blocking of .PIF & .EXE files using SMTP, POP3 and IMAP services

Telemetry

Detection Availability

Product                     Level
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date Version Detail
2023-11-22 91.09040
2020-11-10 81.73400 Sig Updated
2020-09-02 80.07200 Sig Updated
2019-08-27 71.17600 Sig Updated
2019-07-27 70.28000 Sig Updated
2019-07-23 70.18500 Sig Updated
2019-01-29 65.99600 Sig Updated
2018-12-28 65.22300 Sig Updated
2018-12-28 65.22200 Sig Updated
2018-12-28 65.22000 Sig Updated