W32/Netsky.X@mm
Analysis
Specifics
The virus is a 32-bit executable with a packed file size of 26,112 bytes.
The virus contains its own SMTP code to send itself
by email. It chooses the language of the subject and body
text from the suffix of each recipient's email address
[.tc, .se, .fi, .pl, .no, .pt, .it, .fr and .de] and may
compose emails in localized text. This virus may engage
in a DoS attack against three websites.
Load At Windows Startup
If the virus is run, it will write itself to the system
and modify the registry to auto run the virus at next
Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"FirewallSvr" = C:\WINNT\FirewallSvr.exe
The virus runs as a service in memory, and is referenced by the Mutex
"____--->>>>U<<<<--____"
Email Spreading
The virus contains code to send itself as an attachment
to an email, to email addresses found on the target
computer. The virus will scan the hard drive for email
addresses; for each address found, the virus will attempt
to use the mail exchange server related to the domain
of the email address found. For instance, if the email
address is "xyz" at company.com, the virus
will run a DNS query for the MX record for "xyz.company.com",
then try to send itself as an email attachment.
The virus searches inside numerous files for what it considers valid email addresses. The subject line and email body are chosen from a table of choices -
Suffix = .tc -
Subject: Re: belge (or) dokumenten
Body:
mutlu etmek okumak belgili tanimlik belge.
Attachment: .tc.pif
Suffix = .se -
Subject: Re: dokumenten (or) dokumentoida
Body:
Behaga lSsa dokumenten.
Attachment: .se.pif
Suffix = .fi -
Subject: Re: dokumentoida (or) udokumentowac
Body:
Haluta kuulua dokumentoida.
Attachment: .fi.pif
Suffix = .pl -
Subject: Re: udokumentowac (or) dokumentet
Body:
Podobac sie przeczytac ten udokumentowac.
Attachment: .pl.pif
Suffix = .no -
Subject: Re: dokumentet (or) original
Body:
Behage lese dokumentet.
Attachment: .no.pif
Suffix = .pt -
Subject: Re: original (or) documento
Body:
Leia por favor o original.
Attachment: .pt.pif
Suffix = .it -
Subject: Re: documento
Body:
Legga prego il documento.
Attachment: .it.pif
Suffix = .fr -
Subject: dokument
Body:
Veuillez lire le document.
Attachment: .fr.com
Suffix = .de -
Subject: Re: dokument
Body:
Bitte lesen Sie das Dokument.
Attachment: .de.pif
All other suffixes -
Subject: document (or) Re: document
Body:
Please read the document.
Attachment: .xx.pif
The "From" field is forged, and the file
attachment will be a copy of the virus.
The attachment may be a Base64 encoded copy of the virus.
The virus stores a Base64 copy of the virus onto the
infected system -
c:\WINNT\fuck_you_bagle.txt - 35,784 bytes - Base64 encoded copy of the virus
Denial Of Service Attack Payload
This virus contains instructions to send HTTP GET requests
to three web servers in an attempt to knock them offline.
The targeted web domains are -
www.educa.ch
www.medinfn.ufl.edu
www.nibis.de
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Variants of this virus can be blocked by FortiGate; using the FortiGate manager, enable blocking of .PIF & .EXE files using SMTP, POP3 and IMAP services
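As an added illustration of the lure table above and the attachment-blocking recommendation (example code written for this page, not Fortinet's or the virus author's), the following mail-filter check maps a recipient suffix to the localized lure the page documents and flags .PIF/.EXE attachments. The sample message, its addresses and the attachment filename "document.de.pif" are constructed; the page's "(or)" subject alternatives are ambiguous about the "Re: " prefix, so matching ignores it.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure table transcribed from this page: recipient suffix -> (subject words, body, attachment suffix).
NETSKY_X_LURES = {
    ".tc": ({"belge", "dokumenten"}, "mutlu etmek okumak belgili tanimlik belge.", ".tc.pif"),
    ".se": ({"dokumenten", "dokumentoida"}, "Behaga lSsa dokumenten.", ".se.pif"),
    ".fi": ({"dokumentoida", "udokumentowac"}, "Haluta kuulua dokumentoida.", ".fi.pif"),
    ".pl": ({"udokumentowac", "dokumentet"}, "Podobac sie przeczytac ten udokumentowac.", ".pl.pif"),
    ".no": ({"dokumentet", "original"}, "Behage lese dokumentet.", ".no.pif"),
    ".pt": ({"original", "documento"}, "Leia por favor o original.", ".pt.pif"),
    ".it": ({"documento"}, "Legga prego il documento.", ".it.pif"),
    ".fr": ({"dokument"}, "Veuillez lire le document.", ".fr.com"),
    ".de": ({"dokument"}, "Bitte lesen Sie das Dokument.", ".de.pif"),
}
DEFAULT_LURE = ({"document"}, "Please read the document.", ".xx.pif")
BLOCKED_EXT = (".pif", ".exe")  # attachment types the page recommends blocking on SMTP/POP3/IMAP

def lure_for(recipient):
    # The virus picks the lure from the last label of the recipient address (e.g. ".de").
    suffix = "." + recipient.rsplit(".", 1)[-1].lower()
    return NETSKY_X_LURES.get(suffix, DEFAULT_LURE)

def scan_message(raw):
    # Returns findings for one RFC 822 message: blocked attachment types and lure-template matches.
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    findings = [f"blocked attachment type: {n}" for n in names if n.lower().endswith(BLOCKED_EXT)]
    subject = str(msg["Subject"] or "")
    subject = subject[4:] if subject.lower().startswith("re: ") else subject  # "(or)" ambiguity
    words, body, att_suffix = lure_for(str(msg["To"] or ""))
    part = msg.get_body(preferencelist=("plain",))
    body_text = part.get_content().strip() if part else ""
    if subject in words and body_text == body and any(n.lower().endswith(att_suffix) for n in names):
        findings.append(f"matches Netsky.X localized lure for {msg['To']}")
    return findings

def build_sample():
    # Constructed sample resembling the .de lure described above; addresses and filename are made up.
    m = EmailMessage()
    m["From"] = "forged.sender@example.org"
    m["To"] = "user@example.de"
    m["Subject"] = "Re: dokument"
    m.set_content("Bitte lesen Sie das Dokument.")
    m.add_attachment(b"not-a-real-binary", maintype="application", subtype="octet-stream", filename="document.de.pif")
    return m.as_string()
```

Running `scan_message(build_sample())` reports both the blocked .pif attachment and the matching .de lure, while a plain text message with no attachment yields no findings.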
Telemetry
Detection Availability
Product | Signature Database |
---|---|
FortiGate | Extreme |
FortiClient | Extended |
FortiMail | Extended |
FortiSandbox | Extended |
FortiWeb | Extended |
Web Application Firewall | Extended |
FortiIsolator | Extended |
FortiDeceptor | Extended |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2023-11-22 | 91.09040 | |
2020-11-10 | 81.73400 | Sig Updated |
2020-09-02 | 80.07200 | Sig Updated |
2019-08-27 | 71.17600 | Sig Updated |
2019-07-27 | 70.28000 | Sig Updated |
2019-07-23 | 70.18500 | Sig Updated |
2019-01-29 | 65.99600 | Sig Updated |
2018-12-28 | 65.22300 | Sig Updated |
2018-12-28 | 65.22200 | Sig Updated |
2018-12-28 | 65.22000 | Sig Updated |