W32/Netsky.Q@mm
Analysis
Specifics
The virus is a 32-bit executable with a packed file size of
28,008 bytes, and is a variant of W32/Netsky.P@mm. The virus
contains its own SMTP code to send itself by email. It
uses a combination of multiple subject line and body
text possibilities, and implements a known exploit to
automatically launch attached executables within email
messages. The virus also encrypts the majority of its
code. The virus contains a denial of service attack
which targets these web sites -
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st
Load At Windows Startup
If the virus is run, it writes itself to the system
and modifies the registry so that the virus is auto-run
at the next Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"SysMonXP" = C:\WINNT\SysMonXP.exe
The virus may write itself to the Windows folder under several names -
c:\WINNT\base64.tmp - Base64 encoded copy of virus
c:\WINNT\zipo0.txt - Base64 encoded copy of virus
c:\WINNT\zipo1.txt - Base64 encoded copy of virus
c:\WINNT\zipo2.txt - Base64 encoded copy of virus
c:\WINNT\zipo3.txt - Base64 encoded copy of virus
c:\WINNT\zippedbase64.tmp - Base64 encoded copy of the virus
c:\WINNT\sysmonxp.exe - 28,008 bytes - copy of virus
c:\WINNT\firewalllogger.txt - 23,040 bytes - virus component
While memory resident as a process, the virus is referenced by this Mutex name -
-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
Email Spreading
The virus contains code to send itself as an email
attachment to email addresses found on the infected
computer. The virus scans the hard drive for email
addresses; for each address found, it attempts to use
the mail exchange server related to the domain of that
address. For instance, if the email address is "xyz"
at company.com, the virus runs a DNS query for the MX
record for "xyz.company.com", then tries to send itself
as an email attachment.
The virus will avoid selecting email addresses which have any of these strings in its domain name or prefix -
@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
The email may be in a format which exploits a vulnerability in the MIME format of the email to cause attachments to automatically launch and execute. The virus searches inside files with these extensions for what is considered a valid email address -
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
The subject line is chosen at random from a table of possibilities; below is a partial list from the actual table -
Delivery Bot
Server Error
Deliver Mail
Delivery Failed
Unknown Exception
Failed
Failure
Status
Error
Delivered Message
Mail System
Mail Delivery System
Mail Delivery failure
Delivery
Delivery Failure
Delivery Error
The email body text is chosen at random from another table of possibilities and includes some of these -
Note: Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
The "From" field is forged, and the file attachment
will be a copy of the virus.
The attachment may be a Base64 encoded copy of the virus.
The virus stores Base64 copies of the virus onto the
infected system as these file names -
c:\WINNT\zipo0.txt - Base64 encoded copy of virus
c:\WINNT\zipo1.txt - Base64 encoded copy of virus
c:\WINNT\zipo2.txt - Base64 encoded copy of virus
c:\WINNT\zipo3.txt - Base64 encoded copy of virus
c:\WINNT\zippedbase64.tmp - Base64 encoded copy of the virus
The virus then attaches one of the .TMP files under a file name with a .SCR or .PIF extension. The attached file could also be a .ZIP file - the name is chosen from a table of possible names such as these -
data
mail
msg
message
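The subject, body and attachment-name tables above give a mail gateway three independent signals to triage on. The following is an added example, not code from the original page or from Fortinet: it parses a raw RFC 822 message with Python's standard `email` module and reports which Netsky.Q traits it carries, run over two constructed sample messages.

```python
import email
from email import policy

# Subject lines, attachment names/extensions and body phrases from this page's tables.
NETSKY_Q_SUBJECTS = {
    "delivery bot", "server error", "deliver mail", "delivery failed", "unknown exception",
    "failed", "failure", "status", "error", "delivered message", "mail system",
    "mail delivery system", "mail delivery failure", "delivery", "delivery failure", "delivery error",
}
NETSKY_Q_ATTACH_NAMES = {"data", "mail", "msg", "message"}
NETSKY_Q_ATTACH_EXTS = {"pif", "scr", "zip"}
NETSKY_Q_BODY_PHRASES = ("binary attachment", "has been attached", "mail delivery")

def netsky_q_indicators(raw: bytes) -> list:
    """Parse one raw RFC 822 message and list the Netsky.Q traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in NETSKY_Q_SUBJECTS:
        hits.append("subject-table")
    body = msg.get_body(preferencelist=("plain",))  # first text/plain part
    text = body.get_content().lower() if body else ""
    if any(p in text for p in NETSKY_Q_BODY_PHRASES):
        hits.append("body-table")
    for part in msg.iter_attachments():  # empty for single-part messages
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in NETSKY_Q_ATTACH_NAMES and ext in NETSKY_Q_ATTACH_EXTS:
            hits.append("attachment:" + name)
    return hits

# Constructed sample messages (not real captures): one worm-style, one benign.
SAMPLE_WORM_MAIL = b"""From: postmaster@example.com
To: user@example.com
Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Received message has been sent as a binary attachment.

--b1
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""
SAMPLE_CLEAN_MAIL = b"From: alice@example.com\nSubject: Lunch tomorrow?\n\nSee you at noon.\n"
```

A message that trips all three signals is a strong match; a lone subject hit such as "Error" or "Status" is too common to act on by itself, which is why the function returns the individual hits rather than a verdict.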
P2P/Cracks Website DoS Payload
The virus contains a DoS attack routine which targets
these web sites -
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st
The virus sends simple GET requests in rapid succession in an attempt to cause a DoS condition against each target.
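From the web server's side, the payload looks like one source repeating the same GET many times within a single second. As an added example (not code from the original page or from Fortinet), this Python function buckets GET requests from combined-format access log lines by source and one-second timestamp and reports sources whose peak rate reaches a threshold; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Combined-log-format line (Apache/nginx style); the timestamp has one-second
# resolution, which is the bucket GET requests are counted in.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) \S+ [^"]*" \d{3}')

def get_flood_sources(lines, threshold):
    """Return {ip: peak GETs in one second} for sources reaching the threshold.
    Requests other than GET and unparsable lines are ignored."""
    per_second = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "GET":
            per_second[(m.group(1), m.group(2))] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed access-log sample (not a real capture): one source repeating the
# same GET 40 times within a single second, one source browsing normally.
SAMPLE_ACCESS_LOG = (
    ['198.51.100.7 - - [10/Nov/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 512'] * 40
    + ['203.0.113.5 - - [10/Nov/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
       '203.0.113.5 - - [10/Nov/2020:12:00:02 +0000] "GET /style.css HTTP/1.1" 200 300',
       '203.0.113.5 - - [10/Nov/2020:12:00:02 +0000] "POST /login HTTP/1.1" 302 0']
)
```

The threshold depends on the site's normal per-client rate; a per-second bucket catches the burst pattern described here but will miss a slower, sustained flood, which needs a longer window.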
Bagle/MyDoom Virus Clean-up
This virus removes registry keys associated with the
W32/MyDoom and W32/Bagle viruses. The virus terminates
threads matching specific strings, and deletes keys
which are known to be related to the MyDoom and Bagle
family of viruses.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- This virus can be blocked by FortiGate; using the FortiGate manager, enable blocking of .EXE, .PIF, .SCR and .ZIP files using SMTP, POP3 and IMAP services
Version Updates
Date | Version | Detail
---|---|---
2020-11-10 | 81.73400 | Sig Updated
2020-10-20 | 81.23000 | Sig Updated
2020-10-13 | 81.06700 | Sig Updated
2020-09-02 | 80.07200 | Sig Updated
2020-08-21 | 79.78600 | Sig Updated
2020-08-21 | 79.78500 | Sig Updated
2020-08-21 | 79.78300 | Sig Updated
2020-08-20 | 79.77600 | Sig Updated
2020-08-20 | 79.77500 | Sig Updated
2020-08-20 | 79.77300 | Sig Updated