Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:27.648 Bytes
MD5 checksum:301b39b3e6aafb7cae5a9d84e1c78cf6

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Netsky.k
   •  Sophos: W32/Netsky-K
   •  Panda: W32/Netsky.K.worm
   •  Eset: Win32/Netsky.K
   •  Bitdefender: Win32.Generic.495186


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\avpguard.exe

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "My AV"="%WINDIR%\avpguard.exe -av serv"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Hi %username from receiver's email address%, your product;
      Hello %username from receiver's email address%, your letter;
      Re: Hi %username from receiver's email address%, your archive;
      Re: %username from receiver's email address%, your text; Re:
      Hello %username from receiver's email address%, your bill; Re:
      Hi %username from receiver's email address%, your details; Re:
      Hello %username from receiver's email address%, my details; Re:
      Hi %username from receiver's email address%, your word file;
      Re: Hello %username from receiver's email address%, your excel
      file; Re: Hi %username from receiver's email address%, details;
      Re: Hello %username from receiver's email address%, Approved;
      Re: Hello %username from receiver's email address%, your
      software; Re: Hi %username from receiver's email address%, your
      music; Re: Dear %username from receiver's email address%, Here;
      Re: Re: Re: Hello %username from receiver's email address%,
      your document; Re: Hi %username from receiver's email address%;
      Re: Dear %username from receiver's email address%, Hi; Re: Re:
      Hi %username from receiver's email address%, your message; Re:
      Here %username from receiver's email address%, your picture;
      Re: Hi %username from receiver's email address%, here is the
      document; Re: Hello %username from receiver's email address%,
      your document; Re: %username from receiver's email address%,
      thanks!; Re: Re: %username from receiver's email address%,
      thanks!; Re: Re: Hi %username from receiver's email address%,
      document; Re: Hello %username from receiver's email address%,
      document; www.%character string%.freepage.com, your website; Na
      %username from receiver's email address%; Best %username
      from receiver's email address%; Love %username from receiver's
      email address%; Good morning %username from receiver's email
      address%; Have a good day %username from receiver's email
      address%; Dear %username from receiver's email address%; To
      %username from receiver's email address% , it's me; Welcome
      %username from receiver's email address%; Moin %username
      from receiver's email address%; Hello %username from receiver's
      email address%; Your account %username from receiver's email
      address% is expired!; Hey %username from receiver's email
      address%; Hi %username from receiver's email address%; Hi
      Mr. %username from receiver's email address%; Moi %username
      from receiver's email address%; He %username from receiver's
      email address%; Yours faithfully, %username from receiver's
      email address%; Message to %username from receiver's email
      address%; Hi Mrs. %username from receiver's email address%;
      Is %username from receiver's email address%.doc yours?; Is
      %username from receiver's email address%.xls yours?; Whats up
      %username from receiver's email address%; Hi; Your product;
      Your letter; Re: corrected homework; Re: I've found your document; Re:
      Your bill; Re: hello again; Re: hi again; Re: part 3; Re: important
      document part 2; Re: important; Re: Your data; Re: Your application;
      Re: your music; Re: excel document; Re: Re: Re: word document; Re:
      Your details; Re: My details; Re: Your requested file; Re: Read it
      immediately; Re: Approved; Re: Your software; Re: my memberlist; Re:
      Your document; Re: Your file; Re: Your important document

The body of the email is one of the lines:
   • My details are in the attached file.
   • I have corrected your document.
   • Please do not forget to read the important document.
   • I have an interesting document about you.
   • The sample is attached.
   • Your personal document is attached.
   • Your file is attached to this mail.
   • Note that I have attached your file.
   • The important document is attached.
   • Please read the document. It's important.
   • Your document is attached to this mail.
   • See the attachment for further details.
   • Your file is attached. Use this password for the file: %character string%.
   • Please read the attached file. Password for the file is %character string%.
   • Please have a look at the attached file. Password for decrypting is %character string%.
   • See the attached file for details. Password is %character string%.
   • Here is the file. My password is %character string%.
   • Your document is attached. Your password is %character string%.


Attachment:
The filename of the attachment is one of the following:
   • website_%character string%.pif; your_product_%character
      string%.pif; letter_%character string%.pif;
      archive%character string%.pif; your_text%character
      string%.pif; bill_%character string%.pif;
      your_details%character string%.pif; %character
      string%_details.pif; %character string%_document_word.pif;
      %character string%_document_excel.pif; %character
      string%_my_details.pif; %character
      string%_all_document.pif; %character
      string%_application.pif; mp3music_%character string%.pif;
      yours%character string%.pif; document_%character
      string%4351.pif; %character string%_picture.pif;
      %character string%_file.pif; %character
      string%_message_details.pif; yourpicture%character
      string%.pif; %character string%_document_full.pif;
      %character string%_your_message_part2.pif; %character
      string%information.pif; %character string%document.pif;
      %character string%_your_document.pif

The attachment is a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • .xml; .wsh; .jsp; .dhtm; .cgi; .shtm; .msg; .oft; .sht; .dbx; .tbb;
      .adb; .doc; .wab; .asp; .uin; .rtf; .vbs; .html; .htm; .pl; .php;
      .txt; .eml

 Miscellaneous String:
Furthermore it contains the following strings:
   • Please remove the file avpguard.exe from your Windows-Directory and do not open attachments anymore. It can be a virus like bagle and mydoom or similar malicios code. This is the Skynet-Antivirus!
   • SkyNet has the full control of your system now

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, March 5, 2010
Description updated by Petre Galan on Monday, March 8, 2010

Back . . . .