W32.Netsky.AN@mm is a mass-mailing worm which also spreads through shared network folders.
When W32.Netsky.AN@mm is executed, it performs the following actions:
1. Copies itself as the following file:
%Windir%\McAffeAv.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. Creates the following mutex so that only one instance of the worm runs on the compromised computer:
-=VXBRASIL=-SAMPA-2005!
3. Adds the value:
"McAfee" = "%Windir%\McAffeAv.exe -AntViru"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
4. Deletes the following registry values to prevent other risks or threats from running on the compromised computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Taskmon"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Taskmon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Explorer"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KasperskyAv"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KasperskyAv"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"system."
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msgsvr32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"DELETE ME"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"d3dupdate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"au.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"OLE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sentry"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Services Host"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Services Host"
5. Deletes the following registry subkeys to prevent other risks or threats from running on the compromised computer:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
6. Searches drives C through Y and copies itself, under the following file names, into every folder on those drives whose name contains the string "shar":
* 1000 Sex and more.rtf.exe
* 3D Studio Max 3dsmax.exe
* ACDSee 9.exe
* Adobe Photoshop 9 full.exe
* Adobe Premiere 9.exe
* Ahead Nero 7.exe
* Best Matrix Screensaver.scr
* Clone DVD 5.exe
* Cracks & Warez Archive.exe
* Dark Angels.pif
* Dictionary English - France.doc.exe
* DivX 7.0 final.exe
* Doom 3 Beta.exe
* E-Book Archive.rtf.exe
* Full album.mp3.pif
* Gimp 1.5 Full with Key.exe
* How to hack.doc.exe
* IE58.1 full setup.exe
* Keygen 4 all appz.exe
* Learn Programming.doc.exe
* Lightwave SE Update.exe
* Magix Video Deluxe 4.exe
* Microsoft Office 2003 Crack.exe
* Microsoft WinXP Crack.exe
* MS Service Pack 5.exe
* Norton Antivirus 2004.exe
* Opera.exe
* Partitionsmagic 9.0.exe
* Porno Screensaver.scr
* RFC Basics Full Edition.doc.exe
* Screensaver.scr
* Serials.txt.exe
* Smashing the stack.rtf.exe
* Star Office 8.exe
* Teen Porn 16.jpg.pif
* The Sims 3 crack.exe
* Ulead Keygen.exe
* Virii Sourcecode.scr
* Visual Studio Net Crack.exe
* Win Longhorn Beta.exe
* WinAmp 12 full.exe
* Windows Sourcecode.doc.exe
* WinXP eBook.doc.exe
* XXX hardcore pic.jpg.exe
7. Gathers email addresses from files with the following extensions, found on drives C through Y, excluding CD-ROM drives:
* .adb
* .asp
* .cgi
* .dbx
* .dhtm
* .doc
* .eml
* .htm
* .html
* .msg
* .oft
* .php
* .pl
* .rtf
* .sht
* .shtm
* .tbb
* .txt
* .uin
* .vbs
* .wab
8. Queries the local DNS server, or any server in a hard-coded list of DNS servers, for yahoo.com. When the worm obtains an answer for yahoo.com, it uses that domain's mail server as the SMTP server for its own messages.
9. Sends a copy of itself as an email attachment to the email addresses gathered.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.an@mm.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"McAfee" = "%Windir%\McAffeAv.exe -AntViru"
6. Exit the Registry Editor.
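The three host indicators from steps 1 to 3 above (the dropped file, the "McAfee" Run value and the mutex) can be checked from PowerShell before and after the manual removal steps. The script below is an added example, not part of the Symantec write-up or its removal tool; it only reads, and it assumes the mutex lives in the local session namespace (no "Global\" prefix), so it must run in the session where the worm would have started.

```powershell
# Added example: read-only check for the W32.Netsky.AN@mm indicators listed in the write-up.
# Run from an elevated PowerShell; nothing is modified or deleted.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropped = Join-Path $env:WINDIR 'McAffeAv.exe'       # step 1: %Windir%\McAffeAv.exe
$mutex   = '-=VXBRASIL=-SAMPA-2005!'                   # step 2: infection mutex
$findings = @()

# Step 3: persistence value "McAfee" whose data points at McAffeAv.exe.
# The misspelled file name is what distinguishes it from a legitimate McAfee entry.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['McAfee'] -and $run.McAfee -match 'McAffeAv\.exe') {
    $findings += "Run value 'McAfee' = $($run.McAfee)"
}

# Step 1: dropped copy in the Windows folder; record its hash for the incident notes.
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# Step 2: the mutex only exists while a worm process is running.
# Assumption: local (session) namespace, as a plain CreateMutex name without "Global\".
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutex)
    $m.Dispose()
    $findings += "Mutex '$mutex' exists: a worm instance is running"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: no running instance in this session.
} catch [System.UnauthorizedAccessException] {
    # Exists but this token cannot open it: still evidence of a running instance.
    $findings += "Mutex '$mutex' exists (access denied when opening)"
}

if ($findings.Count -eq 0) {
    'No W32.Netsky.AN@mm indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Rerunning the script after the registry value has been deleted and the file removed should report no indicators; a surviving mutex means the running process still has to be ended.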