# W32/[email protected]!zip Virus



## AppleDude

Looks like Netsky is lurking about again. I received several e-mails today with the W32/[email protected]!zip Virus(es) in them. Fortunately my McAfee Virus Scan picked them up! It's the anniversary of the virus, so somebody must be celebrating!


----------



## norin

And what exactly does this virus do to a computer? And for those of us who use AVG, will it pick up on this?


----------



## AppleDude

A new variant of W32/[email protected] spreads through email like its predecessors. The main component is 29,568 bytes long, FSG packed.

When run, the worm copies itself to the Windows directory as:

- FVProtect.exe

It creates the following files in the same directory:

- userconfig9x.dll (26,624)
- base64.tmp (UUEncoded worm)
- zip1.tmp (UUEncoded worm zip archive)
- zip2.tmp (UUEncoded worm zip archive)
- zip3.tmp (UUEncoded worm zip archive)
- zipped.tmp (worm in zip archive)

The three zip archives differ in their binary content.

The following registry keys are created:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

where %WinDir% is the Windows directory.

### Mail Propagation

The worm sends mails using SMTP. Email sent has the following characteristics:

From: (forged address taken from infected system)

Subject: (taken from the following list)

- Stolen document
- Re:Hello
- Mail Delivery ( failure sender address )
- Private document
- Re:Notify
- Re:document
- Re:Extended Mail System
- Reroctected Mail System
- Re:Question
- Private document
- Postcard

Body: (taken from the following list)

- I found this document about you.
- I have attached it to this mail.
- Waiting for authentification.
- Please confirm!
- Protected message is available
- Do not visit this illegal websites!
- Here is my phone number.
- I cannot believe that.
- Your file is attached.
- For further details see that attachment.
- Congratulations!, your best friend.
- Greetings from france, your friend.
- If the message will not displayed automatically, follow the link to read the delivered message. Received message is available at: (forged web link.)

The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (version 5.01 or 5.5 without SP2) to automatically execute the virus on vulnerable systems.

Attachment: (one of the following)

- websites(random number).zip
- document(random number).zip
- your_document.zip
- part(random number).zip
- message.doc.scr
- message.zip
- document.zip
- old_photos.txt.pif
- postcard_.(random number)..zip
- details(random number).zip

where the .zip file is the worm in a zip archive.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

- .xml
- .wsh
- .jsp
- .msg
- .oft
- .sht
- .dbx
- .tbb
- .adb
- .dhtm
- .cgi
- .shtm
- .uin
- .rtf
- .vbs
- .doc
- .wab
- .asp
- .php
- .txt
- .eml
- .html
- .htm
- .pl

The virus sends itself via SMTP, constructing messages using its own SMTP engine. It queries the DNS server for the MX record, connects directly to the MTA of the targeted domain and sends the message.

The virus will not mail itself to email addresses containing the following strings:

- [email protected]
- [email protected]
- [email protected]
- @viruslis
- ntivir
- @sophos
- @freeav
- @pandasof
- @skynet
- @messagel
- [email protected]
- @fbi
- @norton
- @f-pro
- @kaspersky
- @mcafee
- @norman
- @bitdefender
- @f-secur
- @avp
- @spam
- @symantec
- @antivi
- @microsof

### P2P Propagation

The worm searches directories with the following strings:

- shared files
- kazaa
- mule
- donkey
- morpheus
- lime
- bear
- icq
- shar
- upload
- http
- htdocs
- ftp
- download
- my shared folder

It copies itself to these directories using the following file names:

- 1001 Sex and more.rtf.exe
- 3D Studio Max 6 3dsmax.exe
- ACDSee 10.exe
- Adobe Photoshop 10 crack.exe
- Adobe Photoshop 10 full.exe
- Adobe Premiere 10.exe
- Ahead Nero 8.exe
- Altkins Diet.doc.exe
- American Idol.doc.exe
- Arnold Schwarzenegger.jpg.exe
- Best Matrix Screensaver new.scr
- Britney sex xxx.jpg.exe
- Britney Spears and Eminem porn.jpg.exe
- Britney Spears blowjob.jpg.exe
- Britney Spears cumshot.jpg.exe
- Britney Spears ****.jpg.exe
- Britney Spears full album.mp3.exe
- Britney Spears porn.jpg.exe
- Britney Spears Sexy archive.doc.exe
- Britney Spears Song text archive.doc.exe
- Britney Spears.jpg.exe
- Britney Spears.mp3.exe
- Clone DVD 6.exe
- Cloning.doc.exe
- Cracks & Warez Archiv.exe
- Dark Angels new.pif
- Dictionary English 2004 - France.doc.exe
- DivX 8.0 final.exe
- Doom 3 release 2.exe
- E-Book Archive2.rtf.exe
- Eminem blowjob.jpg.exe
- Eminem full album.mp3.exe
- Eminem Poster.jpg.exe
- Eminem sex xxx.jpg.exe
- Eminem Sexy archive.doc.exe
- Eminem Song text archive.doc.exe
- Eminem Spears porn.jpg.exe
- Eminem.mp3.exe
- Full album all.mp3.pif
- Gimp 1.8 Full with Key.exe
- Harry Potter 1-6 book.txt.exe
- Harry Potter 5.mpg.exe
- Harry Potter all e.book.doc.exe
- Harry Potter e book.doc.exe
- Harry Potter game.exe
- Harry Potter.doc.exe
- How to hack new.doc.exe
- Internet Explorer 9 setup.exe
- Kazaa Lite 4.0 new.exe
- Kazaa new.exe
- Keygen 4 all new.exe
- Learn Programming 2004.doc.exe
- Lightwave 9 Update.exe
- Magix Video Deluxe 5 beta.exe
- Matrix.mpg.exe
- Microsoft Office 2003 Crack best.exe
- Microsoft WinXP Crack full.exe
- MS Service Pack 6.exe
- netsky source code.scr
- Norton Antivirus 2005 beta.exe
- Opera 11.exe
- Partitionsmagic 10 beta.exe
- Porno Screensaver britney.scr
- RFC compilation.doc.exe
- Ringtones.doc.exe
- Ringtones.mp3.exe
- Saddam Hussein.jpg.exe
- Screensaver2.scr
- Serials edition.txt.exe
- Smashing the stack full.rtf.exe
- Star Office 9.exe
- Teen Porn 15.jpg.pif
- The Sims 4 beta.exe
- Ulead Keygen 2004.exe
- Visual Studio Net Crack all.exe
- Win Longhorn re.exe
- WinAmp 13 full.exe
- Windows 2000 Sourcecode.doc.exe
- Windows 2003 crack.exe
- Windows XP crack.exe
- WinXP eBook newest.doc.exe
- XXX hardcore pics.jpg.exe



### Symptoms

Existence of the registry key and files mentioned above.

### Method Of Infection

The worm spreads by SMTP mail and P2P network.

### Removal Instructions

All Users

Use the specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Stinger

Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

1. Terminate the FVPROTECT.EXE process using Windows Task Manager.
2. Delete the following files from your Windows directory (typically c:\windows or c:\winnt):
   - FVPROTECT.EXE
   - USERCONFIG9X.DLL
   - BASE64.TMP
   - ZIP1.TMP
   - ZIP2.TMP
   - ZIP3.TMP
   - ZIPPED.TMP
3. Delete the many copies of the worm dropped on the victim machine, with the enticing filenames as described above.
4. Edit the registry: delete the "Norton Antivirus AV" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Reboot the system.

Additional Windows ME/XP removal considerations

McAfee ThreatScan

ThreatScan signatures that can detect the W32/[email protected] virus are available from:

- ThreatScan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
- ThreatScan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-03-22

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

- Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
- or
- Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

- Run the "ThreatScan Template Report"
- Look for module number #4066

Sniffer Distributed, Sniffer Portable and Netasyst Capture Recommendation:

Due to the changing offset for Subject, Mail From, and attachments in the emails sent by this virus, and as it is not a network-aware worm, we cannot create a Sniffer filter for this virus.

Recommendation:

- Create a capture profile that captures only SMTP traffic.
- Analyze the traffic for Subject, Mail To, and Attachments in the Decode mentioned in http://vil.nai.com/vil/content/v_101119.htm to identify whether a virus is propagating from specific IPs.

### Aliases

- [email protected] (Symantec)
- WORM_NETSKY.P (Trend)
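The mail-propagation section above gives everything a mail administrator needs to triage a suspect message: the fixed subject lines, the body fragments, the attachment name patterns, and the fact that the worm leaned on a MIME-header mismatch to get Internet Explorer to run the attachment. The following script is an added example, not part of the forum post or of McAfee's write-up. It uses only Python's standard `email` package; the indicator lists are copied from the description, and the two sample messages at the bottom are constructed for illustration (their attachment bytes are placeholders, not worm samples). The double-extension and content-type checks are generic and also flag attachments that are not in the Netsky.P name list.

```python
"""Triage an RFC 822 message against the Netsky.P indicators listed above.

Added example (not part of the forum thread or McAfee's description). The
indicator lists are copied from the description; the sample messages are
constructed for illustration and are not real captures.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Fixed subject lines from the description (compared case-insensitively).
NETSKY_SUBJECTS = {s.lower() for s in (
    "Stolen document", "Re:Hello", "Private document", "Re:Notify",
    "Re:document", "Re:Extended Mail System", "Re:Question", "Postcard",
)}
# "Mail Delivery ( failure sender address )" carries a variable address.
MAIL_DELIVERY_SUBJECT = re.compile(r"^mail delivery \(\s*failure .*\)$", re.I)

# Body fragments from the description.
NETSKY_BODY_PHRASES = (
    "I found this document about you.", "I have attached it to this mail.",
    "Waiting for authentification.", "Please confirm!",
    "Protected message is available", "Do not visit this illegal websites!",
    "Here is my phone number.", "I cannot believe that.",
    "Your file is attached.", "For further details see that attachment.",
    "Congratulations!, your best friend.", "Greetings from france, your friend.",
)

# Attachment names from the description; "(random number)" becomes \d+.
NETSKY_ATTACHMENTS = [re.compile(p, re.I) for p in (
    r"^(websites|document|part|details)\d+\.zip$",
    r"^your_document\.zip$", r"^message\.doc\.scr$", r"^message\.zip$",
    r"^document\.zip$", r"^old_photos\.txt\.pif$", r"^postcard_\.\d+\.\.zip$",
)]

# Extensions Windows executes; used by the generic checks below.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def triage_message(raw: bytes) -> list:
    """Return the list of indicator hits for one raw message (empty = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() in NETSKY_SUBJECTS or MAIL_DELIVERY_SUBJECT.match(subject):
        hits.append(f"subject matches Netsky.P list: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    for phrase in NETSKY_BODY_PHRASES:
        if phrase.lower() in body:
            hits.append(f"body contains Netsky.P phrase: {phrase!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lowered = name.lower()
        ctype = part.get_content_type()
        if any(p.match(name) for p in NETSKY_ATTACHMENTS):
            hits.append(f"attachment name matches Netsky.P list: {name!r}")
        if lowered.endswith(EXEC_EXTENSIONS) and lowered.count(".") >= 2:
            hits.append(f"double extension hides an executable: {name!r}")
        # The IE MIME-header bug the worm abused relied on a part whose declared
        # Content-Type (for example audio/x-wav) disagreed with its executable name.
        if lowered.endswith(EXEC_EXTENSIONS) and not ctype.startswith("application/"):
            hits.append(f"content type {ctype!r} disagrees with executable name {name!r}")
    return hits


def build_message(subject, body, filename, maintype, subtype, payload):
    """Assemble a multipart message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def sample_netsky_message() -> bytes:
    """Message shaped like the description; the payload is a placeholder, not the worm."""
    return build_message("Re:document",
                         "I found this document about you.\nI have attached it to this mail.\n",
                         "message.doc.scr", "audio", "x-wav", b"placeholder-not-a-sample")


def sample_clean_message() -> bytes:
    """Ordinary business mail with a PDF attachment, for comparison."""
    return build_message("Quarterly report", "Hi Bob, the numbers are attached.\n",
                         "report.pdf", "application", "pdf", b"%PDF-1.4 placeholder")


if __name__ == "__main__":
    for label, raw in (("netsky-shaped", sample_netsky_message()),
                       ("clean", sample_clean_message())):
        print(label, triage_message(raw) or "no hits")
```

Feed `triage_message` the raw bytes of a `.eml` file pulled from a mail gateway quarantine; a single hit on the subject or body list is worth a look, while the double-extension and content-type checks are the ones that still apply to later worms using the same tricks.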


----------



## norin

From what I gather, it looks like it makes the registry think that Norton Antivirus's target file is the FVPROTECT file name, therefore it starts up when Windows does, and therefore begins again.

How easy is this to spot? And if one is indeed infected, how will they know, say if they do not have this info which you have provided? Will the AV program, as updated as it can be, find this?


----------



## AppleDude

Since I use McAfee's On-line Virus Scan, the virus got picked up before it ever hit my PC by McAfee and quarantined. I use McAfee because their updates are automatic and I have never picked up a virus in over 2 years. If your AV program is updated automatically, it should pick it up and you should have nothing to worry about. This type of virus is one reason why I do not use nor recommend Norton Anti-Virus. It has too many shortcomings. If you follow the posted info from my earlier post, you can check in several places to see if you may have the virus, or run Hijack if you have it. Post your results to the Hijack section of the forum and have one of the guys check it out for you. I am no Hijack expert, so I would not attempt to analyze it for you. Since I have never had a virus, trojan, ad-ware, or spyware, I have had no call to use it. For this type of protection, I use:

- McAfee Virus Scan
- McAfee Firewall (including Linksys router firewall and Direcway 6000 firewall)
- Spybot
- Spy Sweeper
- Spyware Blaster

These have served me well as they have all been kept up to date.


----------



## norin

The only thing I am worried about is I don't use AOL or SMTP for email. I use Yahoo and Hackernetwork; both have their own virus apps, I believe. At least it uses it for uploads; I am not sure if they scan incoming files. I believe Hackernetwork does.


----------

