Everhart,Glenn
From: Keith Ray [Keith-Ray@TAMU.EDU]
Sent: Tuesday, February 10, 1998 12:16 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Virus Alert: Win32 "NET.666" VIRUS

INFECTION REPORT ON Win32 "NET.666" VIRUS
by Keith Ray and Anthony Peluso

This text, and the associated files, can be found at
http://nonlethal.ml.org/net.666/

*DISCOVERY:

Initially discovered and analyzed 2/8/98 by Keith Ray and Anthony Peluso.

The "NET.666" virus was found, in the wild, as an infected copy of Netscape
Navigator (standalone) 4.04 for Windows 95 (128bit Encrypt); however, it is
most likely that this is not the root source. This is an especially unusual
virus because it is Win32 based and specifically targets Windows 95 and
Windows NT machines.

*OBSERVED SYMPTOMS

1) Inability to close Windows 95/NT properly because of a process called
6.666. If the user calls up a process list with CTRL-ALT-DEL, he/she will
see one of three processes running: Winipx, Winipxa, or Winsrvc. These are
activated by the virus and are the cause of the hang.

2) Inability to open text files associated with Notepad from Explorer.
Instead, a blank template of a text file is opened. This is caused by the
virus replacing NOTEPAD.EXE with an infected copy. The original Notepad is
backed up to NOTEPADX.EXE. The infected copy of NOTEPAD will drop and
activate copies of WINIPX.EXE in its current directory (usually
C:\WINDOWS).

3) The appearance of WINIPX.EXE, WINIPXA.EXE and WINSRVC.EXE in the Windows
directory. These are the files responsible for the incomplete shutdowns
and possible Explorer crashes associated with this virus. They run as
normal processes and can be shut down with End Task from a normal process
list, but they are all 59,904 bytes long and will re-activate each other
as they are shut down. They are identifiable by their seemingly damaged
small Notepad icons, which are grey and green instead of blue and black.
NOTE: the large icon will appear to be a normal Notepad icon.

4) The appearance of the backup file NOTEPADX.EXE in the Windows directory
(as discussed above). This is a working backup of NOTEPAD.EXE, created as
NOTEPAD.EXE is replaced. The replacement is a virus-infected file of size
94,308 bytes. Comparing it with the actual Notepad program shows that it
has been infected by one of the files above: the difference in size is
60,004 bytes (100 bytes more than WINIPX.EXE). The new NOTEPAD.EXE is also
identifiable by the modified small Notepad icon.

5) The appearance of EXPLORE.EXE in the WINDOWS/START MENU/PROGRAMS/STARTUP
directory. This appeared later, after many attacks. It is also
identifiable by the modified Notepad icon and by its file size (59,904
bytes). This is used to ensure that some version of the virus is loaded
at all times.

6) The appearance of the Registry keys listed below.

   In Win95:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   WINIPX "C:\WINDOWS\WINIPX.EXE"

   In WinNT:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Shell = Explorer.exe,WINIPX.EXE

7) Difficulty in installation. During the installation of some programs,
they are infected with the virus, and when run they hang, drop WINIPX.EXE
into the Windows directory, and modify the keys listed above.

8) An open listening socket on port 531. It is unknown at this time why
it opens a socket on port 531, and it happens rarely. When a telnet
session was opened to it, the program closed the socket. This could be
used to transmit passwords or other information to a currently unknown
Internet address. A log of this can be found at
http://nonlethal.ml.org/net.666/virsock.txt

*RECOMMENDATIONS FOR AVOIDANCE AND REMOVAL

NORMAL VIRUS SCANNERS WILL NOT DETECT THIS VIRUS. It uses calls
associated mostly with batch files and normal day-to-day operation.
Neither Norton nor McAfee, with their latest definition files, could find
it.

The initial copy of Netscape that was infected had a Notepad icon instead
of the usual one. This was at first thought to be an error in Explorer.
A good way to avoid this virus is to make sure you never install
executables with such icons.

To remove this virus, you must delete the infected files, the virus
files, and the Registry keys associated with the virus:

1) Go to Find Files on the Start menu and use Advanced search. Set the
search to look for all files above 58k containing the string WINIPX. A
few files may appear, including the virus files listed above.

2) The best thing to do is just delete them, and check whether they were
backed up in the same format as Notepad was above (ShellIconCache is
deletable).

3) Then, using Regedit, search on WINIPX and delete that entry.

4) Restarting the computer should complete the cleaning.

---------------------------------------------------------
By Keith Ray (keith-ray@tamu.edu) and Anthony Peluso (deviant@tamu.edu)
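Symptoms 3) to 8) and the removal steps amount to a short indicator list, and the report itself says the running copies restart each other, so a responder would rather check evidence collected from outside the infected session than trust Explorer on the live machine. The script below is an added example, not part of the original report or of the authors' files at the URL above. It checks three inputs for the report's indicators: a directory tree (names, sizes and the "above 58k containing WINIPX" query), a regedit export (.reg text, as produced by Regedit's Export on Win95 or NT) and the text of "netstat -an" for a listener on TCP 531. The file names, sizes, Registry keys and port number come from the report; the function names, the constructed sample drive tree, the sample .reg text and the sample netstat lines are assumptions made for this example. One check goes slightly beyond the report: it flags any Winlogon Shell value other than plain Explorer.exe, not only one that names WINIPX.

```python
import os
import re
import tempfile

# Indicators taken from the report; the function names and sample data below
# are constructed for this example.
DROPPER_NAMES = {"WINIPX.EXE", "WINIPXA.EXE", "WINSRVC.EXE", "EXPLORE.EXE"}
DROPPER_SIZE = 59_904            # size of each dropped copy
INFECTED_NOTEPAD_SIZE = 94_308   # size of the replaced NOTEPAD.EXE
MIN_SIZE = 58 * 1024             # the report's "above 58k" Find Files query
MARKER = b"WINIPX"               # string the report says to search for
LISTEN_PORT = 531                # unexplained listener seen in the report


def _contains(path, marker, chunk=1 << 20):
    """True if marker occurs anywhere in the file (chunked read with overlap)."""
    keep, tail = len(marker) - 1, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if marker in tail + block:
                return True
            tail = block[-keep:] if keep else b""
    return False


def scan_tree(root):
    """Sorted (posix-style relative path, reason) pairs for suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            size, upper = os.path.getsize(path), name.upper()
            if upper in DROPPER_NAMES and size == DROPPER_SIZE:
                hits.append((rel, "dropped virus copy (name and size match)"))
            elif upper == "NOTEPAD.EXE" and size == INFECTED_NOTEPAD_SIZE:
                hits.append((rel, "infected NOTEPAD.EXE (size match)"))
            elif upper == "NOTEPADX.EXE":
                hits.append((rel, "backup of the original Notepad left by the virus"))
            elif size >= MIN_SIZE and _contains(path, MARKER):
                hits.append((rel, "over 58k and contains WINIPX: possibly infected host"))
    return sorted(hits)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]*)"=(?:"(.*)"|(.+))$')


def check_reg_export(text):
    """(key, name, data, reason) for persistence entries in a regedit export.
    Flags any value naming WINIPX (the report's Regedit search) and, more
    generally, a Winlogon Shell value that is not plain Explorer.exe."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := _VAL_RE.match(line)):
            name = m.group(1)
            data = (m.group(2) if m.group(2) is not None else m.group(3)).replace("\\\\", "\\")
            if "WINIPX" in (name + data).upper():
                hits.append((key, name, data, "references WINIPX"))
            elif (key.upper().endswith("\\WINLOGON") and name.upper() == "SHELL"
                  and data.strip().lower() != "explorer.exe"):
                hits.append((key, name, data, "Winlogon Shell is not plain Explorer.exe"))
    return hits


_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def listening_ports(netstat_text):
    """Sorted TCP ports in LISTENING state, parsed from 'netstat -an' output."""
    return sorted({int(m.group(1)) for m in map(_LISTEN_RE.match, netstat_text.splitlines()) if m})


def build_demo_tree():
    """Constructed sample: a temporary fake drive tree carrying the report's artifacts."""
    root = tempfile.mkdtemp(prefix="net666_")
    os.makedirs(os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp"))
    os.makedirs(os.path.join(root, "TEMP"))

    def put(rel, size, head):  # file of exactly `size` bytes starting with `head`
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(head + b"\0" * (size - len(head)))

    put("WINDOWS/WINIPX.EXE", DROPPER_SIZE, b"MZ" + MARKER)
    put("WINDOWS/NOTEPAD.EXE", INFECTED_NOTEPAD_SIZE, b"MZ" + MARKER)
    put("WINDOWS/NOTEPADX.EXE", 94_308 - 60_004, b"MZ")   # original size implied by the report
    put("WINDOWS/Start Menu/Programs/StartUp/EXPLORE.EXE", DROPPER_SIZE, b"MZ" + MARKER)
    put("TEMP/SETUP.EXE", 70_000, b"MZ" + b"\0" * 4096 + MARKER)   # infected installer
    put("WINDOWS/CALC.EXE", 60_000, b"MZ")                          # large but clean
    return root


SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINIPX"="C:\\WINDOWS\\WINIPX.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,WINIPX.EXE"
'''

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:531            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       198.51.100.7:80        ESTABLISHED
"""

if __name__ == "__main__":
    for rel, why in scan_tree(build_demo_tree()):
        print(f"FILE {rel}: {why}")
    for key, name, data, why in check_reg_export(SAMPLE_REG):
        print(f"REG  [{key}] {name}={data}: {why}")
    print("PORT 531 listening:", LISTEN_PORT in listening_ports(SAMPLE_NETSTAT))
```

The sizes are whatever the authors measured on their samples, so a size mismatch does not clear a file; the name and string checks still apply. Run scan_tree against the drive from a clean boot or with the disk mounted elsewhere, for the reason the report gives: the copies re-activate each other while the infected system is up.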