
Virus Detail

Win32.Netmesser.A

Date Published:
1 Feb 2005

Last Updated:
23 Nov 2005

Threat Assessment

Overall Risk: Very Low
Wild: Low
Destructiveness: Medium
Pervasiveness: None

Characteristics

Type : Trojan

Category : Win32

Also known as:  AdClicker-BM (McAfee), TROJ_NETMESS.A (Trend), Win32/Netmesser.A!Trojan

Immediate Protection Info

Signature     Product
23.68.00      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8861     eTrust Antivirus v7/8* (Vet Engine)
6.1x/6002     eTrust EZ Antivirus 6.1x
6.2x/8861     eTrust EZ Antivirus 6.2x
6.3x/8861     eTrust EZ Antivirus 6.3x
6.4x/8861     eTrust EZ Antivirus 6.4x
7.x/8861      eTrust EZ Antivirus 7.x
10.6x/8861    Vet Anti-Virus 10.6x

Description

Win32.Netmesser is a family of trojans that overwrite the Internet settings associated with dial-up connections. CA has received reports of several variants from the wild, compressed with various packing utilities including UPX, FSG and PECompact, and ranging in size from 9,333 to 15,360 bytes.


Payload

Alters DNS Settings

On Windows XP systems, the trojan alters the file:

%AppData%\Microsoft\Network\Connections\Pbk\rasphone.pbk

by changing the following lines:

IpDnsAddress=<Altered DNS>
IpDns2Address=<Altered DNS>


It then enumerates the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters

checking for references to dial-up adapters. If any are found, the adapters' DNS servers are changed by altering the value 'NameServer' in the referenced key.


Note: %AppData% is a variable location and refers to the common folder that stores application-specific data. The malware determines the location of the current AppData folder by querying the operating system. A typical location for this folder is C:\Documents and Settings\username\Application Data


On Windows 98 systems the trojan makes the following registry modification:


HKLM\System\CurrentControlSet\Services\VxD\MSTCP\NameServer = <Altered DNS servers>


After the trojan has made the relevant operating-system-dependent changes, it runs the command:

"ipconfig /flushdns"

to ensure that the new settings take immediate effect, since any cached lookups from the previous DNS servers are discarded.


A Domain Name Server holds lists of domain names that map to matching IP addresses. When a user requests a particular domain, say, ca.com, the user's machine queries the DNS server, which returns the appropriate numerical IP address (in this example, say, 155.35.248.73). By redirecting user requests to a DNS server that contains false or incorrect mappings, an attacker can therefore send the user to other sites of the attacker's choice whenever the user requests a domain that is listed on that server. In practice, for example, even if a user types the URL of their Internet banking site into their browser, they could be redirected to a spoofed site with a completely different IP address and be unaware of the subterfuge. The altering of DNS servers may also allow the sites visited to be tracked.

Computer Associates has seen the following DNS server IPs used by these trojans in the wild:
69.50.166.94
69.50.188.180
69.31.80.244
195.225.176.31
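As an added defender's check, not part of CA's advisory: a Python script that parses a rasphone.pbk phonebook (an INI-style file of [Entry] sections) and flags IpDnsAddress / IpDns2Address values that match the DNS servers listed above or fall outside an administrator's expected resolvers. The sample phonebook content and the EXPECTED_DNS allowlist are constructed for the example.

```python
import configparser

# DNS servers this advisory reports as used by Netmesser in the wild.
KNOWN_NETMESSER_DNS = {
    "69.50.166.94", "69.50.188.180", "69.31.80.244", "195.225.176.31",
}

# Hypothetical allowlist of resolvers an administrator expects to see in
# the phonebook; 0.0.0.0 is the RAS value for "assigned by the server".
EXPECTED_DNS = {"0.0.0.0", "10.0.0.53"}

# Constructed sample phonebook: one clean entry and one altered entry.
SAMPLE_PBK = """\
[Office VPN]
MEDIA=rastapi
Port=VPN2-0
IpDnsAddress=10.0.0.53
IpDns2Address=0.0.0.0

[Home Dialup]
MEDIA=serial
IpDnsAddress=69.50.166.94
IpDns2Address=195.225.176.31
"""


def parse_phonebook(text):
    """Return {entry name: [IpDnsAddress, IpDns2Address values]}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    return {
        section: [v for k, v in parser[section].items()
                  if k in ("IpDnsAddress", "IpDns2Address")]
        for section in parser.sections()
    }


def audit_phonebook(text, expected=EXPECTED_DNS, known_bad=KNOWN_NETMESSER_DNS):
    """Return (entry, address, reason) findings for suspicious DNS values."""
    findings = []
    for entry, addresses in parse_phonebook(text).items():
        for addr in addresses:
            if addr in known_bad:
                findings.append((entry, addr, "known Netmesser DNS server"))
            elif addr not in expected:
                findings.append((entry, addr, "unexpected DNS server"))
    return findings
```

Run it against the real phonebook by reading %AppData%\Microsoft\Network\Connections\Pbk\rasphone.pbk into audit_phonebook; an empty result means every dial-up entry still points at an expected resolver.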


Analysis by Matt McCormack


