Discovered: March 28, 2006
Updated: March 29, 2006 6:54:22 AM
Also Known As: PE_DETNAT.A [Trend], PE_DETNAT.B [Trend], W32/Detnat.a [McAfee], Detnat.A [Panda Software]
Systems Affected: Windows

W32.Detnat is a virus that searches network shares and infects executable files. It also downloads and executes PWSteal.Lineage (MCID 4130) from predetermined Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version March 28, 2006
  • Latest Rapid Release version March 01, 2011 revision 037
  • Initial Daily Certified version March 28, 2006
  • Latest Daily Certified version March 02, 2011 revision 002
  • Initial Weekly Certified release date March 29, 2006


Writeup By: Kaoru Hayashi

Once executed, it creates the following file:
%System%\voot.sys

The virus then creates the following registry subkeys to register a service named "delphi":
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\delphi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delphi

The service uses rootkit technology to hide itself from the user.

The virus downloads files from the following Web sites:
http://www.yettz.com/media/image/re.wos
http://www.cinetown.co.kr/mpg/asx/mvp.wos
http://www.cinetown.co.kr/dacom/images/pop.wos

The virus then saves and executes the downloaded files as %System%\netrun[RANDOM NUMBER].exe. These files are variants of PWSteal.Lineage.

The virus drops the original host file in the %Temp% folder and executes it.

The virus then searches local drives and network shares for executable files and infects them.
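
The artifacts listed above can be turned into a triage check. The following is an added example, not part of the original writeup: it scans exported file listings, registry key listings and proxy log lines for the file names, service key and URLs named above. The sample lines, the mapping of %System% to a directory and the reading of [RANDOM NUMBER] as decimal digits are assumptions.

```python
import re

# Indicators come from the writeup above. Assumptions: %System% resolves to
# \Windows\System32, \WINNT\System32 or \Windows\System, and [RANDOM NUMBER]
# is one or more decimal digits.
SYSDIR = r"\\(?:windows|winnt)\\system(?:32)?\\"
END = r"(?=\s|$)"  # the file name must end here, so voot.sys.bak does not match
RULES = [
    ("dropped file voot.sys", re.compile(SYSDIR + r"voot\.sys" + END)),
    ("downloaded file netrun<N>.exe", re.compile(SYSDIR + r"netrun\d+\.exe" + END)),
    ("service key delphi", re.compile(
        r"\\system\\(?:currentcontrolset|controlset\d{3})\\services\\delphi(?=[\\\s]|$)")),
    ("download URL", re.compile(
        r"https?://www\.(?:yettz\.com/media/image/re\.wos"
        r"|cinetown\.co\.kr/mpg/asx/mvp\.wos"
        r"|cinetown\.co\.kr/dacom/images/pop\.wos)")),
]

def scan(lines):
    """Return (line_number, rule_name) for each artifact line matching an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        folded = line.strip().lower()  # Windows paths and registry keys are case-insensitive
        for name, pattern in RULES:
            if pattern.search(folded):
                hits.append((number, name))
    return hits

# Constructed sample input: file listing, registry export and proxy log lines.
SAMPLE = r"""
C:\WINDOWS\system32\voot.sys
C:\WINDOWS\system32\netrun4821.exe
C:\WINDOWS\system32\netrun.exe
C:\Program Files\Borland\Delphi7\Bin\delphi32.exe
HKLM\SYSTEM\ControlSet001\Services\delphi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delphi\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\delphi32
2006-03-28 10:02:11 10.0.0.5 GET http://www.cinetown.co.kr/mpg/asx/mvp.wos 200
2006-03-28 10:02:15 10.0.0.5 GET http://www.example.com/index.html 200
""".strip().splitlines()

if __name__ == "__main__":
    for number, name in scan(SAMPLE):
        print(f"line {number}: {name}: {SAMPLE[number - 1]}")
```

Because the service hides itself from the user, run the check over listings collected from outside the running system where possible.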
