Aliases

Email-Worm.Win32.NetSky.b (Kaspersky Lab) is also known as: I-Worm.NetSky.b (Kaspersky Lab), W32/Netsky.b@MM (McAfee),   W32.Netsky.gen@mm (Symantec),   Win32.HLLM.Netsky.based (Doctor Web),   W32/Netsky-B (Sophos),   Win32/Netsky.B@mm (RAV),   WORM_NETSKY.GEN (Trend Micro),   Worm/NetSky.B.2 (H+BEDV),   W32/Netsky.B@mm (FRISK),   Win32:Netsky-B (ALWIL),   I-Worm/Netsky.B (Grisoft),   Win32.Netsky.B@mm (SOFTWIN),   Worm.SomeFool.Gen-unp (ClamAV),   W32/Netsky.B.worm (Panda),   Win32/Netsky.B (Eset)

Description added	Feb 18 2004
Behavior	Email Worm

Technical details

(Also known as Moodown.b) This worm spreads via the Internet as a file attached to infected emails. The worm itself is a PE EXE file of approximately 21KB, compressed using UPX. The size of the decompressed file is approximately 40KB.

Installation

The worm copies itself to the Windows directory under the name 'services.exe' and registers this file in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "service" = "%windir%\services.exe -serv"

The worm creates a number of copies of itself in all sub-directories on disks c to Z which contain the word 'share' or 'sharing' in the directory name. The copies will be under names chosen from the following list:

winxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angels.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my pussy.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif

document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!

Propagation

Infected messages have message headers and subject text chosen at random from the following list:

Message header:

Hi
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown

Message body:

AnythingOk?
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool

Deletion of the Mydoom worm

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Other