Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms

Email-Worm.Win32.NetSky.x

Other versions: .aa, .ac, .b, .c, .d, .e, .m, .o, .q, .r, .t, .y

Aliases
Email-Worm.Win32.NetSky.x (Kaspersky Lab) is also known as: I-Worm.NetSky.x (Kaspersky Lab), W32/Netsky.w.eml!exe (McAfee),   Win32.HLLM.Netsky.based (Doctor Web),   Win32/Netsky.W@mm (RAV),   Worm/Netsky.W.1 (H+BEDV),   W32/Netsky.W@mm (FRISK),   Win32.Netsky.W@mm (SOFTWIN),   W32/Netsky.W.worm (Panda)
Description added Jun 23 2005
Behavior Email Worm
Technical details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm is activated when the user launches the attached file by clicking on the attachment. The worm will then install itself and start propagating.

The worm itself is a PE EXE file, written in Microsoft Visual C++ and packed using UPX. The packed file is approximately 24KB in size and the unpacked file is approximately 138KB in size.

Installation

The worm copies itself to the Windows root directory under the name "VisualGuard.exe":

%Windir%\VisualGuard.exe

and registers this file in the Windows system registry

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NetDy" = "%Windir%\VisualGuard.exe"

This ensures that the worm will be run each time Windows is rebooted.

The worm also creates the following files in the Windows root directory:

%Windir%\base64.tmp 
%Windir%\zip1.tmp
%Windir%\zip2.tmp
%Windir%\zip3.tmp
%Windir%\zip4.tmp
%Windir%\zip5.tmp
%Windir%\zip6.tmp
%Windir%\zipped.tmp

The worm creates the unique identifier "NetDy_Mutex_Psycho" to flag its presence in the system.

Propagation via email

The worm harvests addresses by scanning files with the following extensions:

.adb
.asp
.dbx
.cgi
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml

It uses its own SMTP library to send messages to harvested addresses.

Infected messages

Infected messages have an attachment:

Message subject (chosen at random from the list below):

Re:
approved
my
your
application
bill
corrected
data
details
document
document_all
excel document
file
hello
here
hi
important
improved 
information
letter
message
patched
product
read it immediately
screensaver
text
thanks!
website
word document

Message body (chosen at random from the list below):

Authentication required.
I have attached your document.
I have received your document. The corrected document is attached.
Please confirm the document.
Please read the attached file.
Please see the attached file for details.
Please read the document.
Please read the important document.
Requested file.
See the file.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.

Message signature:

No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

Attachment name (chosen at random from the list below):

application
approved
bill
data
details
document
document_all
excel document
file
important
improved 
information
letter
message
product
screensaver
text
website
word document

The attachment may have one of the following extensions:

exe
pif
scr
zip

Other

The worm will delete the following registry values (if found) 

Explorer
msgsvr32
Sentry
service
system
Taskmon
DELETE ME

from

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

It also deletes the following values:

Taskmon
Explorer
d3dupdate.exe
au.exe
gouday.exe
rate.exe
sysmon.exe
srate.exe
ssate.exe
OLE
PINF

from

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Netsky.x also deletes the following registry keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System" 
[HKLM\System\CurrentControlSet\Services]
"WksPatch"

These registry keys and values relate to other email worms (some versions of Email-Worm.Win32.Bagle and Email-Worm.Win32. Mydoom).

Email-Worm.Win32.NetSky.x contains the following text strings:

<*>NetDy: Thanks to the SkyNet alias NetSky crew for the sourcecode.
<*>NetDy: We have rewritten NetSky.
<*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
<*>NetDy: Our group will continue the war.
<*>NetDy: Malware writers 'End' comes true.
<*>NetDy: Our Social Engineering is the best *lol* (You have no virus
symantec says!).
<*>NetDy: ----------------------------------------------------------------------------
<*>NetDy: We are greeting all russia people!
USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU,
OSAMA BIN LADEN,
BURN IN THE DEVILS FIRE 2!!!
SHAME ON YOU MR. BUSH!!!
 		 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com