1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. NetSky.A

NetSky.A

ALIAS:I-Worm.Moodown, W32/Netsky.A@mm, Moodown

Summary

Moodown worm was found on 16th of February 2004. Initially it was sent out in numerous seed e-mails. The worm spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.

Disinfection

F-Secure provides the special disinfection utility to eliminate NetSky.A worm infection. You can download this utility from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.exe ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Additional Details

Installation to system

When the worm's file is run, it first shows a fake error messagebox:

Error
The file could not be opened!


Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "service" = "%windir%\services.exe -serv"
where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer" "system." "KasperskyAv"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "system."
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
After that the worm starts looking for e-mail addresses. It scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:

.msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml
If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:

winxp_crack.exe dolly_buster.jpg.pif strippoker.exe photoshop 9 crack.exe matrix.scr porno.scr angels.pif hardcore porn.jpg.exe office_crack.exe serial.txt.exe cool screensaver.scr eminem - lick my pussy.mp3.pif nero.7.exe virii.scr e-book.archive.doc.exe max payne 2.crack.exe how to hack.doc.exe programming basics.doc.exe e.book.doc.exe win longhorn.doc.exe dictionary.doc.exe rfc compilation.doc.exe sex sex sex sex.doc.exe doom2.doc.pif


Spreading in e-mails

When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside:

prod_info_04155.bat prod_info_54234.scr prod_info_42313.pif prod_info_33462.cmd prod_info_49541.exe prod_info_04650.bat prod_info_54739.scr prod_info_42818.pif prod_info_33967.cmd prod_info_49146.exe prod_info_54235.scr prod_info_42314.pif prod_info_54433.doc.exe prod_info_47532.doc.scr prod_info_43631.doc.exe prod_info_56780.doc.exe prod_info_43859.htm.scr prod_info_87968.htm.scr prod_info_34157.htm.exe prod_info_77256.txt.scr prod_info_33325.txt.exe prod_info_56474.txt.exe prod_info_33543.rtf.scr prod_info_65642.rtf.scr prod_info_55761.rtf.exe
The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names. The infected e-mails sent by the worm look like that:

From: EBay Auctions <responder@ebay.com> or Yahoo Auctions <auctions@yahoo.com> or Amazon automail <responder@amazon.com> or MSN Auctions <auctions@msn.com> or QXL Auctions <responder@qxl.com> or Ebay Auctions <responder@ebay.com>
Subject:

Auction successful!
Body:

#----------------- message was sent by automail agent ------------------#
Congratulations!
You were successful in the auction.
Auction ID <random number> Product ID <random number>
A detailed description about the product and the bill are attached to this mail. Please contact the seller immediately
Thank you!
The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm:

prod_info_04155.zip prod_info_54234.zip prod_info_42313.zip prod_info_33462.zip prod_info_49541.zip prod_info_04650.zip prod_info_54739.zip prod_info_42818.zip prod_info_33967.zip prod_info_49146.zip prod_info_54235.zip prod_info_42314.zip prod_info_54433.zip prod_info_47532.zip prod_info_43631.zip prod_info_56780.zip prod_info_43859.zip prod_info_87968.zip prod_info_34157.zip prod_info_77256.zip prod_info_33325.zip prod_info_56474.zip prod_info_33543.zip prod_info_65642.zip prod_info_55761.zip
A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.



Detection



Detection for Moodown worm is available in the following FSAV updates:

[FSAV_Database_Version]
Version=2004-02-16_02

Technical Details: Alexey Podrezov, February 16th, 2004;

Description updated: Alexey Podrezov, February 26th, 2004;