F-Secure Virus Descriptions : NetSky.AF

NAME: NetSky.AF
ALIAS: WORM_NETSKY.AF, I-Worm.NetSky.b, W32/Netsky.ag@MM, W32.Netsky.AD@mm
VARIANT:
SIZE:

Summary

NetSky.AF spreads in e-mails, either inside a ZIP archive or as an executable attachment. It also copies itself to shared folders on all available drives, which lets the worm spread over peer-to-peer and local networks. It is related to NetSky.B.

Detailed Description

NetSky.AF arrives as an e-mail attachment. When run, it displays a message box with the title "Fail", the text "File Corrupted replace this!!" and an OK button. It then copies itself to the %WinDir% directory under the name MsnMsgrs.exe and adds a Run key so that the worm is started again after a reboot:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsnMsgr"
    %WinDir%\MsnMsgrs.exe -alev

%WinDir% represents the Windows directory.

NetSky.AF then searches local drives for e-mail addresses. Files with the following extensions are scanned for addresses:

 .SCS
 .oft
 .sht
 .dbx
 .tbb
 .adb
 .doc
 .wab
 .asp
 .uin
 .rtf
 .vbs
 .html
 .htm
 .pl
 .php
 .txt
 .eml

If the worm finds a folder with 'sharing' or 'share' in its name, it copies itself there under the following names:

 aninha gatinha!.zip.scr
 barrio.scr
 cafe!!.zip.scr
 Canaval2004!.jpg.pif
 Carnaval em Salvador!!.zip.scr
 caspa.scr
 celulares!!.zip.scr
 clica ai logo meu.scr
 comoserrico!.zip.scr
 importante!!!!!.zip.scr
 minhavida!.zip.exe
 MulataDandoOcujpg.scr
 multas.pif
 paula!.scr
 puteiros!!.scr
 receitas de bolo!!.zip.scr
 rede globo tv!.zip.scr
 ResidentEvil2.zip.scr
 rocha.scr
 traficoemSP!.scr
 vadias peladas!!.scr
 vida!!.zip.scr
 VivaNaBaia!.scr
 vota!.zip.scr

NetSky.AF also creates ZIP files under %WinDir% with the following names:

 agua!.zip
 aqui.zip
 banco!.zip
 bingos!.zip
 carros!.zip
 circular.zip
 contas!!.zip
 criancas!.zip
 dinheiro!!.zip
 docs.zip
 email.zip
 festa!!.zip
 flipe.zip
 grana!!.zip
 impressao!!.zip
 jogo!.zip
 lantrocidade.zip
 loterias.zip
 lulao!.zip
 revista.zip
 sampa!!.zip
 sorteado!!.zip
 tetas.zip
 vaca.zip
 vadias!.zip
 vips!.zip

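The persistence entry, the dropped executable, the copies placed in shared folders and the ZIP files under %WinDir% listed above are all host-side indicators a responder can check for. The script below is an added example, not F-Secure's own detection logic: it takes a Run-key name-to-command mapping and directory listings supplied by the caller (the registry and file-system samples at the bottom are constructed for illustration; a real scan would read the registry and walk the drives) and reports every artefact that matches the names in this write-up.

```python
"""Host-side check for the NetSky.AF indicators listed in this write-up.

Added example, not F-Secure's own detection logic. Registry values and
directory listings are passed in by the caller; the samples at the bottom
are constructed data for illustration."""
from typing import Dict, Iterable, List

# Persistence indicator from the write-up: Run value "MsnMsgr" launching
# %WinDir%\MsnMsgrs.exe with the "-alev" switch. Stored lower-case because
# registry value names and Windows file names are case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "msnmsgr"
DROPPED_EXE = "msnmsgrs.exe"

# Names the worm uses when copying itself into folders whose name contains
# "share" or "sharing".
SHARE_COPY_NAMES = {n.lower() for n in (
    "aninha gatinha!.zip.scr", "barrio.scr", "cafe!!.zip.scr",
    "Canaval2004!.jpg.pif", "Carnaval em Salvador!!.zip.scr", "caspa.scr",
    "celulares!!.zip.scr", "clica ai logo meu.scr", "comoserrico!.zip.scr",
    "importante!!!!!.zip.scr", "minhavida!.zip.exe", "MulataDandoOcujpg.scr",
    "multas.pif", "paula!.scr", "puteiros!!.scr", "receitas de bolo!!.zip.scr",
    "rede globo tv!.zip.scr", "ResidentEvil2.zip.scr", "rocha.scr",
    "traficoemSP!.scr", "vadias peladas!!.scr", "vida!!.zip.scr",
    "VivaNaBaia!.scr", "vota!.zip.scr",
)}

# ZIP files the worm creates under %WinDir%.
WINDIR_ZIP_NAMES = {n.lower() for n in (
    "agua!.zip", "aqui.zip", "banco!.zip", "bingos!.zip", "carros!.zip",
    "circular.zip", "contas!!.zip", "criancas!.zip", "dinheiro!!.zip",
    "docs.zip", "email.zip", "festa!!.zip", "flipe.zip", "grana!!.zip",
    "impressao!!.zip", "jogo!.zip", "lantrocidade.zip", "loterias.zip",
    "lulao!.zip", "revista.zip", "sampa!!.zip", "sorteado!!.zip",
    "tetas.zip", "vaca.zip", "vadias!.zip", "vips!.zip",
)}


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values that point at the worm's executable.

    Matches the documented value name and, independently, the command line,
    so a renamed value that still launches MsnMsgrs.exe is caught too."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE or DROPPED_EXE in command.lower():
            findings.append(f"{RUN_KEY}\\{name} = {command}")
    return findings


def check_directory(path: str, entries: Iterable[str],
                    windir: str = r"C:\WINDOWS") -> List[str]:
    """Flag worm artefacts in one directory listing (folder path + file names)."""
    folder = path.rstrip("\\")
    leaf = folder.rsplit("\\", 1)[-1].lower()
    in_share_folder = "share" in leaf or "sharing" in leaf
    in_windir = folder.lower() == windir.lower()
    findings = []
    for entry in entries:
        name = entry.lower()
        if in_windir and name == DROPPED_EXE:
            findings.append(f"{folder}\\{entry} (worm executable)")
        elif in_windir and name in WINDIR_ZIP_NAMES:
            findings.append(f"{folder}\\{entry} (worm-created ZIP)")
        elif in_share_folder and name in SHARE_COPY_NAMES:
            findings.append(f"{folder}\\{entry} (copy dropped into shared folder)")
    return findings


def scan_host(run_values: Dict[str, str], listings: Dict[str, List[str]],
              windir: str = r"C:\WINDOWS") -> List[str]:
    """Combine the registry and directory checks into one list of findings."""
    findings = check_run_key(run_values)
    for path, entries in listings.items():
        findings.extend(check_directory(path, entries, windir))
    return findings


# Constructed sample data: one infected host with a benign entry mixed in.
SAMPLE_RUN_VALUES = {
    "SoundTray": r"C:\WINDOWS\system32\soundtray.exe",
    "MsnMsgr": r"C:\WINDOWS\MsnMsgrs.exe -alev",
}
SAMPLE_LISTINGS = {
    r"C:\WINDOWS": ["explorer.exe", "MsnMsgrs.exe", "docs.zip", "notepad.exe"],
    r"D:\Shared Files": ["report.doc", "multas.pif"],
    r"C:\Documents and Settings\alice\My Documents": ["multas.pif"],
}

if __name__ == "__main__":
    for line in scan_host(SAMPLE_RUN_VALUES, SAMPLE_LISTINGS):
        print("FOUND:", line)
```

The share-folder check only fires inside folders whose name contains "share" or "sharing", mirroring the worm's own behaviour; the last sample listing shows that the same file name elsewhere is left for a human to judge rather than reported as a worm copy.
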
If an internet connection is available, NetSky.AF uses its own SMTP engine to send out infected e-mail messages.

The attached files are chosen from the list above. The sender address is spoofed and is one of the collected addresses. The subject is one of the following:

 0123456789
 AninhaPutinha +55operado6992292246
 vaca
 tetas
 war3!
 AIDS!
 grana
 banco!
 revista
 lulao!
 imposto
 jogo!
 loterias
 vips!
 missao
 vadias!
 email
 flipe
 botao
 sampa!!
 contas!!
 zerado
 :(
 criancas!
 brasil!
 lantrocidade
 aqui
 docs
 festa!!
 LINUSTOR
 bingos!
 agua!
 :D
 sorteado!!
 grana!!
 dinheiro!!
 carros!
 voce
 :-)
 ???
 circular
 agradou
 diga
 robos!
 impressao!!
 massas!
 pescaria por kilo
 Sua saude esta bem?
 morto
 :)

The message body is one of the following:

 me veja peladinha
 gostaria disso e voce???
 algo a mais
 falea verdade!!!
 ganhe muita grana
 campanhadafome
 pq nao me liga??
 sinto voce!!
 grana
 Lembra?
 amor me liga
 Hackers do Brasil
 Medical Labs Exames!!!
 meutelefone liga
 ferias nos E.U.A
 Surto :(
 Vacina contra o HIV!!
 sua conta bancaria zerada
 olha que isso!!!
 parabens!
 te amo!
 Policia SP
 Sua Conta!!
 Boleto Pague
 veja o que tem no zip e me liga
 receitas de bolo!!
 acrdito que em voce!!!
 promocao de viajens de fim de ano
 tudo sobre voce sabe
 Proposta de emprego!!
 estou doente veja!!!
 me diz o queacha?
 retorna logo isso!!
 arquivo zipado PGP???
 voce passou :D!!!
 ve ai logo ta
 AMA!
 AmaVoce
 Abra rapido isso!!!!
 reza de sao tome!!!!
 veja detalhes!!!
 encontro voce!
 preenche ai ta bom
 PizzaVeneza!

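The mail characteristics above (a subject and body taken verbatim from fixed lists, a spoofed sender, and a ZIP or executable attachment) are what a mail gateway rule can key on. The script below is an added example, not F-Secure's detection: it parses a message with Python's standard email library, matches the subject and plain-text body against the strings quoted in this write-up (the lists here are a subset of those above and can be extended unchanged), and flags attachments whose names end in the executable extensions the worm uses or a ZIP arriving together with a matching lure. The messages at the bottom are constructed samples.

```python
"""Mail-gateway rule for the NetSky.AF messages described in this write-up.

Added example, not F-Secure's detection. Subject/body lists are a subset of
the ones in the write-up; the sample messages are constructed."""
import email
from email.message import Message
from typing import List

WORM_SUBJECTS = {
    "0123456789", "vaca", "tetas", "war3!", "AIDS!", "grana", "banco!",
    "revista", "lulao!", "imposto", "jogo!", "loterias", "vips!", "missao",
    "vadias!", "email", "flipe", "botao", "sampa!!", "contas!!", "zerado",
    ":(", "criancas!", "brasil!", "lantrocidade", "aqui", "docs", "festa!!",
    "LINUSTOR", "bingos!", "agua!", ":D", "sorteado!!", "grana!!",
    "dinheiro!!", "carros!", "voce", ":-)", "???", "circular", "agradou",
    "diga", "robos!", "impressao!!", "massas!", "pescaria por kilo",
    "Sua saude esta bem?", "morto", ":)",
}
WORM_BODIES = {
    "me veja peladinha", "ganhe muita grana", "sua conta bancaria zerada",
    "Sua Conta!!", "Boleto Pague", "veja o que tem no zip e me liga",
    "Proposta de emprego!!", "Abra rapido isso!!!!", "receitas de bolo!!",
}
# Extensions seen in the worm's attachment/file names (.zip.scr, .pif, .exe).
EXEC_EXTENSIONS = (".scr", ".pif", ".exe")


def plain_body(msg: Message) -> str:
    """Return the first non-attachment text/plain part, whitespace-stripped."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace").strip()
    return ""


def attachment_names(msg: Message) -> List[str]:
    """Collect the file names of all parts that carry one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message: str) -> List[str]:
    """Return the reasons a message looks like NetSky.AF (empty list if none)."""
    msg = email.message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = plain_body(msg)
    reasons = []
    lure = False
    if subject in WORM_SUBJECTS:
        reasons.append(f"subject matches worm list: {subject!r}")
        lure = True
    if body in WORM_BODIES:
        reasons.append(f"body matches worm list: {body!r}")
        lure = True
    for name in attachment_names(msg):
        lower = name.lower()
        if lower.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
        elif lower.endswith(".zip") and lure:
            reasons.append(f"ZIP attachment with worm subject/body: {name}")
    return reasons


def should_quarantine(raw_message: str) -> bool:
    """Quarantine only when a matching attachment is present. A subject or body
    hit on its own is logged but not blocked, because short subjects such as
    "email" or "docs" also occur in legitimate mail."""
    return any(r.startswith(("executable attachment", "ZIP attachment"))
               for r in classify(raw_message))


# Constructed sample: worm-style message with a matching subject, body and ZIP.
SAMPLE_WORM_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: banco!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

sua conta bancaria zerada
--b1
Content-Type: application/zip; name="banco!.zip"
Content-Disposition: attachment; filename="banco!.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: ordinary message with a document attached.
SAMPLE_CLEAN_MAIL = """\
From: carol@example.com
To: bob@example.com
Subject: Agenda for Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Agenda attached, see you Friday.
--b2
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, should_quarantine(raw), classify(raw))
```

Because the sender address is one of the harvested addresses, it carries no signal on its own; the rule therefore relies on the lure text and the attachment, and keeps executable attachments as a block condition regardless of subject.
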
Detection

F-Secure AntiVirus detects NetSky.AF under the name I-Worm.NetSky.b.

[FSAV_Database_Version]

Version=2004-10-13_03
Write-up: Tzvetan Chaliavski, October 13th, 2004;

Description Updated: Tzvetan Chaliavski, October 14th, 2004;

F-Secure Corporation