F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : NetSky.B

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.

Radar Alert LEVEL 2

NAME:NetSky.B
ALIAS:I-Worm.Moodown.B, W32/Netsky.B@mm, Moodown.B, Worm.Somefool

Summary

Moodown.B (also known as NetSky.B) worm was found on 18th of February 2004. It is a minor variant of NetSky.A worm that appeared 2 days earlier. The worm spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.

Disinfection

F-Secure provides the special disinfection utility to eliminate NetSky.B worm infection. You can download this utility from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.exe ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Back to the Top


Detailed Description

Installation to system

When the worm's file is run, it first shows a fake error messagebox:

 Error

 The file could not be opened!

Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "service" = "%windir%\services.exe -serv"

where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Taskmon"
 "Explorer"
 "system."
 "KasperskyAv"

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Taskmon"
 "Explorer"

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 "system."

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

After that the worm starts looking for e-mail addresses. It scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:

 .msg
 .oft
 .sht
 .dbx
 .tbb
 .adb
 .doc
 .wab
 .asp
 .uin
 .rtf
 .vbs
 .html
 .htm
 .pl
 .php
 .txt
 .eml

If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:

 winxp_crack.exe
 dolly_buster.jpg.pif
 strippoker.exe
 photoshop 9 crack.exe
 matrix.scr
 porno.scr
 angels.pif
 hardcore porn.jpg.exe
 office_crack.exe
 serial.txt.exe
 cool screensaver.scr
 eminem - lick my pussy.mp3.pif
 nero.7.exe
 virii.scr
 e-book.archive.doc.exe
 max payne 2.crack.exe
 how to hack.doc.exe
 programming basics.doc.exe
 e.book.doc.exe
 win longhorn.doc.exe
 dictionary.doc.exe
 rfc compilation.doc.exe
 sex sex sex sex.doc.exe
 doom2.doc.pif

Spreading in e-mails

When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside. The worm can use the following names for its attachments:

 document
 msg
 doc
 talk
 message
 creditcard
 details
 attachment
 me
 stuff
 posting
 textfile
 concert
 information
 note
 bill
 swimmingpool
 product
 topseller
 ps
 shower
 aboutyou
 nomoney
 found
 story
 mails
 website
 friend
 jokes
 location
 final
 release
 dinner
 ranking
 object
 mail2
 part2
 disco
 party
 misc

The worm can use one or two extensions for its attachments. For the first extension the worm uses the following:

 .txt
 .rtf
 .doc
 .htm

For the second extension the worm uses the following:

 .exe
 .scr
 .com
 .pif

The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names.

The subject of an infected e-mail can be one of the following:

 hi
 hello
 read it immediately
 something for you
 warning
 information
 stolen
 fake
 unknown

The body text of an infected e-mail can be one of the following:

 anything ok?
 what does it mean?
 ok
 i'm waiting
 read the details.
 here is the document.
 read it immediately!
 my hero
 here
 is that true?
 is that your name?
 is that your account?
 i wait for a reply!
 is that from you?
 you are a bad writer
 I have your password!
 something about you!
 kill the writer of this document!
 i hope it is not true!
 your name is wrong
 i found this document about you
 yes, really?
 that is bad
 here it is
 see you
 greetings
 stuff about you?
 something is going wrong!
 information about you
 about me
 from the chatter
 here, the serials
 here, the introduction
 here, the cheats
 that's funny
 do you?
 reply
 take it easy
 why?
 thats wrong
 misc
 you earn money
 you feel the same
 you try to steal
 you are bad
 something is going wrong
 something is fool

The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. A recipient has to unpack the worm's attachment from a ZIP archive and to run it or to run an executable attachment to get infected.

Back to the Top


Detection

Detection for Moodown.B worm is available in the following FSAV updates:

[FSAV_Database_Version]

Version=2004-02-18_02

Back to the Top


Technical Details: Alexey Podrezov, February 18th, 2004;

Description Updated: Alexey Podrezov, February 26th, 2004;

F-Secure Corporation