1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. NetSky.C

NetSky.C

ALIAS:I-Worm.Moodown.C, W32/Netsky.C@mm, Moodown.C, Worm.Somefool, I-Worm.NetSky.c

Summary

Netsky.C (also known as Moodown.C) worm was found on 25th of February 2004. This variant has been improved comparing to previous variants of the worm. Netsky.C spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.

Disinfection

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Additional Details

Descriptions of previous NetSky variants can be found here:

The differences between Netsky.C variant and the previous variants of the worm are as follows:

  • We received several differently packed variants of Moodown.C worm. First two variants are packed with Petite file compressor and one of those is 1 byte longer that another. The third variant is packed with ASPack file compressor while the forth variant is packed with UPX file compressor.
  • The worm doesn't show an error messagebox when run for the first time.
  • On February 26th, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: http://www.f-secure.com/virus-info/v-pics/netsky_d.wav
  • The worm installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry:


    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "ICQ Net" = "%windir%\winlogon.exe -stealth"

    where %windir% represents Windows directory.
  • In addition to deleting MyDoom startup keys in the Registry, the worm deletes the following keys:


    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 msgsvr32
 DELETE ME
 service
 Sentry
 Windows Services Host


    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 d3dupdate.exe
 au.exe
 OLE
 Windows Services Host


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]


    [HKLM\System\CurrentControlSet\Services\WksPatch]

  • The worm has a longer list of file extensions that it uses to look for e-mail addresses:

     .eml
 .txt
 .php
 .pl
 .htm
 .html
 .vbs
 .rtf
 .uin
 .asp
 .wab
 .doc
 .adb
 .tbb
 .dbx
 .sht
 .oft
 .msg
 .shtm
 .cgi
 .dhtm

  • The worm avoids sending e-mails to addresses that contain the following strings:

     icrosoft
 antivi
 ymantec
 spam
 avp
 f-secur
 itdefender
 orman
 cafee
 aspersky
 f-pro
 orton
 fbi
 abuse

  • If the worm finds a folder that has the 'shar' substring in its name on any of drives from C: to Z: (except CD-ROM drives), it copies itself to that folder with one of the following names:


     Microsoft WinXP Crack.exe
 Teen Porn 16.jpg.pif
 Adobe Premiere 9.exe
 Adobe Photoshop 9 full.exe
 Best Matrix Screensaver.scr
 Porno Screensaver.scr
 Dark Angels.pif
 XXX hardcore pic.jpg.exe
 Microsoft Office 2003 Crack.exe
 Serials.txt.exe
 Screensaver.scr
 Full album.mp3.pif
 Ahead Nero 7.exe
 Virii Sourcecode.scr
 E-Book Archive.rtf.exe
 Doom 3 Beta.exe
 How to hack.doc.exe
 Learn Programming.doc.exe
 WinXP eBook.doc.exe
 Win Longhorn Beta.exe
 Dictionary English - France.doc.exe
 RFC Basics Full Edition.doc.exe
 1000 Sex and more.rtf.exe
 3D Studio Max 3dsmax.exe
 Keygen 4 all appz.exe
 Windows Sourcecode.doc.exe
 Norton Antivirus 2004.exe
 Gimp 1.5 Full with Key.exe
 Partitionsmagic 9.0.exe
 Star Office 8.exe
 Magix Video Deluxe 4.exe
 Clone DVD 5.exe
 MS Service Pack 5.exe
 ACDSee 9.exe
 Visual Studio Net Crack.exe
 Cracks & Warez Archive.exe
 WinAmp 12 full.exe
 DivX 7.0 final.exe
 Opera.exe
 IE58.1 full setup.exe
 Smashing the stack.rtf.exe
 Ulead Keygen.exe
 Lightwave SE Update.exe
 The Sims 3 crack.exe

  • The subjects of infected messages sent by the worm can be:


     Delivery Failed
 Status
 report
 question
 trust me
 hey
 Re: excuse me
 read it immediatelly
 hi
 Re: does it?
 Yep
 important
 hello
 ear
 Re: unknown
 fake?
 warning
 moin
 what's up?
 info
 Re: information
 Here is it
 stolen
 private?
 good morning
 illegal...
 error
 take it
 re:
 Re: Re: Re: Re:
 you?
 something for you
 exception
 Re: hey
 excuse me
 Re: hi
 Re: does it?
 Re: important
 Re: hello
 believe me
 Question
 denied!
 notification
 Re: <5664ddff?$??ยง2>
 lol
 last chance!
 I'm back!
 its me
 notice!
 oh

  • The infected message body text can be the following:


     <Deliver Error>
 <Message Error>
 <Server Error>
 what means that?
 help attached
 <...>
 ok...
 <Attachment from Poland>
 that is interesting...
 i wait for your comment about it.
 such as yours?
 read the details.
 gonna?
 here is the document.
 *lol*
 read it immediately!
 i found that about you!
 your hero in the picture?
 yours?
 here is it.
 illegal st. of you?
 is that true?
 account?
 is that your name?
 picture?
 message?
 is that your account?
 pwd?
 I wait for an answer!
 abuse?
 is that yours?
 you are a bad writer
 I don't know your document!
 <Mail failed>
 I have your password!
 you won the rk!
 something about you!
 classroom test of you?
 kill the writer of this document!
 old photos about you?
 i hope thats not true!
 your name is wrong!
 does it match?
 i found this document about you.
 time to fear?
 really?
 do you know this????
 i know your document!
 did you sent it to me?
 this file is bad!
 why should I?
 pages?
 her.
 another pic, have fun! ... :->
 test it
 child porn?
 greetings
 xxx ?
 stuff about you?
 your document is not good
 something is going wrong!
 your photo is poor
 information about you?
 the information is wrong!
 doc about me?
 kill him on the picture!
 from the chatter (my photo!)
 from your lover ;-)
 love letter?
 here, the serials
 are you a teacherin the picture?
 here, the introduction
 is that criminal?
 here, the cheats
 i like your doc!
 what do you think about it?
 that's a funny text.
 that's not the truth?
 do you have?
 instruct me about this!
 i lost that
 i am speachless about your document!
 is that the reality?
 reply
 msg
 your design is not good!
 important?
 your TAN number?
 take it easy!
 why?
 you are naked in this document!
 thats wrong!
 your icq number?
 i am desperate
 modifications?
 your personal record?
 yes.
 misc. and so on. see you!
 your attachment? verify it.
 you earn money, see the attachment!
 is that your attachment?
 is that your website?
 you feel the same.
 meaning of that?
 possible?
 you have tried to steal!
 did you ask me for that?
 you are bad
 your job? (I found that!)
 is that possible?
 something is going ...
 something is not ok
 did you know from this document?
 wrong calculation! (see the attachment!)
 never!
 poor quality!
 good work!
 excellent!
 great!
 i don't think so.
 pretty pic about you?
 docs?
 schoolfriend?
 <Warning from the Government>
 <09580985869gj>
 <?}
 i want more...
 here is the next one!
 attachi#
 did you see her already?
 is that your wife?
 is that your creditcard?
 is that your photo?
 do you think so?
 do you have the bug also?
 already?
 forgotten?
 drugs? ...
 does it matter?
 i have received this.
 best?
 the truth?
 your body?
 your eyes?
 your face?
 File is self-decryting.
 File is damaged.
 File is bad.
 i saw you last week!
 xxx service
 your account is expired!
 you cannot hide yourself! (see photo)
 copyright?
 what still?
 who?
 how?
 <bad gateway>
 only encrypted!
 personal message!
 my advice....
 i've found it about you
 <<<Failure>>>
 <Attached Msg>
 <scanned by norton antivirus>
 great xxx!
 man or women?
 child or adult?
 here is yours!
 a crazy doc about you
 xxx about you?
 i don't want your xxx pics!
 <Failed message available>
 <Automailer>
 doc?
 trial?
 what?
 ;-)
 i need you!
 correct it!
 see this!
 it's a secret!
 this is nothing for kids!
 it's so similar as yours!
 is that your car?
 do not give up!
 great job!
 here is the $%%454$
 you are sexy in this doc!
 incest?
 let it!
 you look like an ape!
 you look like an rat?
 be mad?
 are you cranky?
 bob the builder
 did you know that?
 money?
 is that your car?
 is this information about you?
 is that your privacy?
 is that your TAN?
 is that your message?
 is that your cd?
 is that your finger?
 your are naked?
 is that your porn pic?
 is that your work?
 is that your family?
 is that your beast?
 is that your account?
 is that your slip?
 is that your domain?
 are you the naked one?
 are you the naked person!
 are you the one?
 does it belong to you?
 do you have sex in the picture?
 you have a sexy body in the pic!
 your lie is going around the world!
 <Transfer complete>
 <Antispam complete>
 lets talk about it!
 do you know the thief?
 are you a photographer?
 you have done a mistake in the document!
 its private from me
 do not show this anyone!
 new patch is available!
 this is an attachment message!
 in your mind?
 Microsoft
 fast food...
 Your bill.
 try this patch!
 do you have an orgasm in the picture?
 <Click the attachment to decrypt>
 <Attachment Signature 34933920>
 Transaction failed. Show the doc!
 I 've found your bill!
 see your name!
 You are infected. Read the details!
 here is my advice.
 here is my photo!
 here is the <censored>
 feel free to use it.
 does it belong to you?
 Login required! Read the attachment!
 your document is silly!
 is the pic a fake?
 Antispam is turned off. See file!
 Authentification required. Read the attachment
 solve the problem!
 <null>
 do not use my document!
 do not open the attachment!
 do not visit the pages on the list I sent!
 explain!
 tell me more about your document!
 Your provider will be disabled!
 Instant patches.

  • The infected attachment names are randomly selected from the following list:


     document
 associal
 msg
 yours
 doc
 wife
 talk
 message
 response
 creditcard
 description
 details
 attachment
 pic
 me
 trash
 card
 stuff
 poster
 posting
 portmoney
 textfile
 moonlight
 concert
 sexy
 information
 news
 note
 number_phone
 bill
 mydate
 swimmingpool
 class_photos
 product
 old_photos
 topseller
 ps
 important
 shower
 myaunt
 aboutyou
 yours
 nomoney
 birth
 found
 death
 story
 worker
 mails
 letter
 more
 website
 regards
 regid
 friend
 unfolds
 jokes
 doc_ang
 your_stuff
 location
 454543403
 final
 schock
 release
 webcam
 dinner
 intimate stuff
 sexual
 ranking
 object
 secrets
 mail2
 attach2
 part2
 msg2
 disco
 freaky
 visa
 party
 material
 misc
 nothing
 transfer
 auction
 warez
 undefinied
 violence
 update
 masturbation
 injection
 naked1
 naked2
 tear
 music
 paypal
 id
 privacy
 word_doc
 image
 incest

The worm can compose the attachment name from several parts listed above.

Like in the previous variants, the worm can use one or two extensions for its attachments. For the first extension the worm uses the following:

 .txt
 .rtf
 .doc
 .htm

For the second extension the worm uses the following:

 .exe
 .scr
 .com
 .pif

The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names.

The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. A recipient has to unpack the worm's attachment from a ZIP archive and to run it or to run an executable attachment to get infected.