

NetSky.C

Aliases: I-Worm.Moodown.C, W32/Netsky.C@mm, Moodown.C, Worm.Somefool, I-Worm.NetSky.c

Malware
Email-Worm
W32
Summary

The Netsky.C (also known as Moodown.C) worm was found on the 25th of February 2004. This variant has been improved compared with the previous variants of the worm. Netsky.C spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders on all available drives, which allows the worm to spread over P2P (peer-to-peer) and local networks.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

Descriptions of previous NetSky variants can be found here:

The differences between Netsky.C variant and the previous variants of the worm are as follows:

  • We received several differently packed samples of the Moodown.C worm. The first two are packed with the Petite file compressor, and one of them is 1 byte longer than the other. The third is packed with the ASPack file compressor and the fourth with the UPX file compressor.
  • The worm does not show an error message box when run for the first time.
  • On February 26th, 2004 the worm beeps constantly through the PC speaker from 6:00 to 8:59. The sound the worm makes can be heard in this WAV file: http://www.f-secure.com/virus-info/v-pics/netsky_d.wav
  • The worm installs itself as WINLOGON.EXE in the Windows folder and creates a startup entry for this file in the Registry:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ICQ Net" = "%windir%\winlogon.exe -stealth"

    where %windir% represents the Windows directory.
  • In addition to deleting the MyDoom startup keys in the Registry, the worm deletes the following Registry entries:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    msgsvr32
    DELETE ME
    service
    Sentry
    Windows Services Host
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    d3dupdate.exe
    au.exe
    OLE
    Windows Services Host
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
    [HKLM\System\CurrentControlSet\Services\WksPatch]

  • The worm has a longer list of file extensions that it uses when looking for e-mail addresses:
    .eml
    .txt
    .php
    .pl
    .htm
    .html
    .vbs
    .rtf
    .uin
    .asp
    .wab
    .doc
    .adb
    .tbb
    .dbx
    .sht
    .oft
    .msg
    .shtm
    .cgi
    .dhtm

  • The worm avoids sending e-mails to addresses that contain any of the following strings:
    icrosoft
    antivi
    ymantec
    spam
    avp
    f-secur
    itdefender
    orman
    cafee
    aspersky
    f-pro
    orton
    fbi
    abuse

  • If the worm finds a folder whose name contains the substring 'shar' on any drive from C: to Z: (except CD-ROM drives), it copies itself to that folder under one of the following names:
    Microsoft WinXP Crack.exe
     Teen Porn 16.jpg.pif
     Adobe Premiere 9.exe
     Adobe Photoshop 9 full.exe
     Best Matrix Screensaver.scr
     Porno Screensaver.scr
     Dark Angels.pif
     XXX hardcore pic.jpg.exe
     Microsoft Office 2003 Crack.exe
     Serials.txt.exe
     Screensaver.scr
     Full album.mp3.pif
     Ahead Nero 7.exe
     Virii Sourcecode.scr
     E-Book Archive.rtf.exe
     Doom 3 Beta.exe
     How to hack.doc.exe
     Learn Programming.doc.exe
     WinXP eBook.doc.exe
     Win Longhorn Beta.exe
     Dictionary English - France.doc.exe
     RFC Basics Full Edition.doc.exe
     1000 Sex and more.rtf.exe
     3D Studio Max 3dsmax.exe
     Keygen 4 all appz.exe
     Windows Sourcecode.doc.exe
     Norton Antivirus 2004.exe
     Gimp 1.5 Full with Key.exe
     Partitionsmagic 9.0.exe
     Star Office 8.exe
     Magix Video Deluxe 4.exe
     Clone DVD 5.exe
     MS Service Pack 5.exe
     ACDSee 9.exe
     Visual Studio Net Crack.exe
     Cracks & Warez Archive.exe
     WinAmp 12 full.exe
     DivX 7.0 final.exe
     Opera.exe
     IE58.1 full setup.exe
     Smashing the stack.rtf.exe
     Ulead Keygen.exe
     Lightwave SE Update.exe
     The Sims 3 crack.exe
    
    
  • The subjects of infected messages sent by the worm can be:
    Delivery Failed
     Status
     report
     question
     trust me
     hey
     Re: excuse me
     read it immediatelly
     hi
     Re: does it?
     Yep
     important
     hello
     ear
     Re: unknown
     fake?
     warning
     moin
     what's up?
     info
     Re: information
     Here is it
     stolen
     private?
     good morning
     illegal...
     error
     take it
     re:
     Re: Re: Re: Re:
     you?
     something for you
     exception
     Re: hey
     excuse me
     Re: hi
     Re: does it?
     Re: important
     Re: hello
     believe me
     Question
     denied!
     notification
     Re: <5664ddff?$??§2>
     lol
     last chance!
     I'm back!
     its me
     notice!
     oh
    
    
  • The infected message body text can be the following:
    <Deliver Error>
     <Message Error>
     <Server Error>
     what means that?
     help attached
     <...>
     ok...
     <Attachment from Poland>
     that is interesting...
     i wait for your comment about it.
     such as yours?
     read the details.
     gonna?
     here is the document.
     *lol*
     read it immediately!
     i found that about you!
     your hero in the picture?
     yours?
     here is it.
     illegal st. of you?
     is that true?
     account?
     is that your name?
     picture?
     message?
     is that your account?
     pwd?
     I wait for an answer!
     abuse?
     is that yours?
     you are a bad writer
     I don't know your document!
     <Mail failed>
     I have your password!
     you won the rk!
     something about you!
     classroom test of you?
     kill the writer of this document!
     old photos about you?
     i hope thats not true!
     your name is wrong!
     does it match?
     i found this document about you.
     time to fear?
     really?
     do you know this????
     i know your document!
     did you sent it to me?
     this file is bad!
     why should I?
     pages?
     her.
     another pic, have fun! ... :->
     test it
     child porn?
     greetings
     xxx ?
     stuff about you?
     your document is not good
     something is going wrong!
     your photo is poor
     information about you?
     the information is wrong!
     doc about me?
     kill him on the picture!
     from the chatter (my photo!)
     from your lover ;-)
     love letter?
     here, the serials
     are you a teacherin the picture?
     here, the introduction
     is that criminal?
     here, the cheats
     i like your doc!
     what do you think about it?
     that's a funny text.
     that's not the truth?
     do you have?
     instruct me about this!
     i lost that
     i am speachless about your document!
     is that the reality?
     reply
     msg
     your design is not good!
     important?
     your TAN number?
     take it easy!
     why?
     you are naked in this document!
     thats wrong!
     your icq number?
     i am desperate
     modifications?
     your personal record?
     yes.
     misc. and so on. see you!
     your attachment? verify it.
     you earn money, see the attachment!
     is that your attachment?
     is that your website?
     you feel the same.
     meaning of that?
     possible?
     you have tried to steal!
     did you ask me for that?
     you are bad
     your job? (I found that!)
     is that possible?
     something is going ...
     something is not ok
     did you know from this document?
     wrong calculation! (see the attachment!)
     never!
     poor quality!
     good work!
     excellent!
     great!
     i don't think so.
     pretty pic about you?
     docs?
     schoolfriend?
     <Warning from the Government>
     <09580985869gj>
     <?}
     i want more...
     here is the next one!
     attachi#
     did you see her already?
     is that your wife?
     is that your creditcard?
     is that your photo?
     do you think so?
     do you have the bug also?
     already?
     forgotten?
     drugs? ...
     does it matter?
     i have received this.
     best?
     the truth?
     your body?
     your eyes?
     your face?
     File is self-decryting.
     File is damaged.
     File is bad.
     i saw you last week!
     xxx service
     your account is expired!
     you cannot hide yourself! (see photo)
     copyright?
     what still?
     who?
     how?
     <bad gateway>
     only encrypted!
     personal message!
     my advice....
     i've found it about you
     <<<Failure>>>
     <Attached Msg>
     <scanned by norton antivirus>
     great xxx!
     man or women?
     child or adult?
     here is yours!
     a crazy doc about you
     xxx about you?
     i don't want your xxx pics!
     <Failed message available>
     <Automailer>
     doc?
     trial?
     what?
     ;-)
     i need you!
     correct it!
     see this!
     it's a secret!
     this is nothing for kids!
     it's so similar as yours!
     is that your car?
     do not give up!
     great job!
     here is the $%%454$
     you are sexy in this doc!
     incest?
     let it!
     you look like an ape!
     you look like an rat?
     be mad?
     are you cranky?
     bob the builder
     did you know that?
     money?
     is that your car?
     is this information about you?
     is that your privacy?
     is that your TAN?
     is that your message?
     is that your cd?
     is that your finger?
     your are naked?
     is that your porn pic?
     is that your work?
     is that your family?
     is that your beast?
     is that your account?
     is that your slip?
     is that your domain?
     are you the naked one?
     are you the naked person!
     are you the one?
     does it belong to you?
     do you have sex in the picture?
     you have a sexy body in the pic!
     your lie is going around the world!
     <Transfer complete>
     <Antispam complete>
     lets talk about it!
     do you know the thief?
     are you a photographer?
     you have done a mistake in the document!
     its private from me
     do not show this anyone!
     new patch is available!
     this is an attachment message!
     in your mind?
     Microsoft
     fast food...
     Your bill.
     try this patch!
     do you have an orgasm in the picture?
     <Click the attachment to decrypt>
     <Attachment Signature 34933920>
     Transaction failed. Show the doc!
     I 've found your bill!
     see your name!
     You are infected. Read the details!
     here is my advice.
     here is my photo!
     here is the <censored>
     feel free to use it.
     does it belong to you?
     Login required! Read the attachment!
     your document is silly!
     is the pic a fake?
     Antispam is turned off. See file!
     Authentification required. Read the attachment
     solve the problem!
     <null>
     do not use my document!
     do not open the attachment!
     do not visit the pages on the list I sent!
     explain!
     tell me more about your document!
     Your provider will be disabled!
     Instant patches.
    
    
  • The infected attachment names are randomly selected from the following list:
    document
     associal
     msg
     yours
     doc
     wife
     talk
     message
     response
     creditcard
     description
     details
     attachment
     pic
     me
     trash
     card
     stuff
     poster
     posting
     portmoney
     textfile
     moonlight
     concert
     sexy
     information
     news
     note
     number_phone
     bill
     mydate
     swimmingpool
     class_photos
     product
     old_photos
     topseller
     ps
     important
     shower
     myaunt
     aboutyou
     yours
     nomoney
     birth
     found
     death
     story
     worker
     mails
     letter
     more
     website
     regards
     regid
     friend
     unfolds
     jokes
     doc_ang
     your_stuff
     location
     454543403
     final
     schock
     release
     webcam
     dinner
     intimate stuff
     sexual
     ranking
     object
     secrets
     mail2
     attach2
     part2
     msg2
     disco
     freaky
     visa
     party
     material
     misc
     nothing
     transfer
     auction
     warez
     undefinied
     violence
     update
     masturbation
     injection
     naked1
     naked2
     tear
     music
     paypal
     id
     privacy
     word_doc
     image
     incest
    
    

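The Run entry described in the bullet list above ("ICQ Net" pointing at a winlogon.exe in the Windows folder with a -stealth argument) is easy to check for in an exported Run key. The following is an added example written for this page, not F-Secure's code: it parses a constructed .reg-style export of the HKLM Run key and flags entries matching that description. The legitimate winlogon.exe lives under System32, so a copy launched from elsewhere is the tell.

```python
import re

# Constructed sample of a "reg export" of the Run key (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
'''

# One value line of a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {name: data} for the values under a ...\CurrentVersion\Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith('['):
            # Key header: remember whether we are inside a Run key.
            in_run = line.rstrip(']').lower().endswith(r'\currentversion\run')
            continue
        m = VALUE_RE.match(line.strip())
        if in_run and m:
            # .reg exports double every backslash; undo that for the path.
            values[m.group('name')] = m.group('data').replace('\\\\', '\\')
    return values

def netsky_c_persistence_hits(values):
    """Return (name, data, reasons) for Run values resembling the NetSky.C entry."""
    hits = []
    for name, data in values.items():
        low, reasons = data.lower(), []
        if name == 'ICQ Net':
            reasons.append('value name "ICQ Net"')
        if 'winlogon.exe' in low and '\\system32\\' not in low:
            reasons.append('winlogon.exe launched from outside System32')
        if '-stealth' in low:
            reasons.append('-stealth argument')
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == '__main__':
    for name, data, reasons in netsky_c_persistence_hits(parse_run_values(SAMPLE_REG)):
        print('%s = %s  <- %s' % (name, data, '; '.join(reasons)))
```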
The worm can compose the attachment name from several parts listed above.

As in the previous variants, the worm can use one or two extensions for its attachments. For the first extension the worm uses one of the following:

.txt
.rtf
.doc
.htm

For the second extension the worm uses one of the following:

.exe
.scr
.com
.pif

The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the names shown above.

The worm's file is attached to the infected e-mail either inside a ZIP archive or as a plain binary file. To get infected, a recipient has to unpack the worm's file from the ZIP archive and run it, or run the executable attachment directly.
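The attachment naming scheme just described (a base name from the list, an optional decoy first extension, then an executable second extension, or a ZIP) can be turned into a mail-gateway filename check. The following is an added example for this page, not F-Secure's code; the base-name set is a subset of the page's list and should be extended with the full list, and the sample filenames are constructed.

```python
# Subset of the attachment base names listed above (extend with the full list).
BASE_NAMES = {'document', 'msg', 'yours', 'doc', 'wife', 'message', 'creditcard',
              'details', 'attachment', 'pic', 'bill', 'paypal', 'visa', 'stuff',
              'update', 'old_photos', 'class_photos'}
FIRST_EXT = {'.txt', '.rtf', '.doc', '.htm'}    # optional decoy extension
SECOND_EXT = {'.exe', '.scr', '.com', '.pif'}   # executable extension that runs

def classify_attachment(filename):
    """Return a reason string if the name fits the NetSky.C scheme, else None."""
    parts = filename.lower().strip().split('.')
    if len(parts) < 2:
        return None                      # no extension at all
    base, exts = parts[0], ['.' + p for p in parts[1:]]
    base_known = base in BASE_NAMES
    if exts == ['.zip']:
        # Inside a ZIP only the base name gives the worm away.
        return 'ZIP archive with NetSky.C base name' if base_known else None
    if exts[-1] not in SECOND_EXT:
        return None                      # does not end in an executable extension
    if len(exts) == 2 and exts[0] in FIRST_EXT:
        reason = 'decoy double extension %s%s' % (exts[0], exts[1])
        return reason + ' with NetSky.C base name' if base_known else reason
    if len(exts) == 1 and base_known:
        return 'executable extension with NetSky.C base name'
    return None

def suspicious_attachments(filenames):
    """Map each flagged filename to its reason; clean names are omitted."""
    hits = {}
    for name in filenames:
        reason = classify_attachment(name)
        if reason:
            hits[name] = reason
    return hits

# Constructed sample attachment names (not from a real capture).
SAMPLE = ['document.txt.exe', 'creditcard.zip', 'report.doc',
          'holiday.rtf.scr', 'stuff.pif', 'setup.exe', 'readme']

if __name__ == '__main__':
    for name, why in suspicious_attachments(SAMPLE).items():
        print('%-20s %s' % (name, why))
```

A bare decoy double extension is flagged even when the base name is unknown, since that pattern is the part of the scheme most likely to survive the worm composing names from several parts.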

