F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : NetSky.D

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 1

NAME:NetSky.D
ALIAS:W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d
SIZE:17424

Summary

A new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.D worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Back to the Top


Detailed Description

Descriptions of previous NetSky variants can be found here:

W32/NetSky.A@mm: http://www.f-secure.com/v-descs/moodown.shtml

W32/NetSky.B@mm: http://www.f-secure.com/v-descs/netsky_b.shtml

W32/NetSky.C@mm: http://www.f-secure.com/v-descs/netsky_c.shtml

The differences between Netsky.D variant and the previous variants of the worm are as follows:

1. The worm's file is packed with Petite file compressor and is 17424 bytes long. The unpacked file's size is about 28 kilobytes.

2. The worm doesn't show an error messagebox when run for the first time.

3. On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes:

http://www.f-secure.com/virus-info/v-pics/netsky_d.wav

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry: 

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys: 

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]


 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]


 [HKLM\System\CurrentControlSet\Services\WksPatch]


 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 Taskmon
 system.
 msgsvr32
 DELETE ME
 service
 Sentry
 Windows Services Host


 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 d3dupdate.exe
 au.exe
 OLE
 Windows Services Host


 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 system.

The worm has the same list of file extensions that it uses to look for e-mail addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses: 

 .eml
 .txt
 .php
 .pl
 .htm
 .html
 .vbs
 .rtf
 .uin
 .asp
 .wab
 .doc
 .adb
 .tbb
 .dbx
 .sht
 .oft
 .msg
 .shtm
 .cgi
 .dhtm

Like its previous variants, this worm variant avoids sending e-mails to addresses that contain the following strings: 

 icrosoft
 antivi
 ymantec
 spam
 avp
 f-secur
 itdefender
 orman
 cafee
 aspersky
 f-pro
 orton
 fbi
 abuse
 messagelabs
 skynet

The subjects of infected messages sent by the worm can be one of the following: 

 Re: Document
 Re: Re: Document
 Re: Re: Thanks!
 Re: Thanks!
 Re: Your document
 Re: Here is the document
 Re: Your picture
 Re: Re: Message
 Re: Hi
 Re: Hello
 Re: Re: Re: Your document
 Re: Here
 Re: Your music
 Re: Your software
 Re: Approved
 Re: Details
 Re: Excel file
 Re: Word file
 Re: My details
 Re: Your details
 Re: Your bill
 Re: Your text
 Re: Your archive
 Re: Your letter
 Re: Your product
 Re: Your website

The infected message body text can be the following: 

 Your document is attached.
 Here is the file.
 See the attached file for details.
 Please have a look at the attached file.
 Please read the attached file.
 Your file is attached.

The infected attachment names are randomly selected from the following list: 

 your_document.pif
 your_document.pif
 document.pif
 message_part2.pif
 your_document.pif
 document_full.pif
 your_picture.pif
 message_details.pif
 your_file.pif
 your_picture.pif
 document_4351.pif
 yours.pif
 mp3music.pif
 application.pif
 all_document.pif
 my_details.pif
 document_excel.pif
 document_word.pif
 my_details.pif
 your_details.pif
 your_bill.pif
 your_text.pif
 your_archive.pif
 your_letter.pif
 your_product.pif
 your_website.pif

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.

Back to the Top


Detection

Detection for Netsky.D (Moodown.D) worm is available in the following FSAV updates:

[FSAV_Database_Version]

Version=2004-03-01_03

Back to the Top


Technical Details: Alexey Podrezov and Katrin Tocheva, March 1st, 2004;

F-Secure Corporation