Worm:W32/NetSky.D

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

NetSky.D, W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d

Summary

A new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders. Netsky.D spreads itself in emails as an executable attachment only.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Descriptions of previous NetSky variants can be found here:

The differences between Netsky.D variant and the previous variants of the worm are as follows:

  • The worm's file is packed with Petite file compressor and is 17424 bytes long. The unpacked file's size is about 28 kilobytes.
  • The worm doesn't show an error messagebox when run for the first time.
  • On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/v-pics/netsky_d.wav

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
d3dupdate.exe
au.exe
OLE
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system.

The worm has the same list of file extensions that it uses to look for email addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

Like its previous variants, this worm variant avoids sending emails to addresses that contain the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet

The subjects of infected messages sent by the worm can be one of the following:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

The infected message body text can be the following:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

The infected attachment names are randomly selected from the following list:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.