Threat Description

NetSky.D

Details

Aliases: NetSky.D, W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d
Category: Malware
Type: Email-Worm
Platform: W32

Summary

A new variant of the Netsky worm, Netsky.D, was found on March 1st, 2004 and is spreading fast in the wild. This variant lacks many of the text strings that were present in NetSky.C, and it does not copy itself to shared folders. Netsky.D spreads only through e-mail, as an executable attachment.

Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

Descriptions of previous NetSky variants can be found here:

The differences between the Netsky.D variant and the previous variants of the worm are as follows:

  • The worm's file is packed with the Petite file compressor and is 17424 bytes long. The unpacked file is about 28 kilobytes.
  • The worm doesn't show an error message box when run for the first time.
  • On March 2nd, 2004 the worm beeps constantly through the PC speaker from 6:00 to 8:59. Below is a link to a WAV file with the sound the worm makes: http://www.f-secure.com/virus-info/v-pics/netsky_d.wav

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, NetSky.D installs itself as the file WINLOGON.EXE in the Windows folder and creates a startup key for this file in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents the Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 Taskmon
 system.
 msgsvr32
 DELETE ME
 service
 Sentry
 Windows Services Host
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 d3dupdate.exe
 au.exe
 OLE
 Windows Services Host
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 system.

The worm uses the same list of file extensions as the previous variants when looking for e-mail addresses. Files with these extensions are searched on all drives from C: to Z:, except CD-ROM drives. Here is the list of file extensions the worm uses:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

Like its previous variants, this worm variant avoids sending e-mails to addresses that contain the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet

The subjects of infected messages sent by the worm can be one of the following:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

The infected message body text can be one of the following:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

The infected attachment names are randomly selected from the following list:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to become infected.
