| Field | Value |
|---|---|
| Alias | W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d |
| Size | 17424 bytes |
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Descriptions of previous NetSky variants can be found here:
The differences between the Netsky.D variant and the previous variants of the worm are as follows:
Here's a screenshot of the worm's file contents with a message from its creators:
Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE in the Windows folder and creates a startup value for this file in the Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ICQ Net" = "%windir%\winlogon.exe -stealth"
where %windir% represents the Windows directory.
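An added check for the persistence entry described above (example code, not part of the original description): it parses a constructed .reg export of the Run key and flags any value that launches a file named winlogon.exe, since the genuine winlogon.exe is started by the system from %windir%\system32 and never from a Run key. The names SAMPLE_REG_EXPORT, parse_run_values and netsky_d_findings are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators come from the description above; the registry export below is a
# constructed sample, not data from a real system.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Updater"="C:\\Program Files\\Vendor\\update.exe /quiet"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
CMD_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s+(.*))?$', re.IGNORECASE)

def parse_run_values(reg_text):
    """Return {value_name: command_line} for the value lines of a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg exports double every backslash inside string data
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def netsky_d_findings(values):
    """Flag Run values resembling the worm's persistence entry: the genuine
    winlogon.exe lives in %windir%\\system32 and is never started from a Run
    key; the worm's copy sits in %windir% and is launched with -stealth."""
    findings = []
    for name, cmd in values.items():
        m = CMD_RE.match(cmd)
        if not m:
            continue
        exe, args = PureWindowsPath(m.group(1)), (m.group(2) or "")
        if exe.name.lower() != "winlogon.exe":
            continue
        reasons = ["winlogon.exe launched from a Run key"]
        if name == "ICQ Net":
            reasons.append("value name matches the worm's 'ICQ Net' entry")
        if "-stealth" in args.lower().split():
            reasons.append("-stealth switch present")
        if exe.parent.name.lower() != "system32":
            reasons.append(f"binary is outside system32: {exe.parent}")
        findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    print(netsky_d_findings(parse_run_values(SAMPLE_REG_EXPORT)))
```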
The NetSky.D variant of the worm deletes the following Registry keys and values:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] values: "KasperskyAv", "Explorer", "Taskmon", "system.", "msgsvr32", "DELETE ME", "service", "Sentry", "Windows Services Host"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] values: "KasperskyAv", "Explorer", "d3dupdate.exe", "au.exe", "OLE", "Windows Services Host"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] value: "system."
The worm uses the same list of file extensions as earlier variants when it searches for e-mail addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses:
.eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm
Like its previous variants, this worm variant avoids sending e-mails to addresses that contain the following strings:
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet
The subjects of infected messages sent by the worm can be one of the following:
"Re: Document", "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Your document", "Re: Here is the document", "Re: Your picture", "Re: Re: Message", "Re: Hi", "Re: Hello", "Re: Re: Re: Your document", "Re: Here", "Re: Your music", "Re: Your software", "Re: Approved", "Re: Details", "Re: Excel file", "Re: Word file", "Re: My details", "Re: Your details", "Re: Your bill", "Re: Your text", "Re: Your archive", "Re: Your letter", "Re: Your product", "Re: Your website"
The infected message body text can be the following:
Your document is attached. Here is the file. See the attached file for details. Please have a look at the attached file. Please read the attached file. Your file is attached.
The infected attachment names are randomly selected from the following list:
your_document.pif your_document.pif document.pif message_part2.pif your_document.pif document_full.pif your_picture.pif message_details.pif your_file.pif your_picture.pif document_4351.pif yours.pif mp3music.pif application.pif all_document.pif my_details.pif document_excel.pif document_word.pif my_details.pif your_details.pif your_bill.pif your_text.pif your_archive.pif your_letter.pif your_product.pif your_website.pif
The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.