F-Secure Virus Descriptions: NetSky.E

NAME: NetSky.E
ALIAS: W32/NetSky.E@mm, Somefool, I-Worm.NetSky.e
SIZE: 24840

Summary

The NetSky.E worm (also known as Moodown.E) was found on the 1st of March 2004, just a few hours after the NetSky.D variant. The .E variant is very close to the .C variant of the worm. NetSky.E spreads itself in e-mails inside a ZIP archive or as an executable attachment.

Disinfection

F-Secure provides a special disinfection utility to eliminate the NetSky.E worm infection. You can download this utility from our FTP site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Detailed Description

Descriptions of previous NetSky variants can be found here:

W32/NetSky.A@mm: http://www.f-secure.com/v-descs/moodown.shtml

W32/NetSky.B@mm: http://www.f-secure.com/v-descs/netsky_b.shtml

W32/NetSky.C@mm: http://www.f-secure.com/v-descs/netsky_c.shtml

W32/NetSky.D@mm: http://www.f-secure.com/v-descs/netsky_d.shtml

The differences between the NetSky.E variant and the .C variant of the worm are as follows:

1. The worm's file is a PE executable 24840 bytes long, packed with the Petite file compressor. The unpacked file is over 40 kilobytes in size.

2. On March 2nd, 2004, the worm beeps constantly through the PC speaker from 6:00 to 8:59. The WAV file linked below contains the sound the worm makes:

http://www.f-secure.com/virus-info/v-pics/netsky_d.wav

3. NetSky.E does not copy its files to shared folders.

4. For the first (decoy) extension of a double-extension attachment name, NetSky.E uses two extensions (.jpg and .gif) that the .C variant does not, giving the following list:

 .txt
 .rtf
 .doc
 .htm
 .jpg
 .gif

5. For the second extension of a double-extension attachment name, or the only extension of a single-extension name, NetSky.E uses two extensions (.bat and .cmd) that the .C variant does not, giving the following list:

 .exe
 .scr
 .com
 .pif
 .bat
 .cmd

6. NetSky.E adds two strings ('messagelabs' and 'skynet') to the list of substrings it checks recipient addresses against; the worm does not send itself to any address containing one of these:

 icrosoft
 antivi
 ymantec
 spam
 avp
 f-secur
 itdefender
 orman
 cafee
 aspersky
 f-pro
 orton
 fbi
 abuse
 messagelabs
 skynet

7. This variant has a longer list of hardcoded e-mail subjects:

 Delivery Failed
 Status
 report
 question
 trust me
 hey
 Re: excuse me
 read it immediatelly
 hi
 Re: does it?
 Yep
 important
 hello
 dear
 Re: unknown
 fake?
 warning
 moin
 what's up?
 info
 Re: information
 Here is it
 stolen
 private?
 good morning
 illegal...
 error
 take it
 re:
 Re: Re: Re: Re:
 you?
 something for you
 exception
 Re: hey
 excuse me
 Re: hi
 Re: does it?
 Re: important
 Re: hello
 believe me
 Question
 denied!
 notification
 Re: <5664ddff?$??§2>
 lol
 last chance!
 I'm back!
 its me
 notice!
 oh
 Announcement
 Re: Thank you
 Re: Details
 Thank you
 Details
 Re: Approved
 Approved
 hi, it's me
 Thank You very very much
 You use illegal...
 Your IP was logged
 Love is
 Re: <censored>
 registered?
 Your request was registered
 read now!
 Attention
 Schedule
 You have 1 day left
 Re: information
 automatic notification
 Expired account
 automatic responder
 Read this message
 please read
 please reply
 Registration confirm
 Confirmation
 Confirmation Required
 Returned Mail

Like the .C variant, NetSky.E spreads itself in e-mails as a ZIP attachment or as an executable attachment, using one of its hardcoded names with a single or double extension. To get infected, a recipient has to run the executable attachment, or unpack the worm from the ZIP archive and run it.
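The two mail-side traits described above (the hardcoded subject list and the single/double-extension attachment names, optionally inside a ZIP) can be turned into gateway triage logic. The following is an added example written for this page, not F-Secure's code or the worm's; the function names are its own, the subject set is a subset of the list above, and the sample messages are constructed:

```python
"""Mail-gateway triage for the NetSky.E traits described above.

Added example, not F-Secure's code or the worm's. It applies two indicators
from the description: the hardcoded subject list and the attachment naming
scheme (an executable extension alone, or a decoy document extension
followed by an executable one, possibly inside a ZIP). All sample messages
are constructed.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# First (decoy) and second/only (executable) extensions from the description.
DECOY_EXTS = {"txt", "rtf", "doc", "htm", "jpg", "gif"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# A subset of the hardcoded subjects listed above (lower-cased); the full
# list can be pasted in unchanged. Generic ones like "hi" are kept on
# purpose to show why a subject match alone is only a weak signal.
NETSKY_SUBJECTS = {
    "delivery failed", "re: excuse me", "read it immediatelly", "hi",
    "re: does it?", "your ip was logged", "you have 1 day left",
    "expired account", "re: re: re: re:", "returned mail",
    "confirmation required",
}


def classify_name(filename: str) -> Optional[str]:
    """Return 'double-extension', 'executable', or None for a file name."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS:
        return "double-extension"
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        return "executable"
    return None


def scan_attachment(name: str, data: bytes) -> List[str]:
    """Findings for one attachment: its own name, plus ZIP member names."""
    findings = []
    kind = classify_name(name)
    if kind:
        findings.append(f"{name}: {kind} attachment")
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append(f"{name}!{member}: {inner} inside ZIP")
        except zipfile.BadZipFile:
            findings.append(f"{name}: named .zip but not a ZIP archive")
    return findings


def triage(subject: str, attachments: List[Tuple[str, bytes]]) -> dict:
    """Combine subject and attachment evidence into a verdict.

    Attachment evidence alone is enough to quarantine; a subject hit alone
    only flags the message for review, because many subjects are generic.
    """
    findings = []
    subject_hit = subject.strip().lower() in NETSKY_SUBJECTS
    if subject_hit:
        findings.append(f"subject matches NetSky.E list: {subject!r}")
    attach_findings = []
    for name, data in attachments:
        attach_findings.extend(scan_attachment(name, data))
    findings.extend(attach_findings)
    if attach_findings:
        verdict = "quarantine"
    elif subject_hit:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


def make_zip(member: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with one member (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed sample messages: (subject, [(attachment name, bytes)]).
SAMPLE_MESSAGES = [
    ("Re: excuse me", [("document.txt.exe", b"MZ")]),
    ("Your IP was logged", [("details.zip", make_zip("details.htm.cmd", b"@echo off"))]),
    ("hi", [("photo.jpg", b"\xff\xd8\xff")]),
    ("Quarterly numbers", [("report.doc", b"\xd0\xcf\x11\xe0")]),
]

if __name__ == "__main__":
    for subject, attachments in SAMPLE_MESSAGES:
        result = triage(subject, attachments)
        print(f"{result['verdict']:10s} {subject!r}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

The verdict logic deliberately ranks the attachment name above the subject: the worm's subjects include words such as "hi" and "hello" that occur in legitimate mail, so matching them alone would cause false positives, whereas a decoy-plus-executable extension pair has no legitimate use at a mail gateway.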

Like the .C variant, NetSky.E installs itself as WINLOGON.EXE in the Windows folder and creates a startup key for this file in the Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents the Windows directory. Note that the legitimate Windows logon process, also named winlogon.exe, resides in the System32 subfolder rather than in the Windows folder itself, so the file's location distinguishes the worm's copy from the system file.
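The Run-key indicator above can be checked on a host without the disinfection tool. The following is an added example written for this page, not F-Secure's utility; its function names are its own, the decision logic is pure Python so it runs on any OS against constructed Run entries, and on Windows it can also read the live HKLM Run key through the standard winreg module:

```python
"""Host-side check for the NetSky.E Run-key persistence shown above.

Added example, not F-Secure's disinfection tool. The decision logic runs
on any OS against (value name, value data) pairs; on Windows,
live_run_entries() reads the real HKLM Run key via winreg. The legitimate
winlogon.exe lives in %windir%\\system32, so a winlogon.exe launched from
%windir% itself is suspicious even if the value name has been changed.
"""
import ntpath
import sys
from typing import List, Tuple

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "icq net"      # value name the worm creates
IOC_FILE = "winlogon.exe"       # file name the worm installs itself as
IOC_SWITCH = "-stealth"         # argument the worm starts itself with


def split_command(data: str) -> Tuple[str, List[str]]:
    """Split a Run value into (executable path, arguments), honouring quotes."""
    d = data.strip()
    if d.startswith('"') and '"' in d[1:]:
        end = d.index('"', 1)
        return d[1:end], d[end + 1:].split()
    parts = d.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def check_run_entries(entries, windir: str = r"C:\WINDOWS") -> List[str]:
    """Evaluate (value name, value data) pairs; return findings (empty = clean).

    windir is injected so the check can run offline against exported data;
    on a live system pass os.environ["WINDIR"].
    """
    findings = []
    windir_l = windir.lower().rstrip("\\")
    for name, data in entries:
        exe, args = split_command(data)
        exe_l = exe.lower().replace("%windir%", windir_l)
        if name.lower() == IOC_VALUE_NAME:
            findings.append(f"Run value {name!r} is the NetSky.E value name: {data}")
        if ntpath.basename(exe_l) == IOC_FILE and ntpath.dirname(exe_l) == windir_l:
            findings.append(f"{name!r} starts winlogon.exe from {windir}, not System32: {exe}")
        if any(a.lower() == IOC_SWITCH for a in args):
            findings.append(f"{name!r} uses the worm's {IOC_SWITCH} switch: {data}")
    return findings


def live_run_entries() -> List[Tuple[str, str]]:
    """Read HKLM Run values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard module
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            out.append((name, str(data)))
            index += 1
    return out


# Constructed Run entries: the indicator from the description, a renamed
# copy of the worm's launcher, and a benign quoted command line.
SAMPLE_ENTRIES = [
    ("ICQ Net", r"%windir%\winlogon.exe -stealth"),
    ("Updater", r"C:\WINDOWS\winlogon.exe"),
    ("Sidebar", r'"C:\Program Files\Sidebar\sidebar.exe" /autoRun'),
]

if __name__ == "__main__":
    entries = live_run_entries() or SAMPLE_ENTRIES
    for finding in check_run_entries(entries) or ["no NetSky.E indicators found"]:
        print(finding)
```

The three tests are kept separate on purpose: the value name and the -stealth switch are the literal indicators from the description, while the path test (winlogon.exe in the Windows folder instead of System32) still fires if the value has been renamed.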

For more details, please see the description of NetSky.C worm variant.

Detection

Detection for the NetSky.E (Moodown.E) worm is available in the following FSAV update:

[FSAV_Database_Version]

Version=2004-03-01_05

Technical Details: Alexey Podrezov, March 1st, 2004;

Description Updated: Alexey Podrezov, March 18th, 2004;

F-Secure Corporation