F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : NetSky.H

[Summary] | [Disinfection] | [Detailed Description] | [Detection]



NAME:NetSky.H
ALIAS:W32/NetSky.H@mm, I-Worm.NetSky.h, W32.NetSky.H@mm
SIZE:22528

Summary

Yet another NetSky worm variant - NetSky.H was found on 5th of March 2004. This variant is very close to NetSky.G variant. It spreads itself in e-mails as an executable attachment.

This worm contains another, but this time less insulting message for the authors of Bagle and Mydoom. And like its previous variants NetSky.H tries to uninstall Bagle worm variants from an infected computer.

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.H worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Back to the Top


Detailed Description

Descriptions of all previous NetSky worm variants can be found here:

W32/NetSky.A@mm: http://www.f-secure.com/v-descs/moodown.shtml

W32/NetSky.B@mm: http://www.f-secure.com/v-descs/netsky_b.shtml

W32/NetSky.C@mm: http://www.f-secure.com/v-descs/netsky_c.shtml

W32/NetSky.D@mm: http://www.f-secure.com/v-descs/netsky_d.shtml

W32/NetSky.E@mm: http://www.f-secure.com/v-descs/netsky_e.shtml

W32/NetSky.F@mm: http://www.f-secure.com/v-descs/netsky_f.shtml

W32/NetSky.G@mm: http://www.f-secure.com/v-descs/netsky_g.shtml

The worm's file is a PE executable file 22528 bytes long, packed with PE-Pack file compressor. The unpacked file's size is over 28 kilobytes.

On March 8th, 2004 the worm constantly beeps with PC speaker from 11:00 to 11:59. Below is the link to the WAV file with the sound that the worm makes:

http://www.f-secure.com/virus-info/v-pics/netsky_d.wav

NetSky.H worm doesn't copy its files to shared folders.

Installation to system

When run, the worm installs itself to system. It copies its file to Windows folder as MAJA.EXE and creates a startup key for this file in System Registry: 

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Antivirus" = "%windir%\maja.exe -antivirus service"

where %windir% represents Windows directory.

The worm creates a mutex named "MI[SkyNet.cz]SystemsMutex" to avoid running more than one instance of itself.

Spreading in e-mails

NetSky.H worm has its own SMTP engine that it uses to send emails with infected attachments to all found e-mail addresses. The worm uses different subjects, message body texts and attachment names in its e-mails.

The worm scans all available drives except CD-ROM drives for e-mails. It searches for e-mail addresses in files with the following extensions: 

 .eml
 .txt
 .php
 .pl
 .htm
 .html
 .vbs
 .rtf
 .uin
 .asp
 .wab
 .doc
 .adb
 .tbb
 .dbx
 .sht
 .oft
 .msg
 .shtm
 .cgi
 .dhtm

The subject for infected messages is selected from the following list: 

 Re: Samples
 Re: Document
 Re: Approved
 Re: Here the file
 Re: Yours
 Re: Your file
 Re: Your folder
 Re: Your encrypted file
 Re: Hi
 Re: Hello
 Re: Appending
 Re: Index
 Re: Your data
 Re: Your application
 Re: Part 2
 Re: Part 3
 Re: Secound Part
 Re: Zipped folder
 Re: My details
 Re: Your details
 Re: Your bill
 Re: Your PIN
 Re: Your TAN
 Re: Your loveletter
 Re: Your picture
 Re: Your briefing

The message body text for infected messages is selected from the following list: 

 Your document is attached.
 Here is the file.
 See the attached file for details.
 Please have a look at the attached file...
 Please read the attached file.
 Your file is attached.

The attachment name for infected messages is selected from the following list: 

 your_smaples.scr
 your_document.scr
 document.scr
 message_part2.scr
 your_document.scr
 document_full.scr
 your_picture.pif
 message_details.scr
 your_file.scr
 your_picture.scr
 document_4351.scr
 yours.scr
 mp3music.scr
 application.scr
 all_document.scr
 my_details.scr
 document_excel.scr
 document_word.scr
 my_details.scr
 your_details.scr
 your_bill.scr
 your_pin_88.scr
 your_tan_33.scr
 your_letter.scr
 your_pic.scr
 your_briefing.scr

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings: 

 icrosoft
 antivi
 ymantec
 spam
 avp
 f-secur
 itdefender
 orman
 cafee
 aspersky
 f-pro
 orton
 fbi
 abus
 messagelabs
 skynet
 andasoftwa
 freeav
 sophos
 antivir
 iruslis

Deleting Registry keys and disinfecting Bagle worm

The NetSky.H worm variant of the worm deletes the following Registry keys: 

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]


 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]


 [HKLM\System\CurrentControlSet\Services\WksPatch]


 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 system.


 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 Taskmon
 system.
 msgsvr32
 DELETE ME
 service
 Sentry
 Windows Services Host


 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 KasperskyAv
 Explorer
 OLE
 Windows Services Host
 d3dupdate.exe
 au.exe
 sysmon.exe
 rate.exe
 gouday.exe
 sate.exe
 ssate.exe
 srate.exe

NetSky.H worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 8 keys listed above belong to earlier Bagle variants.

Back to the Top


Detection

Detection of NetSky.H worm is available in the following FSAV updates:

[FSAV_Database_Version]

Version=2004-03-05_01

Back to the Top


Technical Details: Alexey Podrezov, March 5th, 2004;

Description Updated: Alexey Podrezov, March 18th, 2004;

F-Secure Corporation