F-Secure provides a special disinfection utility that removes the
Netsky.T worm. It can be downloaded from our FTP site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager can
distribute the tool automatically to all workstations as a JAR
package.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
The worm's file is a PE executable 18432 bytes long, packed with the
PE-Patch and UPX compressors. Some of the worm's text strings are
encrypted.
Installation to system
Upon execution Netsky.T copies itself as EasyAV.exe to the Windows
folder and adds a startup value for this file under the following
System Registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyAV" = "%WinDir%\EasyAV.exe"
where %WinDir% represents Windows folder name.
Additionally, the worm drops the file uinmzertinmds.opm into the
Windows folder. It contains a MIME-encoded copy of the worm's
executable, which is used as the attachment of the e-mails it sends.
The worm always keeps two of its processes running. If one process
is killed, the remaining one restarts it. The worm also protects its
file and its startup value in the Registry from deletion. All this
makes manual disinfection difficult, which is why the disinfection
utility listed above is recommended.
Spreading in e-mail
Before spreading by e-mail, the worm collects e-mail addresses. It
scans every file on all drives from C: to Z:, except CD-ROM drives,
and opens any file with one of the following extensions to search it
for addresses:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
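As an added example, not code from the original description, here is a Python simulation of the address collection step over an in-memory drive map: it walks drive letters C: to Z:, skips CD-ROM drives, opens only files whose extension is on the list above, and pulls addresses out with a regular expression. The drive map is constructed, and the address regex is an assumption, since the page does not state how the worm recognises an address.

```python
import os
import re
import string

# File extensions the description lists as harvested.
HARVEST_EXTENSIONS = frozenset({
    ".eml", ".txt", ".php", ".cfg", ".mbx", ".mdx", ".asp", ".wab", ".doc",
    ".vbs", ".rtf", ".uin", ".shtm", ".cgi", ".dhtm", ".adb", ".tbb", ".dbx",
    ".pl", ".htm", ".html", ".sht", ".oft", ".msg", ".ods", ".stm", ".xls",
    ".jsp", ".wsh", ".xml", ".mht", ".mmf", ".nch", ".ppt",
})

# Assumed address pattern; the page does not document the worm's own rules.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Drive letters the description says are scanned: C: through Z:.
SCANNED_LETTERS = string.ascii_uppercase[2:]


def is_harvest_target(path):
    """True if the file's extension is on the worm's list (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in HARVEST_EXTENSIONS


def harvest_addresses(drives):
    """Simulate the address collection step over an in-memory drive map.

    drives maps a drive letter to (drive_type, files), where files maps a
    path to its raw bytes.  Letters below C: and CD-ROM drives are skipped,
    as the description states, and only files with a listed extension are
    read.  Returns a sorted list of unique lowercase addresses.
    """
    found = set()
    for letter in SCANNED_LETTERS:
        if letter not in drives:
            continue
        drive_type, files = drives[letter]
        if drive_type == "cdrom":
            continue
        for path, data in files.items():
            if not is_harvest_target(path):
                continue
            for match in EMAIL_RE.findall(data):
                found.add(match.decode("ascii", "ignore").lower())
    return sorted(found)


# Constructed sample drive map (not a real filesystem).
SAMPLE_DRIVES = {
    # A: is below C:, so the worm never looks at it.
    "A": ("floppy", {"notes.txt": b"floppy@example.net"}),
    "C": ("fixed", {
        "Mail\\inbox.eml": b"From: Alice <alice@example.org>\r\nTo: bob@example.org",
        "Docs\\readme.txt": b"Contact: ALICE@example.org and carol@example.com",
        # .exe is not on the list, so this address is never seen.
        "Tools\\setup.exe": b"MZ... support@example.com",
        "Web\\index.htm": b"<a href=\"mailto:web@example.org\">mail</a>",
    }),
    # CD-ROM drives are skipped.
    "D": ("cdrom", {"install.txt": b"cdrom@example.net"}),
}

if __name__ == "__main__":
    for addr in harvest_addresses(SAMPLE_DRIVES):
        print(addr)
```

Running the block prints the four addresses reachable under the worm's rules; the floppy, the CD-ROM and the .exe contents are never read.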
The worm spreads itself by e-mail. It sends messages with varying
subject lines, body text and attachment names. The subject is chosen
from the following list:
Hi
Hello
Re: Hi
Re: Hello
Approved
Re: Approved
Thank you!
Re: Thanks you!
Request
Re: Request
Your document
Re: Your document
Your details
Re: Your details
Your information
Re: Your information
My details
Re: My details
Important
Re: Important
The message body is composed from three string arrays (a greeting, a
sentence and a sign-off):
Array1:
Hi!
Hello!
Hello!
Array2:
Please read the <string>.
Please have a look at the <string>.
Here is the <string>.
The <string> is attached.
Please see the <string>.
I have sent the <string>.
The requested <string> is attached!
Here is the document.
See the document for details.
Please have a look at the attached document.
Please read the attached document.
Your file is attached to this mail.
Please, <string>.
Your <string> is attached.
My <string> is attached.
I have found the <string>.
Approved, here is the document.
For more information see the attached document.
For more details see the attached document.
Please read quickly.
Please notice the attached document.
Please notice the attached <string>.
Your <string>.
I have spent much time for your document.
I have spent much time for the <string>.
The <string>.
My <string>.
Note that I have attached your document.
Array3:
Thanks
Thank you
Yours sincerely
Both the attachment name and the <string> placeholder in the message
body are selected from the following variants:
approved file
list
corrected document
archive
abuse list
presentation document
instructions
details
improved document
note
message
contact list
number list
file
secound document
improved file
user list
textfile
new document
text
information
info
word document
excel document
powerpoint document
detailed document
homepage
letter
mail
document
old document
approved document
movie document
picture document
summary
description
requested document
notice
bill
answer
release
final version
diggest
important document
order
photo document
personal message
phone number
e-mail
icq number
report
story
concept
developement
sample
postcard
account
The infected attachment has a .PIF extension and may also contain
random numbers in its name. The worm does not spread from the 13th
to the 17th of April 2004.
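The subject, body and attachment patterns above can be turned into a simple mail-gateway check. The following Python is an added example (not F-Secure's code): it matches a message's subject against the subject list, each body line against the greeting, the Array2 templates (with <string> expanded to the variants above) and the sign-off list, and the attachment name against the assumed shape "<string>, optional digits, .pif". The sample messages are constructed.

```python
import re

# Subject lines from the description (kept verbatim, typo included).
SUBJECTS = frozenset({
    "Hi", "Hello", "Re: Hi", "Re: Hello", "Approved", "Re: Approved",
    "Thank you!", "Re: Thanks you!", "Request", "Re: Request",
    "Your document", "Re: Your document", "Your details", "Re: Your details",
    "Your information", "Re: Your information", "My details", "Re: My details",
    "Important", "Re: Important",
})
# Array1 (greeting) and Array3 (sign-off).
GREETINGS = frozenset({"Hi!", "Hello!"})
SIGNOFFS = frozenset({"Thanks", "Thank you", "Yours sincerely"})
# Array2 templates; <string> is a placeholder filled from STRINGS.
TEMPLATES = [
    "Please read the <string>.", "Please have a look at the <string>.",
    "Here is the <string>.", "The <string> is attached.", "Please see the <string>.",
    "I have sent the <string>.", "The requested <string> is attached!",
    "Here is the document.", "See the document for details.",
    "Please have a look at the attached document.", "Please read the attached document.",
    "Your file is attached to this mail.", "Please, <string>.", "Your <string> is attached.",
    "My <string> is attached.", "I have found the <string>.", "Approved, here is the document.",
    "For more information see the attached document.",
    "For more details see the attached document.", "Please read quickly.",
    "Please notice the attached document.", "Please notice the attached <string>.",
    "Your <string>.", "I have spent much time for your document.",
    "I have spent much time for the <string>.", "The <string>.", "My <string>.",
    "Note that I have attached your document.",
]
# <string> variants / attachment base names (the worm's own typos kept).
STRINGS = [
    "approved file", "list", "corrected document", "archive", "abuse list",
    "presentation document", "instructions", "details", "improved document", "note",
    "message", "contact list", "number list", "file", "secound document", "improved file",
    "user list", "textfile", "new document", "text", "information", "info", "word document",
    "excel document", "powerpoint document", "detailed document", "homepage", "letter",
    "mail", "document", "old document", "approved document", "movie document",
    "picture document", "summary", "description", "requested document", "notice", "bill",
    "answer", "release", "final version", "diggest", "important document", "order",
    "photo document", "personal message", "phone number", "e-mail", "icq number", "report",
    "story", "concept", "developement", "sample", "postcard", "account",
]

_STRING_ALT = "(?:" + "|".join(re.escape(s) for s in STRINGS) + ")"
STRINGS_LOWER = frozenset(s.lower() for s in STRINGS)


def template_to_regex(template):
    """Turn one Array2 template into an anchored regex, with <string>
    replaced by an alternation of every known variant."""
    parts = [re.escape(p) for p in template.split("<string>")]
    return re.compile("^" + _STRING_ALT.join(parts) + "$")


BODY_RES = [template_to_regex(t) for t in TEMPLATES]


def is_worm_attachment_name(name):
    """Assumed name shape: <string>, optional digits, '.pif' (case-insensitive)."""
    m = re.match(r"^(.*?)\s*\d*\.pif$", name, re.IGNORECASE)
    return bool(m) and m.group(1).strip().lower() in STRINGS_LOWER


def classify_message(subject, body, attachment=None):
    """Return (verdict, hits): which Netsky.T traits the message shows.

    verdict is True when a matching .pif attachment arrives together with
    a matching subject or body sentence; greeting and sign-off alone are
    too common to count."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if lines and lines[0] in GREETINGS:
        hits.append("greeting")
    if any(r.match(line) for line in lines for r in BODY_RES):
        hits.append("body")
    if lines and lines[-1] in SIGNOFFS:
        hits.append("closing")
    if attachment and is_worm_attachment_name(attachment):
        hits.append("attachment")
    verdict = "attachment" in hits and ("subject" in hits or "body" in hits)
    return verdict, hits


if __name__ == "__main__":
    # Constructed sample in the worm's format.
    print(classify_message("Re: Your document",
                           "Hello!\nPlease read the corrected document.\nThanks",
                           "corrected document3.pif"))
```

Because every template is anchored at both ends and <string> is expanded to the exact variant list, a body line matches only when it is one of the worm's sentences verbatim; a ".pif" attachment whose base name is not one of the variants (for example "photo.pif") does not count as an attachment hit.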
Backdoor
The worm contains a backdoor that listens on TCP port 6789 and allows
a remote party to download and execute files on the infected computer.
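As an added example (not part of the original description or of F-Secure's disinfection tool), the following Python script checks an already collected set of host artifacts against the indicators given in the "Installation to system" and "Backdoor" sections: the EasyAV startup value in the Run key, the two dropped files in the Windows folder, and a listener on TCP port 6789. The sample `reg query` and `netstat -an` lines are constructed, and the parsing assumes the usual column layout of those tools' output.

```python
import re

# Indicators taken from this description.
RUN_VALUE_NAME = "EasyAV"
DROPPED_FILES = frozenset({"easyav.exe", "uinmzertinmds.opm"})
BACKDOOR_PORT = 6789

# Assumed `reg query` value-line layout: "<name>  REG_SZ  <data>".
_REG_LINE = re.compile(r"^\s*(\S.*?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*\S)\s*$")


def check_run_key(reg_query_lines):
    """Return (name, data) pairs from the Run key that match the worm's
    startup value, either by value name or by an EasyAV.exe target."""
    hits = []
    for line in reg_query_lines:
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.groups()
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith("\\easyav.exe"):
            hits.append((name, data))
    return hits


def check_windir(file_names):
    """Return the dropped-file names present in a Windows folder listing."""
    return sorted(f for f in file_names if f.lower() in DROPPED_FILES)


def check_backdoor_port(netstat_lines):
    """True if a TCP listener on the backdoor port appears in `netstat -an`
    output (assumed layout: proto, local address, foreign address, state)."""
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        port = fields[1].rsplit(":", 1)[-1]
        if fields[-1].upper() == "LISTENING" and port == str(BACKDOOR_PORT):
            return True
    return False


def assess_host(reg_query_lines, windir_listing, netstat_lines):
    """Combine the three checks into a list of indicator classes found."""
    findings = []
    if check_run_key(reg_query_lines):
        findings.append("run_key")
    if check_windir(windir_listing):
        findings.append("dropped_files")
    if check_backdoor_port(netstat_lines):
        findings.append("backdoor_port")
    return findings


# Constructed sample artifacts from an infected host (not real captures).
SAMPLE_REG_QUERY = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"    EasyAV    REG_SZ    C:\WINDOWS\EasyAV.exe",
]
SAMPLE_WINDIR = ["explorer.exe", "EasyAV.exe", "uinmzertinmds.opm", "win.ini"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:6789    0.0.0.0:0    LISTENING",
    "  UDP    0.0.0.0:445     *:*",
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_REG_QUERY, SAMPLE_WINDIR, SAMPLE_NETSTAT))
```

A single hit is enough to justify running the disinfection tool; because the worm restarts its killed process and guards its file and Registry value, the findings should be treated as a reason to disinfect rather than as targets for manual deletion one by one.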
Payload
Netsky.T has a payload: from the 14th to the 23rd of April 2004 it
performs a DoS (Denial of Service) attack on the following websites:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
Additional Info
This variant also contains a message from the worm's author. Bagle
is not mentioned in it, and since Netsky no longer uninstalls Bagle,
we consider the war to be over (at least for now).
Detection of NetSky.T worm was published on April 6th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-04-06_01
Technical Details:
Alexey Podrezov, April 6th, 2004;
Description Updated:
Alexey Podrezov, April 28th, 2004;
F-Secure Corporation