Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


NetSky.U


Aliases:


NetSky.U
W32/NetSky.U@mm, I-Worm.Netsky.v

Malware
Email-Worm
W32

Summary

NetSky.U worm was discovered on April 8th, 2004.This variant is extremely close to the latest NetSky variants. For example, sharing up to approximately 94% of the code and features in common with NetSky.S.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

The worm's file is a PE executable 18432 bytes long packed with PE-Patch and UPX file compressors.

Some of the worm's text strings are scrambled.


Installation to system

Upon execution NetSky.U copies itself as SymAV.exe file to Windows folder and adds a startup key for this file into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "SymAV" = "%WinDir%\SymAV.exe"

where %WinDir% represents Windows folder name.


Spreading in e-mail

Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:

.eml
 .txt
 .php
 .cfg
 .mbx
 .mdx
 .asp
 .wab
 .doc
 .vbs
 .rtf
 .uin
 .shtm
 .cgi
 .dhtm
 .adb
 .tbb
 .dbx
 .pl
 .htm
 .html
 .sht
 .oft
 .msg
 .ods
 .stm
 .xls
 .jsp
 .wsh
 .xml
 .mht
 .mmf
 .nch
 .ppt

The worm composes two different types of messages. All of them have the following subjects in common:

Re: Hi
 Re: Hello
 Hi
 Hello
 Hey
 It's me
 Again
 Reply

The first type of messages is composed from bodies and attchment names from the following lists:

Bodies:

Abou you?
 Sexy pic abou you?
 Do you have a digicam to make your private photos?
 More naked...your body is sexy!
 Naked, you?
 Are you naked?
 More private photos of you? no!
 Private photos...mmmhh. I like it. Post me more please!
 Hey, naked one!
 Hey, have you ever seen your photo?
 Eat my shit! Your photo is bad.
 Do not distribute your naked photos!
 Uhaaa! naked... are you cranky?
 Your are naked? Tell me more...please!
 Hey, private or private..naked?
 Pah!...take your private photo, naked and so, and go away.'
 I have sent your private photo to the police.
 What is when I show your private illegal photo the police?'
 You? Very funny! More available?
 I don't want to see your photo!
 Shit... your photo! naked?

Attachments:

photo03.pif
 your_photo.pif
 private_pic.pif
 private_photo.pif
 about_you.pif
 your_bad_photo.pif
 xxx_yours_naked.pif
 your_private_document.pif
 private.pif
 yourpic.pif
 yournakedpic.pif
 pic04.pif
 yours.pif
 yourimage.pif
 yourphoto.pif
 yoursnaked.pif
 yours_naked.pif
 img05.pif
 not_permitted.pif
 yours_naked_img.pif
 yours_funny.pif

The second type of messages has the following bodies and attachment names:

Bodies:

Not with me!
 Here is a sample of your private documents I have stolen!
 Your privacy! lol, youre not protected!
 Needed? No, here I give it back!
 I believe from the document you are a child!
 Check your document, errors are there!
 Please, please, Give me another sexy document about you!
 Short and good, your document!
 Jooooooooo.... document? Yours????? Wehaaa!
 I do not accept documents from bad guys!
 I do not want your document!
 Go to hell an burn with your bad document!
 I will send your list to the police!!!!
 Hello, here.
 It's the truth, your document not!!!
 Could I have more texts about you?
 Thus is enough. Stop sending your shitty documents!!!
 One, two three, more, I have many questions to you document!
 Nice, nice, more and more? do you?
 Should I believe it? No, however, your story is bad.
 Oh.....puh, your story is very strong!
 Yours is very nice!
 Do you have more of that?
 Hey ya, nice document. Do you have more?

Attachments:

document.pif
 private.pif
 yourdoc.pif
 yourdocument.pif
 mydocument.pif
 onedocument.pif
 your_doc04.pif
 founddocument.pif
 document3.pif
 anotherdocument.pif
 document_part.pif
 alldoc.pif
 details.pif
 shortdoc.pif
 doc04.pif
 illegaldocument.pif
 abusedocument.pif
 posteddocument.pif
 trieddocument.pif
 yetanotherdocumen.pif
 doc.pif
 sexydocument.pif
 letter.pif
 story.pif
 mail.pif
 abuses.pif
 morestory.pif
 doc_ed.pif
 approvdoc.pif
 detailed.pif
 listed.pif

The third type of messages has the following bodies and attachment names:

Bodies:

Oh, I got it!
 To less characters! Take it easy...
 I noticed your password for administrative purpuses.
 Yet another password! Need a better one?
 Oh... your password!
 Need a better password? my advice....
 Your pwd is critical, too short, to low!
 Do not use personal information for your password!
 Your password on a website?
 Passwordlist? yours?
 I needed only 2 hours to get your password.
 Change your password! I have stolen some text, excuse me!
 Dictionary attacks are good. Your password not!
 I used the brute-force method to get your password..
 Take it easy... Your password is too short.
 I've got your password! take it easy...
 Hey, easy passwords!
 Oh! Excuse me, your password is too easy!!!

Attachments:

correct_pass.pif
 pass01.pif
 pwds04.pif
 password02.pif
 pwd.pif
 yourspwd.pif
 your_pwd.pif
 your_password.pif
 pwd_list.pif
 passwords.pif
 password.pif
 yourpassword.pif
 easypassword.pif
 cracked_password.pif
 morepasswords.pif

The worm does not spread itself from 13th to 17th of April 2004.


Backdoor

The worm has a backdoor that listens on TCP port 6789. It allows to download and execute files on an infected computer.


Payload

Netsky.U has a payload. It performs a DoS (Denial of Service) attack on the following websites from 14th to 23rd of April 2004:

www.cracks.am
 www.emule.de
 www.kazaa.com
 www.freemule.net
 www.keygen.us







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.