The NetSky.U worm was discovered on April 8th, 2004. This variant is very close to the latest NetSky variants: it shares approximately 94% of its code and features with NetSky.S.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm's file is a PE executable, 18432 bytes long, packed with the PE-Patch and UPX file compressors.
Some of the worm's text strings are scrambled.
Upon execution NetSky.U copies itself as SymAV.exe to the Windows folder and adds a startup key for this file to the System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SymAV" = "%WinDir%\SymAV.exe"
where %WinDir% represents Windows folder name.
Before spreading by email the worm collects email addresses. It scans all files on all drives from C: to Z:, except CD-ROM drives. If a file with one of the following extensions is found, the worm opens it and searches it for email addresses:
.eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb .dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt
The worm composes three different types of messages. All of them take their subjects from the following common list:
Re: Hi Re: Hello Hi Hello Hey It's me Again Reply
The first type of message is composed from bodies and attachment names from the following lists:
Bodies:
Abou you? Sexy pic abou you? Do you have a digicam to make your private photos? More naked...your body is sexy! Naked, you? Are you naked? More private photos of you? no! Private photos...mmmhh. I like it. Post me more please! Hey, naked one! Hey, have you ever seen your photo? Eat my shit! Your photo is bad. Do not distribute your naked photos! Uhaaa! naked... are you cranky? Your are naked? Tell me more...please! Hey, private or private..naked? Pah!...take your private photo, naked and so, and go away.' I have sent your private photo to the police. What is when I show your private illegal photo the police?' You? Very funny! More available? I don't want to see your photo! Shit... your photo! naked?
Attachments:
photo03.pif your_photo.pif private_pic.pif private_photo.pif about_you.pif your_bad_photo.pif xxx_yours_naked.pif your_private_document.pif private.pif yourpic.pif yournakedpic.pif pic04.pif yours.pif yourimage.pif yourphoto.pif yoursnaked.pif yours_naked.pif img05.pif not_permitted.pif yours_naked_img.pif yours_funny.pif
The second type of message has the following bodies and attachment names:
Bodies:
Not with me! Here is a sample of your private documents I have stolen! Your privacy! lol, youre not protected! Needed? No, here I give it back! I believe from the document you are a child! Check your document, errors are there! Please, please, Give me another sexy document about you! Short and good, your document! Jooooooooo.... document? Yours????? Wehaaa! I do not accept documents from bad guys! I do not want your document! Go to hell an burn with your bad document! I will send your list to the police!!!! Hello, here. It's the truth, your document not!!! Could I have more texts about you? Thus is enough. Stop sending your shitty documents!!! One, two three, more, I have many questions to you document! Nice, nice, more and more? do you? Should I believe it? No, however, your story is bad. Oh.....puh, your story is very strong! Yours is very nice! Do you have more of that? Hey ya, nice document. Do you have more?
Attachments:
document.pif private.pif yourdoc.pif yourdocument.pif mydocument.pif onedocument.pif your_doc04.pif founddocument.pif document3.pif anotherdocument.pif document_part.pif alldoc.pif details.pif shortdoc.pif doc04.pif illegaldocument.pif abusedocument.pif posteddocument.pif trieddocument.pif yetanotherdocumen.pif doc.pif sexydocument.pif letter.pif story.pif mail.pif abuses.pif morestory.pif doc_ed.pif approvdoc.pif detailed.pif listed.pif
The third type of message has the following bodies and attachment names:
Bodies:
Oh, I got it! To less characters! Take it easy... I noticed your password for administrative purpuses. Yet another password! Need a better one? Oh... your password! Need a better password? my advice.... Your pwd is critical, too short, to low! Do not use personal information for your password! Your password on a website? Passwordlist? yours? I needed only 2 hours to get your password. Change your password! I have stolen some text, excuse me! Dictionary attacks are good. Your password not! I used the brute-force method to get your password.. Take it easy... Your password is too short. I've got your password! take it easy... Hey, easy passwords! Oh! Excuse me, your password is too easy!!!
Attachments:
correct_pass.pif pass01.pif pwds04.pif password02.pif pwd.pif yourspwd.pif your_pwd.pif your_password.pif pwd_list.pif passwords.pif password.pif yourpassword.pif easypassword.pif cracked_password.pif morepasswords.pif
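The subject and attachment lists above are the observable signature of a NetSky.U mail, and the useful property is that every attachment is a .pif file, which Windows runs as an executable. The following mail-gateway check is an added example written for this page, not F-Secure's detection logic: it parses a raw message with Python's standard email library and flags a NetSky.U lure when an attachment name is on the page's lists, or when a .pif attachment arrives under one of the page's subjects. The subject line on the page is run together, so the split used here is the editor's reading of it; the attachment names are a representative subset of the three lists; and the sample messages are constructed for offline testing, not captured worm mail.

```python
import email
from email import policy

# Indicators taken from the NetSky.U description above. The page runs its subject
# list together on one line; the split below is the editor's reading of it. The
# attachment names are a representative subset of the page's three lists.
NETSKY_U_SUBJECTS = {
    "re: hi", "re: hello", "hi", "hello", "hey", "it's me", "again", "reply",
}
NETSKY_U_ATTACHMENTS = {
    "photo03.pif", "your_photo.pif", "private_pic.pif", "about_you.pif",
    "document.pif", "yourdocument.pif", "details.pif", "letter.pif",
    "password.pif", "your_password.pif", "pwd_list.pif", "cracked_password.pif",
}
# Every NetSky.U attachment on the page is a .pif (Program Information File),
# which Windows launches as an executable.
LURE_EXTENSION = ".pif"


def attachment_names(msg):
    """Return the lower-cased file names of all attachments of a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw_message):
    """Classify one raw RFC 822 message against the NetSky.U lure indicators.

    Returns (verdict, reasons); verdict is "netsky_u", "suspicious_pif" or "clean".
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    names = attachment_names(msg)
    reasons = []

    subject_hit = subject in NETSKY_U_SUBJECTS
    pif = [n for n in names if n.endswith(LURE_EXTENSION)]
    known = [n for n in names if n in NETSKY_U_ATTACHMENTS]
    if subject_hit:
        reasons.append(f"subject {subject!r} is on the NetSky.U subject list")
    if pif:
        reasons.append("executable .pif attachment: " + ", ".join(pif))
    if known:
        reasons.append("attachment name on the NetSky.U list: " + ", ".join(known))

    # The subjects are too generic to act on alone ("Hi", "Reply"), so a
    # subject hit only counts when it arrives together with a .pif attachment.
    if known or (pif and subject_hit):
        return "netsky_u", reasons
    if pif:
        return "suspicious_pif", reasons
    return "clean", reasons


def build_sample(subject, filename, body="constructed sample body"):
    """Build a constructed multipart message for offline testing; not a real capture."""
    return (
        "From: sender@example.net\n"
        "To: victim@example.org\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\n"
        "Content-Type: text/plain\n\n"
        f"{body}\n"
        "--b1\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        "TVqQAAMAAAAEAAAA//8AAA==\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    for subj, fname in [("Re: Hi", "your_photo.pif"), ("Re: Hi", "minutes.pdf"),
                        ("Invoice", "scan.pif")]:
        verdict, why = classify(build_sample(subj, fname))
        print(f"{subj!r} + {fname}: {verdict} {why}")
```

The "suspicious_pif" verdict exists because a .pif attachment has no legitimate business use in mail regardless of the lure text; most sites block the extension outright, in which case the name and subject matching only serves to attribute the sample to NetSky.U.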
The worm does not spread itself between April 13th and 17th, 2004.
The worm has a backdoor that listens on TCP port 6789. It allows an attacker to download and execute files on the infected computer.
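A listening TCP port 6789 is the one indicator of the backdoor that can be checked from the network. The following sweep is an added example written for this page, not part of the original description or an F-Secure tool: it attempts a plain TCP connect to each host on that port and reports the ones that accept. The loopback listener it starts for the demonstration is a constructed stand-in that serves nothing; it exists only so the sweep can be exercised offline.

```python
import socket

BACKDOOR_PORT = 6789  # NetSky.U backdoor port from the description above


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep_for_backdoor(hosts, port=BACKDOOR_PORT, timeout=1.0):
    """Return the hosts that accept a TCP connection on the backdoor port.

    A successful connect only shows that something is listening; confirm on the
    host by looking for %WinDir%\\SymAV.exe and the "SymAV" Run key before
    treating it as an infection.
    """
    return [h for h in hosts if tcp_port_open(h, port, timeout)]


def start_constructed_listener():
    """Open a throwaway listener on an ephemeral loopback port so the sweep can be
    exercised offline; it stands in for the backdoor and serves nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo_sweep():
    """Sweep loopback while the constructed listener is up, then after closing it.
    Returns (hosts_found_while_open, hosts_found_after_close)."""
    srv, port = start_constructed_listener()
    try:
        found_open = sweep_for_backdoor(["127.0.0.1"], port=port)
    finally:
        srv.close()
    found_closed = sweep_for_backdoor(["127.0.0.1"], port=port)
    return found_open, found_closed


if __name__ == "__main__":
    while_open, after_close = demo_sweep()
    print("while listening:", while_open)
    print("after close:", after_close)
```

On a real network, pass the subnet's hosts to sweep_for_backdoor() with the default port and a short timeout; a hit is a lead for the host-side check (SymAV.exe and the Run key), not a verdict on its own, since nothing about a bare TCP accept ties the listener to NetSky.U.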
NetSky.U has a payload: from April 14th to 23rd, 2004 it performs a DoS (Denial of Service) attack on the following websites:
www.cracks.am www.emule.de www.kazaa.com www.freemule.net www.keygen.us