F-Secure provides a special disinfection utility to eliminate the
Netsky.U worm infection. You can download this utility from our
FTP site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager can
distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
The worm's file is a PE executable 18432 bytes long packed with
PE-Patch and UPX file compressors.
Some of the worm's text strings are scrambled.
Installation to system
Upon execution, NetSky.U copies itself to the Windows folder as
SymAV.exe and adds a startup value for this file to the System
Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymAV" = "%WinDir%\SymAV.exe"
where %WinDir% represents Windows folder name.
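The Run-key entry above is the persistence indicator a responder would check first. The following Python script is an added example (not part of F-Secure's description or the f-netsky tool): it parses the text of a `reg export` of the Run key and flags entries whose value name is SymAV or whose image file is SymAV.exe. The .reg text it operates on is constructed here for illustration, not captured from a real host.

```python
import re

# Constructed sample of what "reg export" of the Run key could look like on an
# infected host. The doubled backslashes are the .reg file escaping convention.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SymAV"="%WinDir%\\SymAV.exe"
"""

# Indicators taken from the description: value name "SymAV", image %WinDir%\SymAV.exe
NETSKY_U_VALUE_NAME = "symav"
NETSKY_U_IMAGE = "symav.exe"

# Matches one REG_SZ line of the form "name"="data" (quotes inside are escaped with \)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # Undo the .reg escaping: "\\" in the file is a single backslash
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_netsky_u_persistence(keys):
    """Return [(key, value_name, data)] for Run entries matching the Netsky.U indicator.

    Both the long (HKEY_LOCAL_MACHINE\\...) and short (HKLM\\...) key spellings are
    accepted because only the tail of the key path is compared.
    """
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            image = data.strip('"').split("\\")[-1].lower()
            if name.lower() == NETSKY_U_VALUE_NAME or image == NETSKY_U_IMAGE:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_netsky_u_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"Netsky.U persistence found: [{key}] {name!r} = {data!r}")
```

Comparing the image file name as well as the value name catches the case where the value has been renamed but still points at SymAV.exe; the reverse (value SymAV pointing elsewhere) is also reported so the analyst can look at it.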
Spreading in e-mail
Before spreading in e-mail, the worm collects e-mail addresses. It
scans all files on all drives from C: to Z:, except CD-ROM drives.
If a file with one of the following extensions is found, the worm
opens it and searches it for e-mail addresses:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
The worm composes three different types of messages. All of them use one of the
following subjects:
Re: Hi
Re: Hello
Hi
Hello
Hey
It's me
Again
Reply
The first type of message is composed from bodies and attachment names from the
following lists:
Bodies:
Abou you?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Naked, you?
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my shit! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.'
I have sent your private photo to the police.
What is when I show your private illegal photo the police?'
You? Very funny! More available?
I don't want to see your photo!
Shit... your photo! naked?
Attachments:
photo03.pif
your_photo.pif
private_pic.pif
private_photo.pif
about_you.pif
your_bad_photo.pif
xxx_yours_naked.pif
your_private_document.pif
private.pif
yourpic.pif
yournakedpic.pif
pic04.pif
yours.pif
yourimage.pif
yourphoto.pif
yoursnaked.pif
yours_naked.pif
img05.pif
not_permitted.pif
yours_naked_img.pif
yours_funny.pif
The second type of messages has the following bodies and attachment names:
Bodies:
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your shitty documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Attachments:
document.pif
private.pif
yourdoc.pif
yourdocument.pif
mydocument.pif
onedocument.pif
your_doc04.pif
founddocument.pif
document3.pif
anotherdocument.pif
document_part.pif
alldoc.pif
details.pif
shortdoc.pif
doc04.pif
illegaldocument.pif
abusedocument.pif
posteddocument.pif
trieddocument.pif
yetanotherdocumen.pif
doc.pif
sexydocument.pif
letter.pif
story.pif
mail.pif
abuses.pif
morestory.pif
doc_ed.pif
approvdoc.pif
detailed.pif
listed.pif
The third type of messages has the following bodies and attachment names:
Bodies:
Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Attachments:
correct_pass.pif
pass01.pif
pwds04.pif
password02.pif
pwd.pif
yourspwd.pif
your_pwd.pif
your_password.pif
pwd_list.pif
passwords.pif
password.pif
yourpassword.pif
easypassword.pif
cracked_password.pif
morepasswords.pif
The worm does not spread itself from 13th to 17th of April 2004.
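The subject and attachment-name lists above are what a mail gateway can key on. The following Python script is an added example written for this page (it is not F-Secure's code): it classifies a message from its subject and attachment names using the complete subject list and a representative subset of the attachment names (the full lists are longer; every name on them ends in .pif, which Windows runs as an executable). The sample messages are constructed for illustration.

```python
# Subjects shared by all three Netsky.U message types (complete list from the description)
NETSKY_U_SUBJECTS = {
    "re: hi", "re: hello", "hi", "hello", "hey", "it's me", "again", "reply",
}

# Representative attachment names drawn from the three lists in the description.
# This subset is abbreviated for the example; extend it with the full lists in production.
NETSKY_U_ATTACHMENTS = {
    "photo03.pif", "your_photo.pif", "private_pic.pif", "yours_naked.pif",
    "document.pif", "yourdocument.pif", "details.pif", "letter.pif",
    "pass01.pif", "password.pif", "your_password.pif", "cracked_password.pif",
}


def classify_message(subject, attachment_names):
    """Return (verdict, reasons) where verdict is 'netsky_u', 'suspicious' or 'clean'."""
    reasons = []
    subject_hit = subject.strip().lower() in NETSKY_U_SUBJECTS
    # .pif (Program Information File) attachments are executed by Windows
    pif_names = [a for a in attachment_names if a.lower().endswith(".pif")]
    known = [a for a in pif_names if a.lower() in NETSKY_U_ATTACHMENTS]

    if known:
        reasons.append("known Netsky.U attachment name: " + ", ".join(known))
    if subject_hit and pif_names:
        reasons.append(f"Netsky.U subject {subject!r} combined with a .pif attachment")
    elif pif_names:
        reasons.append(".pif attachment (executable format) without a Netsky.U subject")

    if known or (subject_hit and pif_names):
        return "netsky_u", reasons
    if pif_names:
        return "suspicious", reasons
    return "clean", reasons


# Constructed sample messages (subject, attachment names); not real captured mail
SAMPLE_MESSAGES = [
    ("Re: Hi", ["your_photo.pif"]),          # subject and attachment both on the lists
    ("Hello", ["something_else.pif"]),        # listed subject, unlisted .pif name
    ("Quarterly report", ["report.pif"]),     # unlisted subject, .pif attachment
    ("Quarterly report", ["report.xls"]),     # nothing matching
]


def scan_messages(messages):
    """Return {subject: verdict} for a list of (subject, attachments) pairs."""
    return {subject: classify_message(subject, atts)[0] for subject, atts in messages}


if __name__ == "__main__":
    for subject, attachments in SAMPLE_MESSAGES:
        verdict, reasons = classify_message(subject, attachments)
        print(f"{verdict:10} {subject!r:22} {'; '.join(reasons) or '-'}")
```

A .pif attachment alone is only rated suspicious, so legitimate mail with an unusual subject is not dropped on the strength of the short, generic subject list; the combination of a listed subject with an executable attachment, or a listed attachment name on its own, is what identifies this worm.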
Backdoor
The worm has a backdoor that listens on TCP port 6789. It allows
files to be downloaded to and executed on an infected computer.
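A listener on TCP port 6789 is a host-level indicator that can be checked without the antivirus update. The following Python script is an added example, not part of F-Secure's description: it parses text in the format of Windows `netstat -ano` output, reports TCP listeners on the backdoor port, and resolves the owning PID to an image name using a PID-to-process mapping (as `tasklist` would provide). Both the netstat text and the process mapping are constructed for the example.

```python
# Constructed sample in the layout of "netstat -ano" output on Windows
# (not captured from a real host). The last column is the owning PID.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name mapping, as "tasklist" would report it
SAMPLE_TASKLIST = {884: "svchost.exe", 1532: "SymAV.exe", 1200: "iexplore.exe", 4: "System"}

BACKDOOR_PORT = 6789          # from the description
NETSKY_U_IMAGE = "symav.exe"  # from the description


def parse_netstat(text):
    """Parse netstat -ano style lines into dicts with proto, local_port, state and pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows have no state column
        port = int(local.rsplit(":", 1)[1])
        rows.append({"proto": proto, "local_port": port, "state": state, "pid": pid})
    return rows


def find_backdoor_listener(netstat_text, pid_to_image, port=BACKDOOR_PORT):
    """Return [(pid, image, is_known_worm_image)] for TCP listeners on the backdoor port."""
    hits = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] == "LISTENING" and row["local_port"] == port:
            image = pid_to_image.get(row["pid"], "<unknown>")
            hits.append((row["pid"], image, image.lower() == NETSKY_U_IMAGE))
    return hits


if __name__ == "__main__":
    for pid, image, known in find_backdoor_listener(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        tag = "Netsky.U image" if known else "unexpected listener, investigate"
        print(f"TCP {BACKDOOR_PORT} listening: PID {pid} ({image}) - {tag}")
```

Reporting any listener on the port, not only SymAV.exe, matters because a renamed copy of the worm, or a different program that happens to use 6789, is still worth a look; the third tuple element tells the two cases apart.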
Payload
Netsky.U has a payload: it performs a DoS (Denial of Service)
attack on the following websites from the 14th to the 23rd of April 2004:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
Detection of NetSky.U worm was published on April 8th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-04-08_01
Technical Details:
Alexey Podrezov & Ero Carrera, April 8th, 2004;
Description Updated:
Alexey Podrezov, April 28th, 2004;
F-Secure Corporation