F-Secure
Tools
Worm:W32/Netsky
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Special Removal Tool
F-Secure provides a special disinfection utility to eliminate a Netsky.A worm infection. You can download this utility from:
System administrators using F-Secure Policy Manager can distribute the tool as a JAR package to all workstations automatically. System administrators can download the JAR version from:
For more general information on disinfection, please see Removal Instructions.
Special Removal Tool
F-Secure provides a special disinfection utility to eliminate a Netsky.A worm infection. You can download this utility from:
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.exe
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.zip
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators using F-Secure Policy Manager can distribute the tool as a JAR package to all workstations automatically. System administrators can download the JAR version from:
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
Additional Details
Worm:W32/Netsky refers to a large family of worms which spread in infectious files attached to fake e-mail messages.
Netsky was originally named Moodoom, or I-Worm.Moodoom.
The details below describe the Netsky.A variant; this variant was first found on 16th of February 2004.
Netsky.A was initially sent out in numerous seed e-mails. The worm spreads itself inside a ZIP archive file attached to e-mail messages or as an executable attachment.
Netsky.A also copies itself to the shared folders of all available drives, allowing it to spread in peer-to-peer (P2P) and local networks.
Installation
When the worm's file is run, it first shows a fake error message box:
Error
The file could not be opened!
Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:
where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values:
Propagation (Local)
If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:
Propagation (E-mail)
When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside:
The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names. The infected e-mails sent by the worm look like :
The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm:
The worm sends the prepared infectious e-mails to e-mail addresses sourced from the computer. To find these targets, the worm scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:
A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.
Netsky was originally named Moodoom, or I-Worm.Moodoom.
The details below describe the Netsky.A variant; this variant was first found on 16th of February 2004.
Netsky.A was initially sent out in numerous seed e-mails. The worm spreads itself inside a ZIP archive file attached to e-mail messages or as an executable attachment.
Netsky.A also copies itself to the shared folders of all available drives, allowing it to spread in peer-to-peer (P2P) and local networks.
Installation
When the worm's file is run, it first shows a fake error message box:
Error
The file could not be opened!
Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"service" = "%windir%\services.exe -serv"
where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"
"Explorer"
"system."
"KasperskyAv" - [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"
"Explorer" - [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"system." - [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Propagation (Local)
If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:
- winxp_crack.exe
- dolly_buster.jpg.pif
- strippoker.exe
- photoshop 9 crack.exe
- matrix.scr
- porno.scr
- angels.pif
- hardcore porn.jpg.exe
- office_crack.exe
- serial.txt.exe
- cool screensaver.scr
- eminem - lick my pussy.mp3.pif
- nero.7.exe
- virii.scr
- e-book.archive.doc.exe
- max payne 2.crack.exe
- how to hack.doc.exe
- programming basics.doc.exe
- e.book.doc.exe
- win longhorn.doc.exe
- dictionary.doc.exe
- rfc compilation.doc.exe
- sex sex sex sex.doc.exe
- doom2.doc.pif
Propagation (E-mail)
When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside:
- prod_info_04155.bat
- prod_info_54234.scr
- prod_info_42313.pif
- prod_info_33462.cmd
- prod_info_49541.exe
- prod_info_04650.bat
- prod_info_54739.scr
- prod_info_42818.pif
- prod_info_33967.cmd
- prod_info_49146.exe
- prod_info_54235.scr
- prod_info_42314.pif
- prod_info_54433.doc.exe
- prod_info_47532.doc.scr
- prod_info_43631.doc.exe
- prod_info_56780.doc.exe
- prod_info_43859.htm.scr
- prod_info_87968.htm.scr
- prod_info_34157.htm.exe
- prod_info_77256.txt.scr
- prod_info_33325.txt.exe
- prod_info_56474.txt.exe
- prod_info_33543.rtf.scr
- prod_info_65642.rtf.scr
- prod_info_55761.rtf.exe
The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names. The infected e-mails sent by the worm look like :
From:
EBay Auctions
or
Yahoo Auctions
or
Amazon automail
or
MSN Auctions
or
QXL Auctions
or
Ebay Auctions
Subject:
Auction successful!
Body:
#----------------- message was sent by automail agent ------------------#
Congratulations!
You were successful in the auction.
Auction ID
Product ID
A detailed description about the product and the bill are attached to this mail.
Please contact the seller immediately
Thank you!
The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm:
- prod_info_04155.zip
- prod_info_54234.zip
- prod_info_42313.zip
- prod_info_33462.zip
- prod_info_49541.zip
- prod_info_04650.zip
- prod_info_54739.zip
- prod_info_42818.zip
- prod_info_33967.zip
- prod_info_49146.zip
- prod_info_54235.zip
- prod_info_42314.zip
- prod_info_54433.zip
- prod_info_47532.zip
- prod_info_43631.zip
- prod_info_56780.zip
- prod_info_43859.zip
- prod_info_87968.zip
- prod_info_34157.zip
- prod_info_77256.zip
- prod_info_33325.zip
- prod_info_56474.zip
- prod_info_33543.zip
- prod_info_65642.zip
- prod_info_55761.zip
The worm sends the prepared infectious e-mails to e-mail addresses sourced from the computer. To find these targets, the worm scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:
- .msg
- .oft
- .sht
- .dbx
- .tbb
- .adb
- .doc
- .wab
- .asp
- .uin
- .rtf
- .vbs
- .html
- .htm
- .pl
- .php
- .txt
- .eml
A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.