Threat Description

NetSky.A

Details

Aliases: NetSky.A, I-Worm.Moodown, W32/Netsky.A@mm, Moodown
Category: Malware
Type:
Platform: W32

Summary

Moodown worm was found on 16th of February 2004. Initially it was sent out in numerous seed e-mails. The worm spreads itself in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.



Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

Installation to system

When the worm's file is run, it first shows a fake error messagebox:

  Error   The file could not be opened!

Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry: 

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "service" = "%windir%\services.exe -serv"

where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values: 

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "Taskmon"  "Explorer"  "system."  "KasperskyAv"    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "Taskmon"  "Explorer"    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]  "system."    [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

After that the worm starts looking for e-mail addresses. It scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives: 

  .msg  .oft  .sht  .dbx  .tbb  .adb  .doc  .wab  .asp  .uin  .rtf  .vbs  .html  .htm  .pl  .php  .txt  .eml

If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names: 

  winxp_crack.exe  dolly_buster.jpg.pif  strippoker.exe  photoshop 9 crack.exe  matrix.scr  porno.scr  angels.pif  hardcore porn.jpg.exe  office_crack.exe  serial.txt.exe  cool screensaver.scr  eminem - lick my pussy.mp3.pif  nero.7.exe  virii.scr  e-book.archive.doc.exe  max payne 2.crack.exe  how to hack.doc.exe  programming basics.doc.exe  e.book.doc.exe  win longhorn.doc.exe  dictionary.doc.exe  rfc compilation.doc.exe  sex sex sex sex.doc.exe  doom2.doc.pif
Spreading in e-mails

When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside: 

  prod_info_04155.bat  prod_info_54234.scr  prod_info_42313.pif  prod_info_33462.cmd  prod_info_49541.exe  prod_info_04650.bat  prod_info_54739.scr  prod_info_42818.pif  prod_info_33967.cmd  prod_info_49146.exe  prod_info_54235.scr  prod_info_42314.pif  prod_info_54433.doc.exe  prod_info_47532.doc.scr  prod_info_43631.doc.exe  prod_info_56780.doc.exe  prod_info_43859.htm.scr  prod_info_87968.htm.scr  prod_info_34157.htm.exe  prod_info_77256.txt.scr  prod_info_33325.txt.exe  prod_info_56474.txt.exe  prod_info_33543.rtf.scr  prod_info_65642.rtf.scr  prod_info_55761.rtf.exe

The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the above shown names. The infected e-mails sent by the worm look like that: 

From:   EBay Auctions [responder@ebay.com]

or

  Yahoo Auctions [auctions@yahoo.com]

or

Amazon automail [responder@amazon.com]

or

MSN Auctions [auctions@msn.com]

or

QXL Auctions [responder@qxl.com]

or

Ebay Auctions [responder@ebay.com]   Subject:    Auction successful!   Body:    #----------------- message was sent by automail agent ------------------#    Congratulations!    You were successful in the auction.    Auction ID [random number]  Product ID [random number]    A detailed description about the product and the bill  are attached to this mail.  Please contact the seller immediately    Thank you!

The worm's file is attached to the infected e-mail inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm: 

prod_info_04155.zip  prod_info_54234.zip  prod_info_42313.zip  prod_info_33462.zip  prod_info_49541.zip  prod_info_04650.zip  prod_info_54739.zip  prod_info_42818.zip  prod_info_33967.zip  prod_info_49146.zip  prod_info_54235.zip  prod_info_42314.zip  prod_info_54433.zip  prod_info_47532.zip  prod_info_43631.zip  prod_info_56780.zip  prod_info_43859.zip  prod_info_87968.zip  prod_info_34157.zip  prod_info_77256.zip  prod_info_33325.zip  prod_info_56474.zip  prod_info_33543.zip  prod_info_65642.zip  prod_info_55761.zip

A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More

SWITCH ON FREEDOM