Email-Worm:W32/NetSky.P

Classification

Category:

Malware

Platform:

W32

Type:

Email-worm

Aliases:

Email-Worm:W32/NetSky.P
Win32.netsky.p@mm

Summary

Email-Worm:W32/Netsky.P mass-mails itself to new victims using both email and by copying itself across local networks (LAN) and Peer-to-Peer (P2P) networks, as well as FTP and HTTP folders.

Removal

Technical Details

The worm's file is spread as a dropper that is a Windows PE executable 29568 bytes long, packed with FSG file. When the dropper is run, it extracts the main worm's file that is 26624 bytes long and is packed with a modified UPX file compressor. That file is a DLL, so Netsky authors started to use a new approach to installing the worm to a system.

Netsky.P continues the ongoing feud with the Bagle worm's author.

Netsky.P was discovered on March 21st, 2004

Installation

Upon execution Netsky.P copies itself as FVPROTECT.EXE file to Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Norton Antivirus AV" = "%WinDir%\fvprotect.exe"

where %WinDir% represents Windows folder name. Additionally the worm drops the following files into Windows folder:

zipped.tmp
base64.tmp
zip1.tmp
zip2.tmp
zip3.tmp

These files contain UUEncoded worm's executable file and ZIP archives (3 different variants). These 3 archives contain worm's executables with the following names:

document.txt [lots spaces].exe
data.rtf [lots spaces].scr
details.txt [lots spaces].pif

Activity

NetSky.P worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 9 keys (listed below) belong to earlier Bagle variants.

This worm variant contains another insulting message for the author of Bagle worm.

Registry Changes

NetSky.P deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] system. Video
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] system. msgsvr32 winupd.exe direct.exe jijbl Video service DELETE ME Taskmon Explorer
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] OLE Sentry Taskmon Windows Services Host Explorer gouday.exe au.exe direct.exe d3dupdate.exe rate.exe sysmon.exe srate.exe ssate.exe winupd.exe

Propagation (email)

Before spreading in email the worm collects email addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for email addresses there:

.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml

The worm avoids sending emails to addresses that contain the following substrings:

@microsof
@antivi
@symantec
@spam
@avp
@f-secur
@bitdefender
@norman
@mcafee
@kaspersky
@f-pro
@norton
@fbi
abuse@
@messagel
@skynet
@pandasof
@freeav
@sophos
ntivir
@viruslis
noreply@
spam@
reports@

The worm composes over 30 different types of emails. Subjects, body texts and attachment names are randomly selected from the variants that are hardcoded in the worm's body. These are the variants of the messages that the worm can send out:

Subject:

Re: Hi
Re: Hello

Body:

Please confirm!
Please answer quickly!

Attachment:

detail3.
document_all02c.
summary2004.

----------------- or -----------------

Subject:

Re: Request

Body: Thank you for your request, your details are attached!Thanks! Attachment:

details05.
data02.
all_in_all.

----------------- or -----------------

Subject:

Shocking document
You cannot do that!

Body: I am shocked about your document!Let'us be short: you have no experience in writing letters!!! Attachment:

document05.
your_document.
document_with_notice.

----------------- or -----------------

Subject:

hi
hello

Body: Try this, or nothing!Here is it! Attachment:

document05.
game_xxo.
websites03.

----------------- or -----------------

Subject:

Fwd: Warning again
Notice again

Body: Do not visit this illegal websites!You have downloaded these illegal cracks?.

Attachment:

abuselist.
abuses.
websites01.

----------------- or -----------------

Subject:

Re: List
Re: Question

Body: Here is my icq list.Here is my phone number.

Attachment:

my_list01.
my_numbers.
archive.

----------------- or -----------------

Subject:

Spamed?
Spam

Body: I have visited this website and I found you in the spammer list. Is that true?Are you a spammer? (I found your email on a spammer website!?!) Attachment:

websitelist01.
list_ed.
abuse_list.

----------------- or -----------------

Subject:

0i09u5rug08r89589gjrg

Body: po44u90ugjid-k9z5894z09u049u89gh89fsdpokofkdpbm3-4i Attachment:

id04009.
id43342.
id09509.

----------------- or -----------------

Subject:[random]

Body:[random]

Attachment:

important.
details.
message.

----------------- or -----------------

Subject:

Re: A!p$ghsa
Important m$6h?3p

Body: Please r564g!he4a56a3haafdogu#mfn3oSMTP Error #201 See the ghg5%&6gfz65!4Hf55d!46gfgfServer Error #203 Attachment:

important.
details03.
document07.

----------------- or -----------------

Subject:

Do you?
Does it matter?

Body: Your photo, uahhh.... , you are naked!You have written a very good text, excellent, good work! Attachment:

text01.
details.
d4334938.

----------------- or -----------------

Subject:

News
Information

Body: Your archive is attached.Monthly news report.

Attachment:

news01.
info02.
report01.

----------------- or -----------------

Subject:

I love you!
I cannot forget you!

Body: lovely, :-)your big love, ;-) Attachment:

letter43.
story.
photo.

----------------- or -----------------

Subject:

Re: Proof of concept
Re: Developement

Body: I hope you accept the result!The sample is attached! Attachment:

document09.
part_01.
doc_word3.

----------------- or -----------------

Subject:

Re: Message
Re: Error in document

Body: Your important document, correction is finished!Important message, do not show this anyone! Attachment:

attach.
document.
message.

----------------- or -----------------

Subject:
Re: Free porn
Re: Sex pictures

Body: Here is the website. ;-)My favourite page.

Attachment:

www.freeporn4all.
www.myx4free.

----------------- or -----------------

Subject:

Re: Submit a Virus Sample
Re: Virus Sample

Body: The sample file you sent contains a new virus version of mydoom.j.Please clean your system with the attached signature.Sincerly,Robert Ferrew The sample file you sent contains a new virus version of buppa.k.Please update your virus scanner with the attached dat file.Best Regards,Keria Reynolds Attachment:

signature.
datfiles.

----------------- or -----------------

Subject:

Re: Old times
Re: Old photos

Body:

Greetings from france, your friend.

Have a look at these.

Attachment:

old_photos.
letter.

----------------- or -----------------

Subject:

Postcard
Your day

Body:

Best wishes, your friend. Congratulations!, your best friend.

Attachment:

postcard.
letter.

----------------- or -----------------

Subject:

Re: Sample
Re: Question

Body:

I have corrected your document.
I have attached the sample.

Attachment:

sample01.
doc01.
word_doc.
document04.

----------------- or -----------------

Subject:

Thank you!
Congratulations!

Body:

Your bill is attached to this mail. You were registered to the pay system. For more details see the attachment.

Attachment:

bill.
list.
confirm.
details.

----------------- or -----------------

Subject:

Illegal Website
Internet Provider Abuse

Body:

I noticed that you have visited illegal websites. See the name in the list!
You have visited illegal websites. I have a big list of the websites you surfed.

Attachment:

list.
abuselist.
judge.
readme.
details.

----------------- or -----------------

Subject:

Mail Account
Administrator

Body:

Your mail account is expired. See the details to reactivate it.
Your mail account has been closed. For further details see the document.

Attachment:

account.
readme.
details.

----------------- or -----------------

Subject:

Re: Hi
Re: Its me

Body:

The file is protected with the password ghj001.
I have attached your file. Your password is jkl44563.

Attachment:

document.
document43.
priv.
letter32.
data20.
mails9.
your_doc.
my_details.

----------------- or -----------------

Subject:

Private document
Stolen document

Body:

I found this document about you.
I cannot believe that.

Attachment:

document342.
your_document.
about_you.

----------------- or -----------------

Subject:

Hello
Hi

Body:

Try this game ;-)
I hope the patch works.

Attachment:

game.
patch3425.
application.
software.

----------------- or -----------------

Subject:

Mail Delivery (failure)
Error

Body:

Binary message is available.
Message has been sent as a binary attachment.

Attachment:

message.
msg.
data.
letter.
email.

----------------- or -----------------

Subject:

Re: Is that your document?
Is that your password?

Body:

Can you confirm it?
I have attached it to this mail.

Attachment:

document.
pwd02.
document01.
part6.
private_01.

----------------- or -----------------

Subject:

Re: Approved document
Re: Your document

Body:

Please read the attached file.
Your document is attached.

Attachment:

file.
your_document.
about_you.
document04.
msg.
all_doc01.
document.
approved.
improved.
corrected.

----------------- or -----------------

Subject:

Protected Mail System
Mail Authentication

Body:

Encrypted message is available.
Protected message is attached.

Attachment:

pgp_sess01.
encrypted_msg01.
document.
message.
msg.

----------------- or -----------------

Subject:

Re: Mail Authentification
Re: Delivery Protection
Re: Secure delivery
Re: Protected Mail Delivery
Re: Protected Mail System
Re: Protected Mail Request
Re: Secure SMTP Message
Re: Extended Mail System
Re: Error
Re: Message Error
Re: Administration
Re: Test
Re: Thank you for delivery
Re: Failure
Re: Bad Request
Re: Delivery Server
Re: Mail Server
Re: SMTP Server
Re: Notify
Re: Status
Re: Extended Mail
Re: Encrypted Mail

Body:

Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

Attachment:

message.
msg.
details.
data.
document.
readme.

----------------- or -----------------

Subject:

here
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately

Body:

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

Attachment:

your
my
approved
important

combined with the following:

document.
file.
details.
information.
letter.
product.
website.
application.
screensaver.
bill.
word document.
excel document.
data.
message.
text.
document_all.

The [ext] represents the extension that can be single or double. The first extension can be:

[ext].txt
[ext].doc

The second extension can be:

[ext].pif
[ext].exe
[ext].scr

The infected attachment name can contain random numbers and can be sent in a ZIP archive. The worm can add a fake scan report to the end of an infected message. The following variants of scan report are used:

+++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de

The worm can send messages with an IFrame Exploit that allows the worm's attachment MESSAGE.SCR to be automatically run on certain versions of email clients.

Propagation (LAN, P2P networks, FTP and HTTP folders)

The worm scans all drives from C: to Z: except CD-ROM drives. If it finds folders with any of the following names:

my shared folder
download
ftp
htdocs
http
upload
shar
icq
bear
lime
morpheus
donkey
mule
kazaa
shared files

Then copies itself there multiple times with the following names:

Kazaa Lite 4.0 new.exe
Britney Spears Sexy archive.doc.exe
Kazaa new.exe
Britney Spears porn.jpg.exe
Harry Potter all e.book.doc.exe
Britney sex xxx.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney Spears blowjob.jpg.exe
Harry Potter e book.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter.doc.exe
Britney Spears fuck.jpg.exe
Harry Potter game.exe
Britney Spears.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears and Eminem porn.jpg.exe
Matrix.mpg.exe
Britney Spears Song text archive.doc.exe
Britney Spears full album.mp3.exe
Eminem.mp3.exe
Britney Spears.mp3.exe
Eminem Song text archive.doc.exe
Eminem Sexy archive.doc.exe
Eminem full album.mp3.exe
Eminem Spears porn.jpg.exe
Ringtones.mp3.exe
Eminem sex xxx.jpg.exe
Ringtones.doc.exe
Eminem blowjob.jpg.exe
Altkins Diet.doc.exe
Eminem Poster.jpg.exe
American Idol.doc.exe
Cloning.doc.exe
Saddam Hussein.jpg.exe
Arnold Schwarzenegger.jpg.exe
Windows 2003 crack.exe
Windows XP crack.exe
Adobe Photoshop 10 crack.exe
Microsoft WinXP Crack full.exe
Teen Porn 15.jpg.pif
Adobe Premiere 10.exe
Adobe Photoshop 10 full.exe
Best Matrix Screensaver new.scr
Porno Screensaver britney.scr
Dark Angels new.pif
XXX hardcore pics.jpg.exe
Microsoft Office 2003 Crack best.exe
Serials edition.txt.exe
Screensaver2.scr
Full album all.mp3.pif
Ahead Nero 8.exe
netsky source code.scr
E-Book Archive2.rtf.exe
Doom 3 release 2.exe
How to hack new.doc.exe
Learn Programming 2004.doc.exe
WinXP eBook newest.doc.exe
Win Longhorn re.exe
Dictionary English 2004 - France.doc.exe
RFC compilation.doc.exe
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
Keygen 4 all new.exe
Windows 2000 Sourcecode.doc.exe
Norton Antivirus 2005 beta.exe
Gimp 1.8 Full with Key.exe
Partitionsmagic 10 beta.exe
Star Office 9.exe
Magix Video Deluxe 5 beta.exe
Clone DVD 6.exe
MS Service Pack 6.exe
ACDSee 10.exe
Visual Studio Net Crack all.exe
Cracks & Warez Archiv.exe
WinAmp 13 full.exe
DivX 8.0 final.exe
Opera 11.exe
Internet Explorer 9 setup.exe
Smashing the stack full.rtf.exe
Ulead Keygen 2004.exe
Lightwave 9 Update.exe
The Sims 4 beta.exe

This feature allows the worm to spread to local network, to shared folders of P2P (peer-to-peer) clients and to ftp and http server folders (if such servers are present on an infected computer or on computers that have open shares with an infected one). Additionally it allows the worm to copy itself multiple times on a local hard disk.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.

Email-Worm:W32/NetSky.P

Summary

Removal

Automatic action

Suspect a file is incorrectly detected (a False Positive)?

Technical Details

Installation

Activity

Registry Changes

Propagation (email)

Propagation (LAN, P2P networks, FTP and HTTP folders)

Protect your devices from malware with F‑Secure Total

More Support

Community

User guides

Contact Support

Submit a Sample