Threat Description

NetSky.C

Details

Aliases: NetSky.C, I-Worm.Moodown.C, W32/Netsky.C@mm, Moodown.C, Worm.Somefool, I-Worm.NetSky.c
Category: Malware
Type: Email-Worm
Platform: W32

Summary


The Netsky.C worm (also known as Moodown.C) was found on 25th of February 2004. This variant is improved compared to the previous variants of the worm. Netsky.C spreads itself in e-mails, either inside a ZIP archive or as a plain executable attachment. It also copies itself to shared folders on all available drives, which lets it spread over P2P (peer-to-peer) and local networks.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details


Descriptions of previous NetSky variants can be found here:

The differences between Netsky.C variant and the previous variants of the worm are as follows:

  • We received several differently packed variants of the Moodown.C worm. The first two variants are packed with the Petite file compressor, one of them being 1 byte longer than the other. The third variant is packed with the ASPack file compressor and the fourth with the UPX file compressor.
  • The worm doesn't show an error messagebox when run for the first time.
  • On February 26th, 2004 the worm beeps continuously through the PC speaker from 6:00 to 8:59. A WAV recording of the sound the worm makes is available at this link: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav
  • The worm installs itself as WINLOGON.EXE in the Windows folder and creates a startup value for this file in the Registry:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ICQ Net" = "%windir%\winlogon.exe -stealth"
    where %windir% represents the Windows directory.
  • In addition to deleting MyDoom's startup keys in the Registry, the worm deletes the following keys and values:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      msgsvr32
      DELETE ME
      service
      Sentry
      Windows Services Host
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      d3dupdate.exe
      au.exe
      OLE
      Windows Services Host
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
    [HKLM\System\CurrentControlSet\Services\WksPatch]
  • The worm scans files with a longer list of extensions when harvesting e-mail addresses:
    .eml  .txt  .php  .pl  .htm  .html  .vbs  .rtf  .uin  .asp  .wab  .doc  .adb  .tbb  .dbx  .sht  .oft  .msg  .shtm  .cgi  .dhtm  
  • The worm avoids sending e-mails to addresses that contain the following strings:
    icrosoft  antivi  ymantec  spam  avp  f-secur  itdefender  orman  cafee  aspersky  f-pro  orton  fbi  abuse  
  • If the worm finds a folder whose name contains the substring 'shar' on any of the drives from C: to Z: (except CD-ROM drives), it copies itself to that folder under one of the following names:
    Microsoft WinXP Crack.exe  Teen Porn 16.jpg.pif  Adobe Premiere 9.exe  Adobe Photoshop 9 full.exe  Best Matrix Screensaver.scr  Porno Screensaver.scr  Dark Angels.pif  XXX hardcore pic.jpg.exe  Microsoft Office 2003 Crack.exe  Serials.txt.exe  Screensaver.scr  Full album.mp3.pif  Ahead Nero 7.exe  Virii Sourcecode.scr  E-Book Archive.rtf.exe  Doom 3 Beta.exe  How to hack.doc.exe  Learn Programming.doc.exe  WinXP eBook.doc.exe  Win Longhorn Beta.exe  Dictionary English - France.doc.exe  RFC Basics Full Edition.doc.exe  1000 Sex and more.rtf.exe  3D Studio Max 3dsmax.exe  Keygen 4 all appz.exe  Windows Sourcecode.doc.exe  Norton Antivirus 2004.exe  Gimp 1.5 Full with Key.exe  Partitionsmagic 9.0.exe  Star Office 8.exe  Magix Video Deluxe 4.exe  Clone DVD 5.exe  MS Service Pack 5.exe  ACDSee 9.exe  Visual Studio Net Crack.exe  Cracks & Warez Archive.exe  WinAmp 12 full.exe  DivX 7.0 final.exe  Opera.exe  IE58.1 full setup.exe  Smashing the stack.rtf.exe  Ulead Keygen.exe  Lightwave SE Update.exe  The Sims 3 crack.exe  
  • The subjects of infected messages sent by the worm can be:
    Delivery Failed  Status  report  question  trust me  hey  Re: excuse me  read it immediatelly  hi  Re: does it?  Yep  important  hello  ear  Re: unknown  fake?  warning  moin  what's up?  info  Re: information  Here is it  stolen  private?  good morning  illegal...  error  take it  re:  Re: Re: Re: Re:  you?  something for you  exception  Re: hey  excuse me  Re: hi  Re: does it?  Re: important  Re: hello  believe me  Question  denied!  notification  Re: <5664ddff?$??§2>  lol  last chance!  I'm back!  its me  notice!  oh  
  • The infected message body text can be the following:
          what means that?  help attached  <...>  ok...    that is interesting...  i wait for your comment about it.  such as yours?  read the details.  gonna?  here is the document.  *lol*  read it immediately!  i found that about you!  your hero in the picture?  yours?  here is it.  illegal st. of you?  is that true?  account?  is that your name?  picture?  message?  is that your account?  pwd?  I wait for an answer!  abuse?  is that yours?  you are a bad writer  I don't know your document!    I have your password!  you won the rk!  something about you!  classroom test of you?  kill the writer of this document!  old photos about you?  i hope thats not true!  your name is wrong!  does it match?  i found this document about you.  time to fear?  really?  do you know this????  i know your document!  did you sent it to me?  this file is bad!  why should I?  pages?  her.  another pic, have fun! ... :->  test it  child porn?  greetings  xxx ?  stuff about you?  your document is not good  something is going wrong!  your photo is poor  information about you?  the information is wrong!  doc about me?  kill him on the picture!  from the chatter (my photo!)  from your lover ;-)  love letter?  here, the serials  are you a teacherin the picture?  here, the introduction  is that criminal?  here, the cheats  i like your doc!  what do you think about it?  that's a funny text.  that's not the truth?  do you have?  instruct me about this!  i lost that  i am speachless about your document!  is that the reality?  reply  msg  your design is not good!  important?  your TAN number?  take it easy!  why?  you are naked in this document!  thats wrong!  your icq number?  i am desperate  modifications?  your personal record?  yes.  misc. and so on. see you!  your attachment? verify it.  you earn money, see the attachment!  is that your attachment?  is that your website?  you feel the same.  meaning of that?  possible?  you have tried to steal!  did you ask me for that?  
you are bad  your job? (I found that!)  is that possible?  something is going ...  something is not ok  did you know from this document?  wrong calculation! (see the attachment!)  never!  poor quality!  good work!  excellent!  great!  i don't think so.  pretty pic about you?  docs?  schoolfriend?    <09580985869gj>    only encrypted!  personal message!  my advice....  i've found it about you  <<>>      great xxx!  man or women?  child or adult?  here is yours!  a crazy doc about you  xxx about you?  i don't want your xxx pics!      doc?  trial?  what?  ;-)  i need you!  correct it!  see this!  it's a secret!  this is nothing for kids!  it's so similar as yours!  is that your car?  do not give up!  great job!  here is the $%%454$  you are sexy in this doc!  incest?  let it!  you look like an ape!  you look like an rat?  be mad?  are you cranky?  bob the builder  did you know that?  money?  is that your car?  is this information about you?  is that your privacy?  is that your TAN?  is that your message?  is that your cd?  is that your finger?  your are naked?  is that your porn pic?  is that your work?  is that your family?  is that your beast?  is that your account?  is that your slip?  is that your domain?  are you the naked one?  are you the naked person!  are you the one?  does it belong to you?  do you have sex in the picture?  you have a sexy body in the pic!  your lie is going around the world!      lets talk about it!  do you know the thief?  are you a photographer?  you have done a mistake in the document!  its private from me  do not show this anyone!  new patch is available!  this is an attachment message!  in your mind?  Microsoft  fast food...  Your bill.  try this patch!  do you have an orgasm in the picture?      Transaction failed. Show the doc!  I 've found your bill!  see your name!  You are infected. Read the details!  here is my advice.  here is my photo!  here is the   feel free to use it.  does it belong to you?  Login required! 
Read the attachment!  your document is silly!  is the pic a fake?  Antispam is turned off. See file!  Authentification required. Read the attachment  solve the problem!    do not use my document!  do not open the attachment!  do not visit the pages on the list I sent!  explain!  tell me more about your document!  Your provider will be disabled!  Instant patches.  
  • The infected attachment names are randomly selected from the following list:
    document  associal  msg  yours  doc  wife  talk  message  response  creditcard  description  details  attachment  pic  me  trash  card  stuff  poster  posting  portmoney  textfile  moonlight  concert  sexy  information  news  note  number_phone  bill  mydate  swimmingpool  class_photos  product  old_photos  topseller  ps  important  shower  myaunt  aboutyou  yours  nomoney  birth  found  death  story  worker  mails  letter  more  website  regards  regid  friend  unfolds  jokes  doc_ang  your_stuff  location  454543403  final  schock  release  webcam  dinner  intimate stuff  sexual  ranking  object  secrets  mail2  attach2  part2  msg2  disco  freaky  visa  party  material  misc  nothing  transfer  auction  warez  undefinied  violence  update  masturbation  injection  naked1  naked2  tear  music  paypal  id  privacy  word_doc  image  incest  
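
The persistence mechanism listed above (a Run value named "ICQ Net" starting winlogon.exe from the Windows folder with the -stealth switch) is easy to check for from a registry export. The following Python script is an added example, not code from F-Secure or from the original description: it parses the string values of a `reg export` text, walks the Run and RunServices keys named in this description, and flags any value that references winlogon.exe outside System32 or carries the worm's switch or value name. The sample exports and the benign value names in them are constructed for the example; the genuine winlogon.exe lives in System32 and is not started from an autorun key, which is what makes the location check meaningful.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` of the HKLM Run key (not taken from the
# page): one benign entry plus the value Netsky.C creates. .reg files write the
# long hive name and double every backslash inside string data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"""

# Constructed benign export: winlogon.exe referenced from System32 only.
SAMPLE_BENIGN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shell Helper"="C:\\Windows\\System32\\winlogon.exe"
"""

# Autorun locations named in the description (Run and RunServices), matched by
# suffix so that both the HKLM and HKCU forms are covered.
AUTORUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used for REG_SZ values: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            # Undo the .reg escaping of backslashes and quotes in string data.
            data = value_match.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][value_match.group("name")] = data
    return keys


def find_netsky_c_persistence(reg_text: str) -> List[str]:
    """Return 'key\\name = data' strings for autorun values matching the worm's persistence."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            lowered = data.lower()
            if "winlogon.exe" not in lowered:
                continue
            # The genuine winlogon.exe lives in System32 and is never started from an
            # autorun key, so a Run value pointing at %windir%\winlogon.exe, or one
            # carrying the worm's -stealth switch or its "ICQ Net" value name, is suspect.
            outside_system32 = "\\system32\\" not in lowered
            if outside_system32 or "-stealth" in lowered or name == "ICQ Net":
                findings.append(f"{key}\\{name} = {data}")
    return findings


if __name__ == "__main__":
    for finding in find_netsky_c_persistence(SAMPLE_REG_EXPORT):
        print("SUSPECT:", finding)
```

Running the script prints the single suspect value from the constructed export; feeding it a real export produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` works the same way, because the parser only relies on the `[key]` and `"name"="data"` lines.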

The worm can compose the attachment name from several parts listed above.

As in the previous variants, the worm can use one or two extensions for its attachments. For the first extension the worm uses one of the following:

.txt  .rtf  .doc  .htm  

For the second extension the worm uses one of the following:

.exe  .scr  .com  .pif  

The worm spreads itself in e-mails as a ZIP attachment or as an attachment with one of the names shown above.

The worm's file is attached to the infected e-mail either inside a ZIP archive or as a normal binary file. To get infected, a recipient has to unpack the worm's file from the ZIP archive and run it, or run the executable attachment directly.
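
The naming rules above (a name from the list, an optional document-style first extension, and an executable second extension, or the whole thing wrapped in a ZIP) translate directly into a mail-gateway check. The following Python example is added here and is not code from the original page or from F-Secure. It flags a bare executable attachment, a document extension followed by an executable extension, and a ZIP archive whose member names match either pattern; the same double-extension rule also covers the drop names the worm uses in shared folders (for example .jpg.pif or .txt.exe). The function names and the in-memory sample ZIP are my own construction.

```python
import io
import re
import zipfile
from typing import List, Optional

# Extension lists exactly as given in the description above.
FIRST_EXTENSIONS = {".txt", ".rtf", ".doc", ".htm"}
SECOND_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}

# Matches an optional inner extension followed by the final extension, e.g. "x.txt.exe".
TRAILING_EXTENSIONS_RE = re.compile(r"(\.[a-z0-9]+)?(\.[a-z0-9]+)$")


def classify_attachment_name(name: str) -> Optional[str]:
    """Return a reason if the file name matches the worm's naming pattern, otherwise None."""
    match = TRAILING_EXTENSIONS_RE.search(name.lower())
    if not match:
        return None
    inner, final = match.group(1), match.group(2)
    if final not in SECOND_EXTENSIONS:
        return None
    if inner in FIRST_EXTENSIONS:
        return f"document extension {inner} hiding executable {final}"
    if inner is not None and inner not in SECOND_EXTENSIONS:
        # Covers the shared-folder drop names such as *.jpg.pif or *.mp3.pif.
        return f"double extension {inner}{final}"
    return f"bare executable attachment {final}"


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Classify one attachment; ZIP archives are opened in memory and their member names inspected."""
    findings = []
    reason = classify_attachment_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    member_reason = classify_attachment_name(member)
                    if member_reason:
                        findings.append(f"{filename} -> {member}: {member_reason}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself worth a look at the gateway.
            findings.append(f"{filename}: not a valid ZIP archive")
    return findings


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test data: an in-memory ZIP with one harmless text member of the given name."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, b"constructed placeholder content, not a real binary")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments in the worm's naming style (empty payloads).
    samples = [
        ("document.txt.exe", b""),
        ("creditcard.pif", b""),
        ("report.pdf", b""),
        ("message.zip", build_sample_zip("message.htm.pif")),
    ]
    for name, payload in samples:
        print(name, "->", scan_attachment(name, payload) or "clean")
```

Only names are inspected here, which is deliberate: the worm relies on the recipient trusting the visible extension, so the name pattern is the cheapest reliable signal. A production filter would pair this with content-type sniffing of the member bytes, since a renamed executable inside the ZIP is still an executable.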
