Home > Threat descriptions >

NetSky.D

Classification

Category: Malware

Type: Email-Worm

Aliases: NetSky.D, W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d

Summary


A new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders. Netsky.D spreads itself in emails as an executable attachment only.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Descriptions of previous NetSky variants can be found here:

The differences between Netsky.D variant and the previous variants of the worm are as follows:

  • The worm's file is packed with Petite file compressor and is 17424 bytes long. The unpacked file's size is about 28 kilobytes.
  • The worm doesn't show an error messagebox when run for the first time.
  • On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
d3dupdate.exe
au.exe
OLE
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system.

The worm has the same list of file extensions that it uses to look for email addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

Like its previous variants, this worm variant avoids sending emails to addresses that contain the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet

The subjects of infected messages sent by the worm can be one of the following:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

The infected message body text can be the following:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

The infected attachment names are randomly selected from the following list:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.