NetSky.G

Threat description

Details

CATEGORYMalware
TYPEEmail-Worm

Summary

Another NetSky worm variant - NetSky.G was found on 4th of March 2004. This variant spreads itself in e-mails as an executable attachment.This worm contains another insulting message for the authors of Bagle and Mydoom worms and a proposal to meet in person in some location in the USA. The location name is encrypted.Like its previous variants NetSky.G tries to uninstall Bagle worm variants from an infected computer.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

Descriptions of all previous NetSky worm variants can be found here:

The worm's file is a PE executable file about 27 kilobytes long, packed with PE-Patch and TELock file compressors. The unpacked file's size is over 31 kilobytes.

On March 10th, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav

NetSky.G worm doesn't copy its files to shared folders.

Installation to system

When run, the worm installs itself to system. It copies its file to Windows folder as AVGUARD.EXE and creates a startup key for this file in System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Special Firewall Service" = "%windir%\avguard.exe -av service"

where %windir% represents Windows directory

The worm creates a mutex named "Netsky AV Guard" to avoid running more than one instance of itself.

Spreading in e-mails

NetSky.G worm has its own SMTP engine that it uses to send emails with infected attachments to all found e-mail addresses. The worm uses different subjects, message body texts and attachment names in its e-mails.

The worm scans all available drives except CD-ROM drives for e-mails. It searches for e-mail addresses in files with the following extensions:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

The subject for infected messages is selected from the following list:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

The message body text for infected messages is selected from the following list:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

The attachment name for infected messages is selected from the following list:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
Deleting Registry keys and disinfecting Bagle worm

The NetSky.G worm variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system. [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
OLE
Windows Services Host
d3dupdate.exe
au.exe
sysmon.exe
rate.exe
gouday.exe
sate.exe
ssate.exe
srate.exe

NetSky.G worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 8 keys listed above belong to earlier Bagle variants.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info