Home > Threat descriptions >

NetSky.H

Classification

Category: Malware

Type: Email-Worm

Aliases: NetSky.H, W32/NetSky.H@mm, I-Worm.NetSky.h, W32.NetSky.H@mm

Summary


Yet another NetSky worm variant - NetSky.H was found on 5th of March 2004. This variant is very close to NetSky.G variant. It spreads itself in emails as an executable attachment.This worm contains another, but this time less insulting message for the authors of Bagle and Mydoom. And like its previous variants NetSky.H tries to uninstall Bagle worm variants from an infected computer.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Descriptions of all previous NetSky worm variants can be found here:

The worm's file is a PE executable file 22528 bytes long, packed with PE-Pack file compressor. The unpacked file's size is over 28 kilobytes.

On March 8th, 2004 the worm constantly beeps with PC speaker from 11:00 to 11:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav

NetSky.H worm doesn't copy its files to shared folders.

Installation to system

When run, the worm installs itself to system. It copies its file to Windows folder as MAJA.EXE and creates a startup key for this file in System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus" = "%windir%\maja.exe -antivirus service"

where %windir% represents Windows directory

The worm creates a mutex named "MI[SkyNet.cz]SystemsMutex" to avoid running more than one instance of itself.

Spreading in emails

NetSky.H worm has its own SMTP engine that it uses to send emails with infected attachments to all found email addresses. The worm uses different subjects, message body texts and attachment names in its emails.

The worm scans all available drives except CD-ROM drives for emails. It searches for email addresses in files with the following extensions:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

The subject for infected messages is selected from the following list:

Re: Samples
Re: Document
Re: Approved
Re: Here the file
Re: Yours
Re: Your file
Re: Your folder
Re: Your encrypted file
Re: Hi
Re: Hello
Re: Appending
Re: Index
Re: Your data
Re: Your application
Re: Part 2
Re: Part 3
Re: Secound Part
Re: Zipped folder
Re: My details
Re: Your details
Re: Your bill
Re: Your PIN
Re: Your TAN
Re: Your loveletter
Re: Your picture
Re: Your briefing

The message body text for infected messages is selected from the following list:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file...
Please read the attached file.
Your file is attached.

The attachment name for infected messages is selected from the following list:

your_smaples.scr
your_document.scr
document.scr
message_part2.scr
your_document.scr
document_full.scr
your_picture.pif
message_details.scr
your_file.scr
your_picture.scr
document_4351.scr
yours.scr
mp3music.scr
application.scr
all_document.scr
my_details.scr
document_excel.scr
document_word.scr
my_details.scr
your_details.scr
your_bill.scr
your_pin_88.scr
your_tan_33.scr
your_letter.scr
your_pic.scr
your_briefing.scr

The worm avoids sending emails to email addresses that contain any of the following substrings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abus
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
Deleting Registry keys and disinfecting Bagle worm

The NetSky.H worm variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system. [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
OLE
Windows Services Host
d3dupdate.exe
au.exe
sysmon.exe
rate.exe
gouday.exe
sate.exe
ssate.exe
srate.exe

NetSky.H worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 8 keys listed above belong to earlier Bagle variants.