Threat Description

NetSky.H

Details

Aliases: NetSky.H, W32/NetSky.H@mm, I-Worm.NetSky.h, W32.NetSky.H@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary


Yet another NetSky worm variant - NetSky.H was found on 5th of March 2004. This variant is very close to NetSky.G variant. It spreads itself in e-mails as an executable attachment.This worm contains another, but this time less insulting message for the authors of Bagle and Mydoom. And like its previous variants NetSky.H tries to uninstall Bagle worm variants from an infected computer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details


Descriptions of all previous NetSky worm variants can be found here:

The worm's file is a PE executable file 22528 bytes long, packed with PE-Pack file compressor. The unpacked file's size is over 28 kilobytes.

On March 8th, 2004 the worm constantly beeps with PC speaker from 11:00 to 11:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav

NetSky.H worm doesn't copy its files to shared folders.

Installation to system

When run, the worm installs itself to system. It copies its file to Windows folder as MAJA.EXE and creates a startup key for this file in System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "Antivirus" = "%windir%\maja.exe -antivirus service"  

where %windir% represents Windows directory

The worm creates a mutex named "MI[SkyNet.cz]SystemsMutex" to avoid running more than one instance of itself.

Spreading in e-mails

NetSky.H worm has its own SMTP engine that it uses to send emails with infected attachments to all found e-mail addresses. The worm uses different subjects, message body texts and attachment names in its e-mails.

The worm scans all available drives except CD-ROM drives for e-mails. It searches for e-mail addresses in files with the following extensions:

.eml  .txt  .php  .pl  .htm  .html  .vbs  .rtf  .uin  .asp  .wab  .doc  .adb  .tbb  .dbx  .sht  .oft  .msg  .shtm  .cgi  .dhtm  

The subject for infected messages is selected from the following list:

Re: Samples  Re: Document  Re: Approved  Re: Here the file  Re: Yours  Re: Your file  Re: Your folder  Re: Your encrypted file  Re: Hi  Re: Hello  Re: Appending  Re: Index  Re: Your data  Re: Your application  Re: Part 2  Re: Part 3  Re: Secound Part  Re: Zipped folder  Re: My details  Re: Your details  Re: Your bill  Re: Your PIN  Re: Your TAN  Re: Your loveletter  Re: Your picture  Re: Your briefing  

The message body text for infected messages is selected from the following list:

Your document is attached.  Here is the file.  See the attached file for details.  Please have a look at the attached file...  Please read the attached file.  Your file is attached.  

The attachment name for infected messages is selected from the following list:

your_smaples.scr  your_document.scr  document.scr  message_part2.scr  your_document.scr  document_full.scr  your_picture.pif  message_details.scr  your_file.scr  your_picture.scr  document_4351.scr  yours.scr  mp3music.scr  application.scr  all_document.scr  my_details.scr  document_excel.scr  document_word.scr  my_details.scr  your_details.scr  your_bill.scr  your_pin_88.scr  your_tan_33.scr  your_letter.scr  your_pic.scr  your_briefing.scr  

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

icrosoft  antivi  ymantec  spam  avp  f-secur  itdefender  orman  cafee  aspersky  f-pro  orton  fbi  abus  messagelabs  skynet  andasoftwa  freeav  sophos  antivir  iruslis  
Deleting Registry keys and disinfecting Bagle worm

The NetSky.H worm variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]  system. [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  KasperskyAv  Explorer  Taskmon  system.  msgsvr32  DELETE ME  service  Sentry  Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  KasperskyAv  Explorer  OLE  Windows Services Host  d3dupdate.exe  au.exe  sysmon.exe  rate.exe  gouday.exe  sate.exe  ssate.exe  srate.exe  

NetSky.H worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 8 keys listed above belong to earlier Bagle variants.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More