Worm:W32/NetSky.X

Classification

Malware

Email-Worm

W32

NetSky.X, W32/NetSky.X@mm, I-Worm.Netsky.y

Summary

The NetSky.X worm was discovered on April 20th, 2004. This variant is very close to the latest NetSky variants: it shares approximately 86% of its code and features with NetSky.U.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Technical Details

Netsky.X sends messages in several different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic ocean. In many cases the messages are composed incorrectly, suggesting that the worm's author did not ask native speakers for translation, or used an on-line translation service like Babel Fish.

Update on April 23rd, 2004

It looks like the Netsky author mistyped the domain suffix for Turkey: he put '.tc' instead of '.tr'. We came to that conclusion after verifying that the text sent to addresses in the .tc domain is in Turkish (a word-by-word dictionary translation).

The worm's file is a PE executable 26112 bytes long packed with PE-Patch and TeLock file compressors.

Some of the worm's text strings are scrambled using the same algorithm as all the other variants.

Installation to system

Upon execution NetSky.X copies itself to the Windows folder as FirewallSvr.exe and adds a startup key for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FirewallSvr" = "%WinDir%\FirewallSvr.exe"

where %WinDir% represents Windows folder name.

Spreading in email

Before spreading in email the worm collects email addresses. It scans all files on all drives from C: to Z:, except CD-ROM drives. If a file with one of the following extensions is found, the worm opens it and searches it for email addresses:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

The worm composes two different types of messages, depending on whether the destination address belongs to one of the following domains:

.tc
.se
.fi
.pl
.no
.pt
.it
.fr
.de
.xx

It composes the message in the language corresponding to the domain, choosing from the following parts.

Subjects chosen from:

Re: belge
Re: dokumenten
Re: dokumentoida
Re: udokumentowac
Re: dokumentet
Re: original
Re: documento
Re: dokument
Re: document

Bodies chosen from:

mutlu etmek okumak Belgiƫli tanimlik belge.
Behaga lasa dokumenten.
Haluta kuulua dokumentoida.
Podobac sie przeczytac ten udokumentowac.
Behage lese dokumentet.
Leia por favor o original.
Legga prego il documento.
Veuillez lire le document.
Bitte lesen Sie das Dokument.
Please read the document.

Attachment filename:

belge.pif
dokumenten.pif
dokumentoida.pif
udokumentowac.pif
dokumentet.pif
original.pif
documento.pif
dokument.pif
document.pif
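The subject, body and attachment lists above are enough to build a simple mail-gateway check. The following is an added example, not F-Secure's code: the string sets are copied from this description, the sample messages are constructed, and it assumes that a matching subject, body text or .pif attachment name is reason enough to flag a message for quarantine.

```python
"""Flag e-mail that matches the NetSky.X message templates (added example)."""
import email
from email import policy
from email.message import EmailMessage

# String sets copied from the description above (assumed complete for this variant).
SUBJECTS = {"Re: belge", "Re: dokumenten", "Re: dokumentoida", "Re: udokumentowac",
            "Re: dokumentet", "Re: original", "Re: documento", "Re: dokument",
            "Re: document"}
BODIES = {"mutlu etmek okumak Belgiƫli tanimlik belge.", "Behaga lasa dokumenten.",
          "Haluta kuulua dokumentoida.", "Podobac sie przeczytac ten udokumentowac.",
          "Behage lese dokumentet.", "Leia por favor o original.",
          "Legga prego il documento.", "Veuillez lire le document.",
          "Bitte lesen Sie das Dokument.", "Please read the document."}
ATTACHMENTS = {"belge.pif", "dokumenten.pif", "dokumentoida.pif", "udokumentowac.pif",
               "dokumentet.pif", "original.pif", "documento.pif", "dokument.pif",
               "document.pif"}


def netsky_x_indicators(raw: bytes) -> list:
    """Return the NetSky.X indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            lname = name.lower()
            if lname in ATTACHMENTS:
                hits.append("attachment-name")
            elif lname.endswith(".pif"):       # .pif is rarely legitimate in mail
                hits.append("pif-attachment")
        elif part.get_content_maintype() == "text":
            if part.get_content().strip() in BODIES:
                hits.append("body")
    return hits


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment is harmless text, not a PE file."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return bytes(m)
```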

Payload

Netsky.X has a payload. It performs a DoS (Denial of Service) attack on the following websites from the 28th to the 30th of April 2004:

www.nibis.de
www.medinfo.ufl.edu
www.educa.ch