Worm:W32/Netsky

Classification

Malware

Worm

W32

Moodown, Netsky.A, W32/Netsky.A@mm, Netsky, I-Worm.Moodown

Summary

Worm:W32/Netsky refers to a large family of worms which spread in infectious files attached to fake email messages. Netsky was originally named Moodoom, or I-Worm.Moodoom.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The details below describe the Netsky.A variant; this variant was first found on 16th of February 2004.

Netsky.A was initially sent out in numerous seed emails. The worm spreads itself inside a ZIP archive file attached to email messages or as an executable attachment.

Netsky.A also copies itself to the shared folders of all available drives, allowing it to spread in peer-to-peer (P2P) and local networks.

Installation

When the worm's file is run, it first shows a fake error message box:

Error

The file could not be opened!

Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "service" = "%windir%\services.exe -serv"

where %windir% represents Windows directory

At the same time the worm also attempts to delete the following key values:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer" "system." "KasperskyAv"
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer"
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "system."
  • [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Propagation (Local)

If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:

  • winxp_crack.exe
  • dolly_buster.jpg.pif
  • strippoker.exe
  • photoshop 9 crack.exe
  • matrix.scr
  • porno.scr
  • angels.pif
  • hardcore porn.jpg.exe
  • office_crack.exe
  • serial.txt.exe
  • cool screensaver.scr
  • eminem - lick my pussy.mp3.pif
  • nero.7.exe
  • virii.scr
  • e-book.archive.doc.exe
  • max payne 2.crack.exe
  • how to hack.doc.exe
  • programming basics.doc.exe
  • e.book.doc.exe
  • win longhorn.doc.exe
  • dictionary.doc.exe
  • rfc compilation.doc.exe
  • sex sex sex sex.doc.exe
  • doom2.doc.pif

Propagation (email)

When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside:

  • prod_info_04155.bat
  • prod_info_54234.scr
  • prod_info_42313.pif
  • prod_info_33462.cmd
  • prod_info_49541.exe
  • prod_info_04650.bat
  • prod_info_54739.scr
  • prod_info_42818.pif
  • prod_info_33967.cmd
  • prod_info_49146.exe
  • prod_info_54235.scr
  • prod_info_42314.pif
  • prod_info_54433.doc.exe
  • prod_info_47532.doc.scr
  • prod_info_43631.doc.exe
  • prod_info_56780.doc.exe
  • prod_info_43859.htm.scr
  • prod_info_87968.htm.scr
  • prod_info_34157.htm.exe
  • prod_info_77256.txt.scr
  • prod_info_33325.txt.exe
  • prod_info_56474.txt.exe
  • prod_info_33543.rtf.scr
  • prod_info_65642.rtf.scr
  • prod_info_55761.rtf.exe

The worm spreads itself in emails as a ZIP attachment or as an attachment with one of the above shown names. The infected emails sent by the worm look like :

From:
EBay Auctions
or
Yahoo Auctions
or
Amazon automail
or
MSN Auctions
or
QXL Auctions
or
Ebay Auctions
Subject:
Auction successful!
Body:
#----------------- message was sent by automail agent ------------------#
Congratulations!
You were successful in the auction.
 Auction ID [random number] Product ID [random number] A detailed description about the product and the bill are attached to this mail.
 Please contact the seller immediately
Thank you!

The worm's file is attached to the infected email inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm:

  • prod_info_04155.zip
  • prod_info_54234.zip
  • prod_info_42313.zip
  • prod_info_33462.zip
  • prod_info_49541.zip
  • prod_info_04650.zip
  • prod_info_54739.zip
  • prod_info_42818.zip
  • prod_info_33967.zip
  • prod_info_49146.zip
  • prod_info_54235.zip
  • prod_info_42314.zip
  • prod_info_54433.zip
  • prod_info_47532.zip
  • prod_info_43631.zip
  • prod_info_56780.zip
  • prod_info_43859.zip
  • prod_info_87968.zip
  • prod_info_34157.zip
  • prod_info_77256.zip
  • prod_info_33325.zip
  • prod_info_56474.zip
  • prod_info_33543.zip
  • prod_info_65642.zip
  • prod_info_55761.zip

The worm sends the prepared infectious emails to email addresses sourced from the computer. To find these targets, the worm scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:

  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml

A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.