Virus:Worm/NetSky.P
Date discovered:21/03/2004
Type:Worm
In the wild:Yes
Reported Infections:Medium to high
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:50.688 Bytes
MD5 checksum:04ad0c4ec6b2a96d4ba6fd52fb015d9d
VDF version:6.24.00.65

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Netsky.P@mm
   •  Mcafee: W32/Netsky.p@MM
   •  Kaspersky: Email-Worm.Win32.NetSky.q
   •  TrendMicro: WORM_NETSKY.P
   •  F-Secure: Email-Worm.Win32.NetSky.q
   •  Sophos: W32/Netsky-P
   •  Panda: W32/Netsky.P.worm
   •  Grisoft: I-Worm/Netsky.Q
   •  VirusBuster: I-Worm.Netsky.Q1
   •  Eset: Win32/Netsky.Q worm
   •  Bitdefender: Win32.Netsky.P@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\fvprotect.exe



The following files are created:

– It creates the following archive containing a copy of the malware:
   • %WINDIR%\zipped.tmp

– MIME encoded copies of itself:
   • %WINDIR%\zip1.tmp
   • %WINDIR%\zip2.tmp
   • %WINDIR%\zip3.tmp
   • %WINDIR%\base64.tmp

%WINDIR%\userconfig9x.dll Further investigation pointed out that this file is malware, too.

 Registry – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Norton Antivirus AV"="%WINDIR%\FVProtect.exe"



The values of the following registry key are removed:

–  HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run
   • "norton antivirus av"
   • "explorer"
   • "system."
   • "msgsvr32"
   • "au.exe"
   • "winupd.exe"
   • "direct.exe"
   • "jijbl"
   • "Video"
   • "Service"
   • "DELETE ME"
   • "d3dupdate.exe"
   • "OLE"
   • "sentry"
   • "gouday.exe"
   • "rate.exe"
   • "taskmon"
   • "Windows Services Host"
   • "sysmon.exe"
   • "ssrate.exe"
   • "winupd.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Re:approved; approved bil; Re:Approved document; Re:Bad request;
      Re:Bill; data; Re:Delivery Server; Do you?; Does it matter?;
      Re:Encrypted Mail; Re:Error; Re:Error in document; Re:Failure;
      Re:file; Re:Free porn; Re:hello; Re:here; Re:Hi; Hi; I cannot forget
      you!; important data; Internet Provider Abuse; Is that your password?;
      Re:Its me; Re:List; Re:Message Error; Re:my bill; Re:my data;
      Re:Order; Postcard; Re:Proof of concept; Re:Protected Mail Delivery;
      Protected Mail System; Re:Protected Mail system; Re:Question;
      Re:Request; Re:Sample; Re:Secure SMTP Message; Shocking document;
      Fw:Warning again; Re:Status; Your day; Re:Your document; Re:your
      document_all

In some cases the subject might also be empty.


Body:
The body of the email is one of the following:

   • I noticed that you have visited illegal websites.
     See the name in the list!

   • Important message, do not show this anyone!
     your big love, ;-)

   • Thanks!
     Protected message is attached.

   • Congratulations!,
      your best friend.

   • Best wishes,
      your friend.

   • Your document is attached.

   • See the file.

   • Please see the attached file for details.

   • Your document is attached to this mail.

   • SMTP: Please confirm the attached message.

   • You have written a very good text, excellent, good work!

   • Your photo, uahhh.... , you are naked!

   • You have received an extended message. Please read the instructions.

   • Partial message is available.

   • Waiting for authentification.

   • I hope the patch works.

   • Here is the website. ;-)

   • Your file is attached.

   • Do not visit this illegal websites!

   • Delivered message is attached.

   • I cannot believe that.

   • I am shocked about your document!

   • Please authenticate the secure message

   • I have corrected your document.

   • Here is my icq list.

   • You got a new message.

   • I hope you accept the result!

   • Important message, do not show this anyone!

   • Please read the document.


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • important
   • details
   • information
   • corrected
   • bill
   • after_you
   • message
   • readme.txt
   • data
   • text
   • details
   • document
   • software
   • game
   • archive
   • postcard
   • msg
   • bill
   • text
   • application
   • www.freeporn4all
   • text01
   • letter
   • private
   • excel document

Sometimes continued by one of the following:
   • _

    Sometimes continued by random characters or by one of the following:
   • %several random digits%

    Sometimes continued by one of the following fake extensions:
   • pif
   • zip
   • doc
   • scr
   • txt

    The file extension is one of the following:
   • .exe
   • .zip



Here are a few examples of how the filename of the attachment might look like:
   • application.txt           .exe
   • msg.scr

The attachment is a copy of the malware itself.



The email may look like one of the following:



 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  


   It searches for directories that contain one of the following substrings:
   • share
   • upload
   • download
   • ftp

   If successful, the following files are created:
   • Kazaa Lite 4.0 new.exe; Britney Spears Sexy archive.doc.exe; Kazaa
      new.exe; Britney Spears porn.jpg.exe; Harry Potter all e.book.doc.exe;
      Britney sex xxx.jpg.exe; Harry Potter 1-6 book.txt.exe; Britney Spears
      blowjob.jpg.exe; Harry Potter e book.doc.exe; Britney Spears
      cumshot.jpg.exe; Harry Potter.doc.exe; Harry Potter game.exe; Britney
      Spears fuck.jpg.exe; Britney Spears.jpg.exe; Harry Potter 5.mpg.exe;
      Britney Spears and Eminem porn.jpg.exe; Matrix.mpg.exe; Britney Spears
      Song text archive.doc.exe; Britney Spears full album.mp3.exe;
      Eminem.mp3.exe; Britney Spears.mp3.exe; Eminem Song text
      archive.doc.exe; Eminem Sexy archive.doc.exe; Eminem full
      album.mp3.exe; Eminem Spears porn.jpg.exe; Ringtones.mp3.exe; Eminem
      sex xxx.jpg.exe; Ringtones.doc.exe; Eminem blowjob.jpg.exe; Altkins
      Diet.doc.exe; Eminem Poster.jpg.exe; American Idol.doc.exe;
      Cloning.doc.exe; Saddam Hussein.jpg.exe; Arnold
      Schwarzenegger.jpg.exe; Windows 2003 crack.exe; Windows XP crack.exe;
      Adobe Photoshop 10 crack.exe; Microsoft WinXP Crack full.exe; Teen
      Porn 15.jpg.pif; Adobe Premiere 10.exe; Adobe Photoshop 10 full.exe;
      Best Matrix Screensaver new.scr; Porno Screensaver britney.scr; Dark
      Angels new.pif; XXX hardcore pics.jpg.exe; Microsoft Office 2003 Crack
      best.exe; Serials edition.txt.exe; Screensaver2.scr; Full album
      all.mp3.pif; Ahead Nero 8.exe; netsky source code.scr; E-Book
      Archive2.rtf.exe; Doom 3 release 2.exe; How to hack new.doc.exe; Learn
      Programming 2004.doc.exe; WinXP eBook newest.doc.exe; The Sims 4
      beta.exe; Win Longhorn re.exe; Dictionary English 2004 -
      France.doc.exe; RFC compilation.doc.exe; 1001 Sex and more.rtf.exe; 3D
      Studio Max 6 3dsmax.exe; Keygen 4 all new.exe; Windows 2000
      Sourcecode.doc.exe; Norton Antivirus 2005 beta.exe; Gimp 1.8 Full with
      Key.exe; Partitionsmagic 10 beta.exe; Star Office 9.exe; Magix Video
      Deluxe 5 beta.exe; Clone DVD 6.exe; MS Service Pack 6.exe; ACDSee
      10.exe; Visual Studio Net Crack all.exe; Cracks & Warez Archiv.exe;
      WinAmp 13 full.exe; DivX 8.0 final.exe; Opera 11.exe; Internet
      Explorer 9 setup.exe; Smashing the stack full.rtf.exe; Ulead Keygen
      2004.exe; Lightwave 9 Update.exe

   These files are copies of the malware itself.



The shared directory might look like the following:


 Miscellaneous Mutex:
It creates the following Mutexes:
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Description inserted by Sergiu Oprea on Monday, August 29, 2005
Description updated by Oliver Auerbach on Tuesday, April 4, 2006

Back . . . .