Virus:Worm/NetSky.#1
Date discovered:05/04/2004
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low
Static file:Yes
File size:18.432 Bytes
MD5 checksum:ff05ddc00c74ef41157a2552af455e59
VDF version:6.24.00.87

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Netsky.T@mm
   •  Mcafee: W32/Netsky.t@MM
   •  Kaspersky: Email-Worm.Win32.NetSky.t
   •  TrendMicro: WORM_NETSKY.T
   •  F-Secure: W32/Netsky.T@mm
   •  Sophos: W32/Netsky-T
   •  Grisoft: I-Worm/Netsky.T
   •  VirusBuster: iworm I-Worm.Netsky.U
   •  Bitdefender: Win32.NetSky.T@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\EasyAV.exe



The following file is created:

– MIME encoded copy of itself:
   • %WINDIR%\uinmzertinmds.opm

Registry
The following registry key is added, continuously in an infinite loop, in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "EasyAV"="%WINDIR%\EasyAV.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination server is established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
The subject of the email is constructed out of the following:

    Sometimes it starts with one of the following:
   • Re:

    Continued by one of the following:
   • Important
   • My details
   • Your information
   • Your details
   • Your document
   • Request
   • Thank you!
   • Approved
   • Hello
   • account
   • postcard
   • sample
   • developement
   • concept
   • story
   • report
   • icq number
   • e-mail
   • phone number
   • personal message
   • photo document
   • order
   • important document
   • diggest
   • final version
   • release
   • answer
   • bill
   • notice
   • requested document
   • description
   • summary
   • picture document
   • movie document
   • approved document
   • old document
   • document
   • mail
   • letter
   • homepage
   • detailed document
   • powerpoint document
   • excel document
   • word document
   • info
   • information
   • text
   • new document
   • textfile
   • user list
   • improved file
   • secound document
   • file
   • number list
   • contact list
   • message
   • note
   • improved document
   • details
   • instructions
   • presentation document
   • abuse list
   • archive
   • corrected document
   • list
   • approved file


Body:
The body of the email is one of the following:

   • Hello!

   • Hi!


Sometimes continued by one of the following:

   • Your file is attached to this mail.

   • Please read the attached document.

   • Please have a look at the attached document.

   • See the document for details.

   • Here is the document.

   • Note that I have attached your document.

   • I have spent much time for your document.

   • Please notice the attached document.

   • My %replacement 1% is attached.

   • Your %replacement 1% is attached

   • I have found the %replacement 1%

   • Please notice the attached %replacement 1%

   • I have spent much time for the %replacement 1%

   • Please read quickly.

   • For more details see the attached document.

   • For more information see the attached document.

   • Approved, here is the document.

   • The requested %replacement 1% is attached!

   • I have sent the %replacement 1%.

   • Please see the %replacement 1%.

   • The %replacement 1% is attached.

   • Here is the %replacement 1%.

   • Please have a look at the %replacement 1%.

   • Please read the %replacement 1%.

   • Please, %replacement 1%.

   • My %replacement 1%.

   • The %replacement 1%.

   • Your %replacement 1%.


Sometimes continued by one of the following:

   • Yours sincerely
     

   • Thank you
     

   • Thanks


%replacement 1% is expanded to one of the following:
   • account; postcard; sample; developement; concept; story; report; icq
      number; e-mail; phone number; personal message; photo document; order;
      important document; diggest; final version; release; answer; bill;
      notice; requested document; description; summary; picture document;
      movie document; approved document; old document; document; mail;
      letter; homepage; detailed document; powerpoint document; excel
      document; word document; info; information; text; new document;
      textfile; user list; improved file; secound document; file; number
      list; contact list; message; note; improved document; details;
      instructions; presentation document; abuse list; archive; corrected
      document; list; approved file; report


Attachment:
The filename of the attachment is one of the following:
   • account%number%.pif; postcard%number%.pif;
      sample%number%.pif; developement%number%.pif;
      concept%number%.pif; story%number%.pif;
      report%number%.pif; icq_number%number%.pif;
      e-mail%number%.pif; phone number%number%.pif;
      personal_message%number%.pif;
      photo_document%number%.pif; order%number%.pif;
      important_document%number%.pif; diggest%number%.pif;
      final_version%number%.pif; release%number%.pif;
      answer%number%.pif; bill%number%.pif;
      notice%number%.pif; requested_document%number%.pif;
      description%number%.pif; summary%number%.pif;
      picture_document%number%.pif;
      movie_document%number%.pif;
      approved_document%number%.pif; old_document%number%.pif;
      document%number%.pif; mail%number%.pif;
      letter%number%.pif; homepage%number%.pif;
      detailed_document%number%.pif;
      powerpoint_document%number%.pif;
      excel_document%number%.pif; word_document%number%.pif;
      info%number%.pif; information%number%.pif;
      text%number%.pif; new_document%number%.pif;
      textfile%number%.pif; user_list%number%.pif;
      improved_file%number%.pif; secound_document%number%.pif;
      file%number%.pif; number_list%number%.pif;
      contact_list%number%.pif; message%number%.pif;
      note%number%.pif; improved_document%number%.pif;
      details%number%.pif; instructions%number%.pif;
      presentation_document%number%.pif;
      abuse_list.%number%.pif; archive%number%.pif;
      corrected_document%number%.pif; list%number%.pif;
      approved_file%number%.pif

The attachment is a copy of the malware itself.
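The subject, body and attachment templates above are fixed lists, which makes this worm's mail easy to match at the gateway. The following is an added detection example written for this description; it is not Avira's code and not part of the original page. It assumes that %number% expands to a run of digits (possibly empty), that the attachment stem may appear with spaces replaced by underscores (as the filename list shows) or, for "phone number", with the space kept, and that a message is suspicious when a listed .pif attachment name coincides with a templated subject or body. The two sample messages at the bottom are constructed.

```python
import re

# %replacement 1% nouns from the description (the duplicate "report" removed).
NOUNS = [
    "account", "postcard", "sample", "developement", "concept", "story", "report",
    "icq number", "e-mail", "phone number", "personal message", "photo document",
    "order", "important document", "diggest", "final version", "release", "answer",
    "bill", "notice", "requested document", "description", "summary",
    "picture document", "movie document", "approved document", "old document",
    "document", "mail", "letter", "homepage", "detailed document",
    "powerpoint document", "excel document", "word document", "info",
    "information", "text", "new document", "textfile", "user list",
    "improved file", "secound document", "file", "number list", "contact list",
    "message", "note", "improved document", "details", "instructions",
    "presentation document", "abuse list", "archive", "corrected document",
    "list", "approved file",
]
# Subject words that are not also nouns; an optional "Re:" may precede any subject.
SUBJECT_EXTRA = {"Important", "My details", "Your information", "Your details",
                 "Your document", "Request", "Thank you!", "Approved", "Hello"}
# Assumption: attachment stems are the nouns with "_" for spaces; "phone number"
# keeps its space in the listed filenames, so both forms are accepted.
ATTACHMENT_STEMS = {n.replace(" ", "_") for n in NOUNS} | {"phone number"}
# Assumption: %number% is zero or more digits; "abuse_list.%number%.pif" has a dot.
ATTACHMENT_RE = re.compile(r"^(?P<stem>.+?)\.?(?P<num>\d*)\.pif$", re.IGNORECASE)

BODY_GREETINGS = {"Hello!", "Hi!"}
BODY_CLOSINGS = {"Yours sincerely", "Thank you", "Thanks"}
BODY_TEMPLATES = [
    "Your file is attached to this mail.", "Please read the attached document.",
    "Please have a look at the attached document.", "See the document for details.",
    "Here is the document.", "Note that I have attached your document.",
    "I have spent much time for your document.", "Please notice the attached document.",
    "My %replacement 1% is attached.", "Your %replacement 1% is attached",
    "I have found the %replacement 1%", "Please notice the attached %replacement 1%",
    "I have spent much time for the %replacement 1%", "Please read quickly.",
    "For more details see the attached document.",
    "For more information see the attached document.", "Approved, here is the document.",
    "The requested %replacement 1% is attached!", "I have sent the %replacement 1%.",
    "Please see the %replacement 1%.", "The %replacement 1% is attached.",
    "Here is the %replacement 1%.", "Please have a look at the %replacement 1%.",
    "Please read the %replacement 1%.", "Please, %replacement 1%.",
    "My %replacement 1%.", "The %replacement 1%.", "Your %replacement 1%.",
]


def expand_body_templates() -> set:
    """Expand %replacement 1% in every template into the full set of body lines."""
    out = set()
    for tpl in BODY_TEMPLATES:
        if "%replacement 1%" in tpl:
            out.update(tpl.replace("%replacement 1%", n) for n in NOUNS)
        else:
            out.add(tpl)
    return out


BODY_SENTENCES = expand_body_templates()


def subject_matches(subject: str) -> bool:
    """True if the subject is one of the worm's fixed subjects, with or without 'Re:'."""
    s = subject.strip()
    if s.lower().startswith("re:"):
        s = s[3:].strip()
    return s in SUBJECT_EXTRA or s in NOUNS


def attachment_matches(filename: str) -> bool:
    """True if the filename is <listed stem>[.]<digits>.pif."""
    m = ATTACHMENT_RE.match(filename.strip())
    return bool(m) and m.group("stem").lower() in ATTACHMENT_STEMS


def body_matches(body: str) -> bool:
    """True if the body is greeting, optional templated sentence(s), optional closing."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0] not in BODY_GREETINGS:
        return False
    rest = lines[1:]
    if rest and rest[-1] in BODY_CLOSINGS:
        rest = rest[:-1]
    return all(ln in BODY_SENTENCES for ln in rest)


def classify(subject: str, body: str, attachments: list) -> dict:
    """Combine the three checks; a listed .pif name plus a templated subject or body is the verdict."""
    hits = {"subject": subject_matches(subject), "body": body_matches(body),
            "attachment": any(attachment_matches(a) for a in attachments)}
    hits["verdict"] = ("netsky_t_like"
                       if hits["attachment"] and (hits["subject"] or hits["body"])
                       else "clean")
    return hits


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    print(classify("Re: approved document", "Hi!\nThe requested contact list is attached!\nThanks",
                   ["contact_list4711.pif"]))
    print(classify("Lunch?", "Hi!\nSee you at noon.", ["menu.pdf"]))
```

The verdict deliberately requires the attachment check plus one of the text checks: subjects such as "Hello" or "info" occur in legitimate mail, and the .pif name list is the more specific signal. Blocking or quarantining .pif attachments outright at the gateway is the simpler mitigation; this matcher is useful for retrospective log searches and for telling this variant apart from other NetSky mail.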


Mailing
Search addresses:
It searches the following files for email addresses:
   • ppt; nch; mmf; mht; xml; wsh; jsp; xls; stm; ods; msg; oft; sht; html;
      htm; pl; dbx; tbb; adb; dhtm; cgi; shtm; uin; rtf; vbs; doc; wab; asp;
      mdx; mbx; cfg; php; txt; eml

Backdoor
The following port is opened:

%executed file% on TCP port 6789

DoS
From 14/04/2004 until 17/04/2004 it performs DoS attacks against the following destinations:
   • www.keygen.us
   • www.freemule.net
   • www.kazaa.com
   • www.emule.de
   • www.cracks.am

Miscellaneous
Mutex:
It creates the following Mutexes:
   • SyncMutex_USUkUyUnUeUtU
   • Protect_USUkUyUnUeUtU_Mutex


String:
Furthermore it contains the following string:
   • Now we have programmed our backdoor, it cannot be used for spam relaying, only for Skynet distribution, our advice: educate the users or update the smtp protocol, and heuristics cannot detect Skynet, becauses numerous scambler, compressors, and protectors exists including programming new features. Thanks to russia, and thanks to CCC for support. 09:34 A.M, Russia

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Ionut Slaveanu on Thursday, May 4, 2006
Description updated by Cosmin Ancuta on Friday, May 5, 2006
