Virus: Worm/NetSky.X.12
Date discovered: 09/01/2007
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 29.184 Bytes
MD5 checksum: 47ce2ebadf10b72efe09623e05499778
VDF version: 6.36.01.018
IVDF version: 6.36.01.018
General
Method of propagation:
• Email

Aliases:
• Mcafee: W32/Netsky@MM
• Kaspersky: Email-Worm.Win32.NetSky.x
• Grisoft: I-Worm/Netsky.EC
• Eset: Win32/Netsky.N
• Bitdefender: Win32.Netsky.W@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Uses its own Email engine
• Registry modification

Files
It copies itself to the following location:
• %WINDIR%\DiskMonitor.exe

The following files are created:
– MIME encoded copies of itself:
• %WINDIR%\constant
• %WINDIR%\your_details.doc
• %WINDIR%\666!.hel
• %WINDIR%\document.htm
• %WINDIR%\voltaput
• %WINDIR%\doc.txt
• %WINDIR%\mulala!!
• %WINDIR%\doc.pif
• %WINDIR%\vaca.vac
• %WINDIR%\your_details.scr
• %WINDIR%\puta.vac
• %WINDIR%\document.exe
• %WINDIR%\baseadofum
• %WINDIR%\paula!.ama

Registry
The following registry value is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "AleVi"="%WINDIR%\DiskMonitor.exe"

The following values are removed from these registry keys (they are autostart entries used by other worms):
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Explorer
• system
• msgsvr32
• service
• DELETE ME
• Sentry
• Taskmon
• Windows Services Host
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Explorer
• au.exe
• d3dupdate.exe
• OLE
• gouday.exe
• rate.exe
• Taskmon
• Windows Services Host
• sysmon.exe
• srate.exe
• ssate.exe
– [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
• InProcServer32

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established. The characteristics of the emails are described below.

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.

Subject:
In some cases the subject might also be empty. Furthermore the subject line could contain random letters.
The subject of the email is constructed out of the following:
Sometimes it starts with one of the following:
• RE:
Sometimes continued by one of the following:
• RE:
Continued by one of the following:
• Nossas contas leia!
• Aprovado!
• Delicia!
• Contas!
• Obrigado!
• Passou!!
• Valeu!!
• Grana
• Pena
• sol
• BRAS

Body:
– Contains HTML code.
The body of the email is one of the following:
• @Lamento sabe!
• Olha a festa!!
• Nao sei o que eh isso me diga! Tabela de precos de Natal veja!!!!.
• Conta regularizada veja aqui!!
• Veja os arquivos que te mandei aqui!!!.
• Proposta de emprego veja
• O que isso heim
• Conta Fechada
• Quero sua opiniao leia tudo ta bjs!
• Tenho pressa ve e me liga!!!
• Olha nossas fotos (RS)
• Leia rapido o arquivo!!!!
• Nossas contas veja detalhe
• Por-favor entre em contato!!!.
• Grande Oportunidade veja os detalhes !!!.
Continued by the following (a fake "no virus found" notice):
• -------------------------------------------- %attachment filename% :Nao Tem Virus! Norton AntiVirus Procura Progressiva FiqueProtegido www.symantec.com

Attachment:
The filename of the attachment is constructed out of the following:
– It starts with one of the following:
• Bala
• Cambau
• Fotos!!
• Me Liga ta???
• Me liga vai
• Mentira
• Nossa Conta
• Olha isso!!
• Paes
• Saia de Ferias
• Sandra!!
• Sua Conta!!!
• Te Amo!
• Vaga
• Vida
– Sometimes continued by one of the following:
• _%username from receiver's email address%
– The file extension is one of the following:
• .zip
• .pif
• .exe
• .scr

Here are a few examples of what the filename of the attachment might look like:
• Bala__%username from receiver's email address%.exe
• Sandra!!.pif

The attachment is a copy of the malware itself.
The email may look like one of the following:

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
• .xml; .wsh; .jsp; .msg; .oft; .sht; .dbx; .tbb; .adb; .dhtm; .cgi; .shtm; .uin; .rtf; .vbs; .doc; .wab; .asp; .php; .txt; .eml; .html; .htm; .pl

Prepend MX strings:
In order to find the IP address of the recipient's mail server it can prepend the following strings to the domain name of the address:
• mail.
• mx.
• mx2.

Miscellaneous
Mutex:
It creates the following Mutex:
• VxBrasil_Causando!

String:
Furthermore it contains the following string:
• Se voce esta lendo isso veja bem quero dizer que consigo codar um Worm sozinho so que nao estou afim entao ve se para de criticar algo que alguem fez e faca algo ta bom. Eh sim eh uma versao do NetSky Disassemblada e modificada Falou. Queria fazer um protesto aqui com essa merda de WORM que ja deu o que tinha que dar. Aonde nosso BRASIL vai parar? Queria um emprego descente so que so me derao migalhas? Ate quando teremos que tolerar essas pessoas que dizem fazer pela gente e fazem o mesmo que todo mundo mentem e roubao? Queria mais que um emprego descente queria ter Orgulho de ser BRASILEIRO!!!VXBRASIL NOS NAO ESTAMOS MORTOS SE PREPAREM PARA UMA NOVA ERA DOS VIRUS DE COMPUTADOR.11/11/2006 SAMPA!

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• PE Pack
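As an added defender-side example (not part of the original description), the following Python checks sample data against three indicators listed above: the "AleVi" Run value, the mutex, and the attachment filename construction rule (prefix, optional "_username" part, one of four extensions). The registry values, attachment names and mutex list used as input are constructed for this example.

```python
import re

# Indicators as listed in the description above; the sample data further
# down is constructed for this example and does not come from the page.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AleVi"
MUTEX = "VxBrasil_Causando!"
PREFIXES = (
    "Bala", "Cambau", "Fotos!!", "Me Liga ta???", "Me liga vai", "Mentira",
    "Nossa Conta", "Olha isso!!", "Paes", "Saia de Ferias", "Sandra!!",
    "Sua Conta!!!", "Te Amo!", "Vaga", "Vida",
)
EXTENSIONS = (".zip", ".pif", ".exe", ".scr")

# prefix, optional "_<username>" (the username may itself contain dots), extension
_ATTACHMENT_RE = re.compile(
    "^(?:" + "|".join(map(re.escape, PREFIXES)) + ")"
    "(?:_.+?)?"
    "(?:" + "|".join(map(re.escape, EXTENSIONS)) + ")$",
    re.IGNORECASE,
)


def attachment_matches(filename: str) -> bool:
    """True if the name follows the attachment construction rule above."""
    return _ATTACHMENT_RE.match(filename) is not None


def check_run_values(run_values: dict) -> list:
    """run_values maps Run value name -> data; flag the AleVi/DiskMonitor.exe entry."""
    data = run_values.get(RUN_VALUE, "")
    if data.lower().endswith("\\diskmonitor.exe"):
        return [f"{RUN_KEY}\\{RUN_VALUE} = {data}"]
    return []


def check_mutexes(mutexes) -> list:
    """Flag the worm's mutex in a list of mutex names (e.g. from a handle dump)."""
    return [m for m in mutexes if m == MUTEX]


# Constructed sample input for a stand-alone run.
SAMPLE_RUN = {"ctfmon": "ctfmon.exe", "AleVi": r"C:\WINDOWS\DiskMonitor.exe"}
SAMPLE_ATTACHMENTS = ["Sandra!!.pif", "Bala__joao.exe", "invoice.pdf", "Vagabundo.exe"]
SAMPLE_MUTEXES = ["MSCTF.Shared", "VxBrasil_Causando!"]

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN) + check_mutexes(SAMPLE_MUTEXES):
        print("indicator:", finding)
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name}: {'suspicious' if attachment_matches(name) else 'ok'}")
```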
Description inserted by Monica Ghitun on Tuesday, January 9, 2007 Description updated by Monica Ghitun on Tuesday, January 9, 2007