Virus: Worm/Netsky.O.2
Date discovered: 16/04/2004
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 24.064 Bytes
MD5 checksum: e6d771c24e8dbaf9543851e893c3e304
IVDF version: 6.25.00.16 - Friday, April 16, 2004

General
Method of propagation:
• Email

Aliases:
• Mcafee: W32/Netsky.w
• Sophos: W32/Netsky-N
• Panda: W32/Netsky.W.worm
• Eset: Win32/Netsky.N
• Bitdefender: Win32.NetSky.X@mm

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Uses its own Email engine
• Registry modification

Files
It copies itself to the following location:
• %WINDIR%\VisualGuard.exe

The following files are created:
– %WINDIR%\zip1.tmp
– %WINDIR%\zip4.tmp
– %WINDIR%\base64.tmp
– %WINDIR%\zip3.tmp
– %WINDIR%\zip5.tmp
  Further investigation pointed out that this file is malware, too. Detected as: Worm/Netsky.W.1
– %WINDIR%\zipped.tmp
  Further investigation pointed out that this file is malware, too. Detected as: Worm/Netsky.X
– %WINDIR%\zip2.tmp
– %WINDIR%\zip6.tmp

Registry
The following value is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "NetDy"="%WINDIR%\VisualGuard.exe"

The values of the following registry keys are removed:
– [HKLM\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
  • "@"
  • "ThreadingModel"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "d3dupdate.exe"
  • "Explorer"
  • "Taskmon"
  • "Windows Services Host"
  • "au.exe"
  • "sysmon.exe"
  • "ssate.exe"
  • "gouday.exe"
  • "rate.exe"
  • "srate.exe"
  • "OLE"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "Explorer"
  • "service"
  • "system."
  • "Taskmon"
  • "Sentry"
  • "Windows Services Host"
  • "DELETE ME"
  • "msgsvr32"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. It also uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are described in the following:

From:
The sender address is spoofed. The sender address is the user's Outlook account.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject:
The subject of the email is constructed out of the following:
It starts with one of the following:
• Re:
Sometimes continued by one of the following:
• Re:
Continued by one of the following:
• read it immediately
• important
• improved
• patched
• corrected
• approved
• thanks!
• hello
• hi
• here
• document_all
• text
• message
• data
• excel document
• word document
• bill
• screensaver
• application
• website
• product
• letter
• information
• details
• file
• document
• important
• approved
• my
• your

Body:
– Contains HTML code.
The body of the email is one of the following:
• Your details.
• Your document.
• I have received your document.
• The corrected document is attached.
• I have attached your document.
• Your document is attached to this mail.
• Authentication required.
• Requested file.
• See the file.
• Please read the important document.
• Please confirm the document.
• Your file is attached.
• Please read the document.
• Your document is attached.
• Please read the attached file.
• Please see the attached file for details.
Continued by the following:
• %attachment filename% : No virus found
  Powered by the new Norton OnlineScan
  Get protected: www.symantec.com

Attachment:
The filenames of the attachments are constructed out of the following:
– It starts with one of the following:
• important
• improved
• patched
• corrected
• approved
• thanks!
• hello
• hi
• here
• document_all
• text
• message
• data
• excel document
• word document
• bill
• screensaver
• application
• website
• product
• letter
• information
• details
• file
• document
• important
• approved
• my
• your
Continued by one of the following fake extensions:
• .zip
• .pif
• .exe
• .scr
Here are a few examples of what the attachment filename might look like:
• application.pif
• application.scr
• data.exe
• details.zip
• document.exe
• document_all.scr
• document_all_infoservice.pif
• excel document.zip
• file.pif
• information_hot-line.zip
• message.zip
• product.pif
• screensaver.scr
• website_mts.zip
The attachment is a copy of the malware itself.

Mailing
Search addresses:
It searches the following files for email addresses:
• .xml; .wsh; .jsp; .msg; .oft; .sht; .dbx; .tbb; .adb; .dhtm; .cgi; .shtm; .uin; .rtf; .vbs; .doc; .wab; .asp; .php; .txt; .eml; .html; .htm; .pl

Miscellaneous
String:
Furthermore it contains the following strings:
• <*>NetDy: Thanks to the SkyNet alias NetSky crew for the sourcecode.
• <*>NetDy: We have rewritten NetSky.
• <*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
• <*>NetDy: Our group will continue the war.
• <*>NetDy: Malware writers 'End' comes true.
• <*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).
• <*>NetDy: ----------------------------------------------------------------------------
• <*>NetDy: We are greeting all russia people!

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
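As an added defensive example (not part of the original description), the following Python mail-gateway heuristic scores a message against the three message traits described above: the "Re:"-plus-keyword subject, the fake "No virus found / Norton OnlineScan" footer, and the keyword-plus-fake-extension attachment name. The word lists are taken from the description; the sample messages used for testing are constructed.

```python
"""Mail-gateway heuristic for the Netsky.O.2 message pattern described above.
Added example; word lists come from the description, sample messages are constructed."""
import re

# Subject / attachment stems listed in the description (duplicates removed).
STEMS = {
    "read it immediately", "important", "improved", "patched", "corrected", "approved",
    "thanks!", "hello", "hi", "here", "document_all", "text", "message", "data",
    "excel document", "word document", "bill", "screensaver", "application", "website",
    "product", "letter", "information", "details", "file", "document", "my", "your",
}
FAKE_EXTS = (".zip", ".pif", ".exe", ".scr")
# "Re:" once, sometimes twice, then exactly one stem.
RE_PREFIX = re.compile(r"^(?:re:\s*){1,2}", re.IGNORECASE)

def subject_matches(subject: str) -> bool:
    """True when the subject is 'Re:' (optionally doubled) followed by one listed stem."""
    s = subject.strip()
    m = RE_PREFIX.match(s)
    if not m:
        return False
    return s[m.end():].strip().lower() in STEMS

def attachment_matches(filename: str) -> bool:
    """True for <stem>[_suffix].<fake ext>; the page's own examples show optional
    '_suffix' parts such as document_all_infoservice.pif and information_hot-line.zip."""
    name = filename.strip().lower()
    base, dot, ext = name.rpartition(".")
    if not dot or "." + ext not in FAKE_EXTS:
        return False
    return any(base == stem or base.startswith(stem + "_") for stem in STEMS)

def body_matches(body: str) -> bool:
    """True when the fake 'No virus found ... Norton OnlineScan' footer is present."""
    b = body.lower()
    return "no virus found" in b and "norton onlinescan" in b

def classify(subject: str, body: str, attachments: list[str]) -> dict:
    """Collect matched indicators; two or more independent hits -> quarantine for review."""
    hits = []
    if subject_matches(subject):
        hits.append("subject")
    if body_matches(body):
        hits.append("fake-av-footer")
    if any(attachment_matches(a) for a in attachments):
        hits.append("attachment")
    return {"indicators": hits, "quarantine": len(hits) >= 2}
```

Requiring two indicators keeps a lone "Re: document" reply or a single stray .zip from being quarantined on its own.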
Description inserted by Petre Galan on Friday, March 5, 2010 Description updated by Petre Galan on Monday, March 8, 2010