Virus:Worm/Netsky.T
Date discovered:05/04/2004
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:18.432 Bytes
MD5 checksum:5e12dace2155beca61c050ad2deb519a
IVDF version:6.24.00.86 - Monday, April 5, 2004

General
Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Netsky.s
   •  Sophos: W32/Netsky-S
   •  Panda: W32/Netsky.S.worm
   •  Eset: Win32/Netsky.S
   •  Bitdefender: Win32.Netsky.S@mm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\EasyAV.exe



The following file is created:
   • %WINDIR%\uinmzertinmds.opm

Further investigation pointed out that this file is malware, too. Detected as: Worm/Netsky.T

Registry
The following value is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "EasyAV"="%WINDIR%\EasyAV.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:


From:
The sender address is spoofed.
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Hello!
   • Hi!
   • Re: Important
   • Important
   • Re: My details
   • My details
   • Re: Your information
   • Your information
   • Re: Your details
   • Your details
   • Re: Your document
   • Your document
   • Re: Request
   • Request
   • Re: Thanks you!
   • Thank you!
   • Re: Approved
   • Approved
   • Re: Hello
   • Re: Hi
   • Hello
   • Hi


    Sometimes it starts with one of the following:

Body:
– Contains HTML code.
The body of the email is one of the following:

   • Hello!
     Hi!

   • Note that I have attached your document.
     My %attachment filename%.
     The %attachment filename%.
     I have spent much time for the %attachment filename%.
     I have spent much time for your document.
     Your %attachment filename%.
     Please notice the attached %attachment filename%.
     Please notice the attached document.
     Please read quickly.
     For more details see the attached document.
     For more information see the attached document.
     Approved, here is the document.
     I have found the %attachment filename%.
     My %attachment filename% is attached.
     Your %attachment filename% is attached.
     Please, %attachment filename%.
     Your file is attached to this mail.
     Please read the attached document.
     Please have a look at the attached document.
     See the document for details.
     Here is the document.
     The requested %attachment filename% is attached!
     I have sent the %attachment filename%.
     Please see the %attachment filename%.
     The %attachment filename% is attached.
     Here is the %attachment filename%.
     Please have a look at the %attachment filename%.
     Please read the %attachment filename%.


Sometimes continued by the following:

   • Yours sincerely
     Thank you
     Thanks


Continued by one of the following:

   • +++ X-Attachment-Type: document
     +++ X-Attachment-Status: no virus found
     +++ Powered by the new Panda OnlineAntiVirus
     +++ Website: www.pandasoftware.com
     +++ X-Attachment-Type: document
     +++ X-Attachment-Status: no virus found
     +++ Powered by the new MCAfee OnlineAntiVirus
     +++ Homepage: www.mcafee.com
     +++ X-Attachment-Type: document
     +++ X-Attachment-Status: no virus found
     +++ Powered by the new F-Secure OnlineAntiVirus
     +++ Visit us: www.f-secure.com
     +++ X-Attachment-Type: document
     +++ X-Attachment-Status: no virus found
     +++ Powered by the new Norton OnlineAntiVirus
     +++ Free trial: www.norton.com


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • abuse_list
   • approved_document
   • archive
   • bill
   • developement
   • diggest
   • excel_document
   • file
   • homepage
   • icq_number
   • information
   • message
   • movie_document
   • notice
   • number_list
   • postcard
   • report
   • story
   • summary
   • word_document

Continued by one of the following:
   • %number%

    Continued by one of the following fake extensions:
   • .pif



Here are a few examples of how the filename of the attachment might look:
   • abuse_list4.pif
   • approved_document7.pif
   • bill1.pif
   • developement7.pif
   • file6.pif

The attachment is a copy of the malware itself.
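The subject list, the fake "online antivirus" trailer and the attachment naming scheme above are stable enough to turn into a mail-gateway check. The following is an added example, not code from the original description; the combination rule (a matching .pif attachment plus at least one more trait) is an assumption chosen to keep false positives low, and the sample message is constructed.

```python
import re

# Subject lines and attachment name stems as listed in the description above.
SUBJECTS = {
    "Hello!", "Hi!", "Re: Important", "Important", "Re: My details",
    "My details", "Re: Your information", "Your information",
    "Re: Your details", "Your details", "Re: Your document", "Your document",
    "Re: Request", "Request", "Re: Thanks you!", "Thank you!", "Re: Approved",
    "Approved", "Re: Hello", "Re: Hi", "Hello", "Hi",
}
ATTACHMENT_STEMS = (
    "abuse_list", "approved_document", "archive", "bill", "developement",
    "diggest", "excel_document", "file", "homepage", "icq_number",
    "information", "message", "movie_document", "notice", "number_list",
    "postcard", "report", "story", "summary", "word_document",
)
# Attachment name = <stem><number>.pif, e.g. abuse_list4.pif
ATTACHMENT_RE = re.compile(
    r"^(?:" + "|".join(map(re.escape, ATTACHMENT_STEMS)) + r")\d+\.pif$",
    re.IGNORECASE,
)
# The fake scanner trailer the worm appends to the body (same line in all four variants)
FAKE_AV_TRAILER_RE = re.compile(r"^\+\+\+ X-Attachment-Status: no virus found", re.MULTILINE)

def netsky_t_indicators(subject, body, attachment_names):
    """Return the Netsky.T traits a message shows, in a fixed order (empty = none)."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if FAKE_AV_TRAILER_RE.search(body):
        hits.append("fake_av_trailer")
    if any(ATTACHMENT_RE.match(name) for name in attachment_names):
        hits.append("pif_attachment")
    return hits

def is_probable_netsky_t(subject, body, attachment_names):
    """Assumed rule: the .pif attachment plus one more trait; a lone generic subject is not enough."""
    hits = netsky_t_indicators(subject, body, attachment_names)
    return "pif_attachment" in hits and len(hits) >= 2

# Constructed sample message (not a real capture) shaped like the description
SAMPLE = {
    "subject": "Re: Your document",
    "body": "Please read the attached document.\nThank you\n"
            "+++ X-Attachment-Type: document\n"
            "+++ X-Attachment-Status: no virus found\n",
    "attachments": ["bill1.pif"],
}
```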

Mailing
Search addresses:
It searches the following files for email addresses:
   • .xml; .wsh; .jsp; .msg; .oft; .sht; .dbx; .tbb; .adb; .dhtm; .cgi;
     .shtm; .uin; .rtf; .vbs; .doc; .wab; .asp; .php; .txt; .eml; .html;
     .htm; .pl

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, March 5, 2010
Description updated by Petre Galan on Monday, March 8, 2010
