Alias: W32/Netsky.E@MM, i-Worm.Moodown.e
Type: Worm
Size: 24,840 bytes
Origin: unknown
Date: 03-01-2004
Damage: Sends itself by email
VDF Version: 6.24.00.31
Danger: Low
Distribution: High

General Description

Worm/NetSky.E is a mass-mailer with a size of 24,840 bytes. It uses its own SMTP engine to send the emails, so the worm does not depend on the email client installed on the machine. It scans files on all local drives for email addresses and then sends itself to the addresses it finds.

The emails generated by Worm/NetSky.E can look different from one another, because the worm assembles them from a predefined list of words and sentences.

The worm copies itself into the Windows installation folder as WINLOGON.EXE and adds a Run entry to the Windows Registry so that it is started with Windows.

Symptoms

* Increased email traffic

Distribution

* Sends itself via email using its own SMTP engine

Technical Details

Worm/NetSky.E is a mass-mailer with a size of 24,840 bytes. It uses its own SMTP engine to send the emails, so the worm does not depend on the email client installed on the machine. It scans files with the following file extensions on all local drives for email addresses and then sends itself to the addresses it finds:

adb, asp, cgi, dbx, dhtm, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, shtm, tbb, txt, uin, vbs, and wab

The worm uses the local DNS server, if available, to perform an MX lookup for the recipient address. If the local DNS lookup fails, it performs the lookup against a list of DNS servers hard-coded in the worm.

It copies itself into the Windows installation folder as WINLOGON.EXE and adds the following entry to the Windows Registry:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe stealth"

Note: The file WINLOGON.EXE is different from the original file in the SYSTEM32 folder of Windows.

The emails generated by Worm/NetSky.E can look different from one another, because the worm assembles them from a predefined list of words and sentences. Thus the subject, the email body and the name of the attachment differ from one sent email to the next.

The subject is selected from the following list:

* ;-)
* <...>
* <<<Failure>>>
* <Antispam complete>
* <Attached Msg>
* <Attachment Signature 34933920>
* <Automailer>
* <bad gateway>
* <Failed message available>
* <Mail failed>
* <Message Error>
* <null>
* <Server Error>
* <Transfer complete>
* <Warning from the Government>
* a crazy doc about you
* abuse?
* account?
* already?
* Announcement
* another pic, have fun! ... :->
* Antispam is turned off. See file!
* Approved
* are you a photographer?
* are you cranky?
* are you the one?
* attachi#
* Attention
* automatic notification
* automatic responder
* be mad?
* believe me
* best?
* child porn?
* classroom test of you?
* Confirmation
* Confirmation Required
* Delivery Failed
* denied!
* Details
* did you ask me for that?
* did you know from this document?
* did you sent it to me?
* do not show this anyone!
* do not use my document!
* do not visit the pages on the list I sent!
* do you have an orgasm in the picture?
* do you have sex in the picture?
* do you have the bug also?
* do you have?
* do you know the thief?
* doc about me?
* does it belong to you?
* does it matter?
* drugs? ...
* error
* excellent!
* exception
* excuse me
* Expired account
* explain!
* fake?
* fast food...
* File is bad.
* File is damaged.
* File is self-decryting.
* forgotten?
* from your lover ;-)
* gonna?
* good morning
* greetings
* hello
* help attached
* here is it.
* here is my photo!
* here is the next one!
* here is yours!
* here, the cheats
* here, the introduction
* hey
* hi
* hi, it's me
* how?
* i am speachless about your document!
* i don't think so.
* i don't want your xxx pics!
* i found that about you!
* i have received this.
* i hope thats not true!
* i know your document!
* i lost that
* i need you!
* I 've found your bill!
* I wait for an answer!
* i wait for your comment about it.
* i want more...
* illegal...
* I'm back!
* important
* in your mind?
* incest?
* info
* information about you?
* Instant patches.
* instruct me about this!
* is that possible?
* is that the reality?
* is that your attachment?
* is that your beast?
* is that your car?
* is that your cd?
* is that your creditcard?
* is that your domain?
* is that your message?
* is that your photo?
* is that your porn pic?
* is that your privacy?
* is that your TAN?
* is that your wife?
* is that your work?
* is that yours?
* is the pic a fake?
* its me
* its private from me
* kill the writer of this document!
* last chance!
* let it!
* lets talk about it!
* Login required! Read the attachment!
* lol
* Love is
* love letter?
* man or women?
* meaning of that?
* message?
* misc. and so on. see you!
* moin
* money?
* msg
* my advice....
* never!
* new patch is available!
* notice!
* notification
* oh
* old photos about you?
* only encrypted!
* pages?
* personal message!
* picture?
* please read
* please reply
* pretty pic about you?
* private?
* pwd?
* question
* Question
* re:
* Re: <5664ddff?$??§2>
* Re: <censored>
* Re: Approved
* Re: Details
* Re: does it?
* Re: excuse me
* Re: hello
* Re: hey
* Re: hi
* Re: important
* Re: information
* Re: Re: Re: Re:
* Re: Thank you
* Re: unknown
* read it immediatelly
* read now!
* read the details.
* Read this message
* registered?
* Registration confirm
* reply
* report
* Returned Mail
* Schedule
* see your name!
* solve the problem!
* something for you
* something is going ...
* something is not ok
* Status
* stolen
* such as yours?
* take it
* take it easy!
* tell me more about your document!
* test it
* Thank you
* Thank You very very much
* that's a funny text.
* that's not the truth?
* the information is wrong!
* this is an attachment message!
* Transaction failed. Show the doc!
* trial?
* trust me
* warning
* what do you think about it?
* what still?
* what?
* what's up?
* why should I?
* why?
* wrong calculation! (see the attachment!)
* xxx ?
* xxx about you?
* xxx service
* Yep
* yes.
* you are bad
* You are infected. Read the details!
* You have 1 day left
* you have done a mistake in the document!
* you look like an ape!
* you look like an rat?
* You use illegal...
* you won the rk!
* you?
* your account is expired!
* your are naked?
* your attachment? verify it.
* your document is not good
* your eyes?
* your face?
* Your IP was logged
* your job? (I found that!)
* your lie is going around the world!
* your name is wrong!
* your photo is poor
* Your provider will be disabled!
* Your request was registered
* your TAN number?

The body of the Worm/NetSky.E generated email is selected from the following list:

* *lol*
* ;-)
* <...>
* <?}
* <<<Failure>>>
* <09580985869gj>
* <Antispam complete>
* <Attached Msg>
* <Attachment from Poland>
* <Attachment Signature 34933920>
* <Automailer>
* <bad gateway>
* <Click the attachment to decrypt>
* <Deliver Error>
* <Failed message available>
* <Mail failed>
* <Message Error>
* <null>
* <scanned by norton antivirus>
* <Server Error>
* <Transfer complete>
* <Warning from the Government>
* a crazy doc about you
* abuse?
* account?
* already?
* another pic, have fun! ... :->
* Antispam is turned off. See file!
* are you a photographer?
* are you a teacherin the picture?
* are you cranky?
* are you the naked one?
* are you the naked person!
* are you the one?
* attachi#
* Authentification required. Read the attachment!
* be mad?
* best?
* bob the builder
* child or adult?
* child porn?
* classroom test of you?
* copyright?
* correct it!
* did you ask me for that?
* did you know from this document?
* did you know that?
* did you see her already?
* did you sent it to me?
* do not give up!
* do not open the attachment!
* do not show this anyone!
* do not use my document!
* do not visit the pages on the list I sent!
* do you have an orgasm in the picture?
* do you have sex in the picture?
* do you have the bug also?
* do you have?
* do you know the thief?
* do you know this????
* do you think so?
* doc about me?
* doc?
* docs?
* does it belong to you?
* does it matter?
* drugs? ...
* excellent!
* explain!
* fast food...
* feel free to use it.
* File is bad.
* File is damaged.
* File is self-decryting.
* forgotten?
* from the chatter (my photo!)
* from your lover ;-)
* gonna?
* good work!
* great job!
* great xxx!
* great!
* greetings
* help attached
* her.
* here is it.
* here is my advice.
* here is my photo!
* here is the $%%454$
* here is the <censored>
* here is the document.
* here is the next one!
* here is yours!
* here, the cheats
* here, the introduction
* here, the serials
* how?
* i am desperate
* i am speachless about your document!
* I don't know your document!
* i don't think so.
* i don't want your xxx pics!
* i found that about you!
* i found this document about you.
* i have received this.
* I have your password!
* i hope thats not true!
* i know your document!
* i like your doc!
* i lost that
* i need you!
* i saw you last week!
* I 've found your bill!
* I wait for an answer!
* i wait for your comment about it.
* i want more...
* illegal st. of you?
* important?
* important?
* in your mind?
* incest?
* information about you?
* Instant patches.
* instruct me about this!
* is that criminal?
* is that possible?
* is that the reality?
* is that true?
* is that your account?
* is that your attachment?
* is that your beast?
* is that your car?
* is that your cd?
* is that your creditcard?
* is that your domain?
* is that your family?
* is that your finger?
* is that your message?
* is that your name?
* is that your photo?
* is that your porn pic?
* is that your privacy?
* is that your slip?
* is that your TAN?
* is that your website?
* is that your wife?
* is that your work?
* is that yours?
* is the pic a fake?
* is this information about you?
* it's a secret!
* its private from me
* it's so similar as yours!
* i've found it about you
* kill him on the picture!
* kill the writer of this document!
* let it!
* lets talk about it!
* Login required! Read the attachment!
* love letter?
* man or women?
* meaning of that?
* message?
* Microsoft
* misc. and so on. see you!
* modifications?
* money?
* msg
* my advice....
* never!
* new patch is available!
* ok...
* old photos about you?
* only encrypted!
* pages?
* personal message!
* picture?
* poor quality!
* possible?
* pretty pic about you?
* pwd?
* read it immediately!
* read the details.
* really?
* reply
* schoolfriend?
* see this!
* see your name!
* solve the problem!
* something about you!
* something is going ...
* something is going wrong!
* something is not ok
* stuff about you?
* such as yours?
* take it easy!
* tell me more about your document!
* test it
* that is interesting...
* that's a funny text.
* that's not the truth?
* thats wrong!
* the information is wrong!
* the truth?
* this file is bad!
* this is an attachment message!
* this is nothing for kids!
* time to fear?
* Transaction failed. Show the doc!
* trial?
* try this patch!
* what do you think about it?
* what means that?
* what still?
* what?
* who?
* why should I?
* why?
* wrong calculation! (see the attachment!)
* xxx ?
* xxx about you?
* xxx service
* yes.
* you are a bad writer
* you are bad
* You are infected. Read the details!
* you are naked in this document!
* you are sexy in this doc!
* you cannot hide yourself! (see photo)
* you earn money, see the attachment!
* you feel the same.
* you have a sexy body in the pic!
* you have done a mistake in the document!
* you have tried to steal!
* you look like an ape!
* you look like an rat?
* you won the rk!
* your account is expired!
* your are naked?
* your attachment? verify it.
* Your bill.
* your body?
* your design is not good!
* your document is not good
* your document is silly!
* your eyes?
* your face?
* your hero in the picture?
* your icq number?
* your job? (I found that!)
* your lie is going around the world!
* your name is wrong!
* your personal record?
* your photo is poor
* Your provider will be disabled!
* your TAN number?

The name of the attachment is built from two or three parts:
"file name" + "file extension1" + "file extension2"

The file name is selected from the following list:

* 454543403
* aboutyou
* associal
* attach2
* attachment
* auction
* bill
* birth
* birth
* card
* class
* concert
* concert
* creditcard
* death
* description
* details
* dinner
* disco
* doc
* document
* final
* found
* freaky
* friend
* id
* image
* important
* incest
* information
* injection
* intimate stuff
* jokes
* letter
* location
* mail2
* mails
* masturbation
* material
* me
* message
* misc
* moonlight
* more
* msg
* msg2
* music
* myaunt
* mydate
* naked1
* naked2
* news
* nomoney
* note
* nothing
* object
* part2
* party
* paypal
* pic
* portmoney
* poster
* posting
* product
* ps
* ranking
* regards
* regid
* release
* response
* schock
* secrets
* sexual
* sexy
* shower
* story
* stuff
* swimmingpool
* talk
* tear
* textfile
* topseller
* transfer
* trash
* undefinied
* unfolds
* update
* violence
* visa
* warez
* webcam
* website
* wife
* word
* worker
* your
* yours

The worm sometimes builds the file name out of two or three words from this list, separated with "_", for example:

yours_wife_visa.txt.pif

The file extension of the attachment can be one of the following:

* .txt
* .rtf
* .doc
* .htm

The second file extension can be:

* .exe
* .scr
* .com
* .pif
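A mail-gateway check for the attachment naming scheme described above, written here as an added example and not Avira's own tooling: it pulls attachment names out of a raw message and flags names built from the page's word list plus a document extension followed by an executable extension. It generalises slightly by also flagging the page's document/executable extension pair when the base words are unknown. The word subset, the sample message and the function names are assumptions.

```python
import re
from email import message_from_string

# Constructed subset of the base words listed above (the page's full list is longer)
BASE_WORDS = {"aboutyou", "bill", "creditcard", "details", "document", "msg",
              "party", "paypal", "textfile", "visa", "wife", "yours"}
DOC_EXTS = {"txt", "rtf", "doc", "htm"}      # "file extension1" from the page
EXEC_EXTS = {"exe", "scr", "com", "pif"}     # "file extension2" from the page

# base: one to three words joined with "_"; then a document ext and an executable ext
NAME_RE = re.compile(r"^([a-z0-9 ]+(?:_[a-z0-9 ]+){0,2})\.([a-z]+)\.([a-z]+)$", re.I)

def classify_attachment(filename: str) -> str:
    """'netsky_e': base words, doc ext and exec ext all match the generator.
    'double_ext': page's doc/exec extension pair, but unknown base words
    (the double-extension trick alone is worth flagging). 'no_match': rest."""
    m = NAME_RE.match(filename.strip())
    if not m:
        return "no_match"
    base, doc, exe = (g.lower() for g in m.groups())
    if doc not in DOC_EXTS or exe not in EXEC_EXTS:
        return "no_match"
    if all(w in BASE_WORDS for w in base.split("_")):
        return "netsky_e"
    return "double_ext"

def attachment_names(raw_message: str) -> list:
    """File names of all MIME parts that carry a filename."""
    msg = message_from_string(raw_message)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

# Constructed sample message in the worm's format (subject from the page's list)
SAMPLE_MAIL = """\
Subject: is that your creditcard?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="yours_wife_visa.txt.pif"
Content-Disposition: attachment; filename="yours_wife_visa.txt.pif"

(placeholder body, not the worm)
--b1--
"""

if __name__ == "__main__":
    for name in attachment_names(SAMPLE_MAIL):
        print(name, classify_attachment(name))  # yours_wife_visa.txt.pif netsky_e
```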

Manual Removal Instructions

- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* \%WinDIR%\Winlogon.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe -stealth"

Restart your computer.

- for Windows 9x/Me:

In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* \%WinDIR%\Winlogon.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe -stealth"

Restart your computer.

Description inserted by Crony Walker on Tuesday, June 15, 2004
