Netsky Worms
The Netsky.B Worm
The Netsky.B worm (also known as W32.Netsky.B, Moodown, or I-Worm.Moodown.b)
infects the major Windows systems (Windows 9X, Me, NT, 2000,
XP and WS2003) in use today. This worm embeds itself in messages
containing attachments with a variety of names. Different subject
lines appear; examples include “fake,” “stolen,”
“hi,” “hello,” “something for
you,” “information,” and “read it immediately.”
The message content can be “greetings,” “reply,”
“do you?,” “is it true?,” “you
try to steal,” “I’m waiting,” “you
earn money,” and many other short phrases and words. Attachment
names also vary widely (e.g., “found,” “doc,”
“nomoney,” “jokes,” “ranking,”
and “msg,” to name a few). When the attachment
Netsky.B sends is an executable, its name carries a double extension
such as “.txt.pif” or “.doc.exe,” so that the visible part of the
name suggests a document while the final extension is what Windows runs.
Attachments are zipped. This worm infects any Windows system
on which a user who receives an infected message opens the attachment
while the system’s antivirus software is not up to date.
As soon as Netsky.B infects a system, it creates
a mutex [1], “AdmSkynetJKIS003,”
and then copies itself into %systemroot%\services.exe.
A dialog box displaying the message “The file could
not be opened!” appears afterwards, and then Netsky.B
adds a value, “service” = “%systemroot%\services.exe
-serv”, to the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the victim system’s Registry, causing
the worm code to start whenever the victim system boots. It
then erases two values, “Taskmon” and “Explorer,”
from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Next, it deletes “KasperskyAV” and
“System” from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and then deletes the
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Registry key. This worm looks for files with
extensions normally assigned to files that contain email addresses,
copying addresses that it finds. Netsky.B then searches for
folders with names containing "Shar" and (if the
drive is not a CD-ROM) copies itself to those folders with
a name such as “doom2.doc.pif,” “porno.scr,”
“win longhorn.doc.exe,” “sex sex sex sex.doc.exe,”
and “virii.scr.” Next, Netsky.B sets up a mail
engine and spews massive numbers of infected messages to email
addresses it has found in the infected system.
What to Do if Your System Is Infected
Because of all the changes Netsky.B makes to
systems it infects, manually cleaning up infected systems
is usually not feasible. A better recovery solution is to
download and run the Netsky.B
removal tool, using the procedures described in this page—i.e.,
performing a Live Update of your antivirus software, rebooting
your computer in Safe mode or VGA mode (if applicable to your
system), performing an antivirus scan in which any viruses
detected are eradicated, and ensuring that your system’s
Registry does not contain values inserted by this worm.
Preventing Netsky.B Infections
Update your system's antivirus software daily. Don’t
open or forward any attachment that you are not expecting.
Note that this may require you to contact the person whose
address has been used in a message you have received to determine
whether or not that person actually mailed an attachment to
you.
____________
Note
1. A mutex is a named synchronization object. A worm or virus
creates one when it starts and exits if the name already exists,
so that only a single copy runs on a system at any time; the
fixed name is therefore also a useful indicator of infection.
The Netsky.C Worm
The Netsky.C (W32.Netsky.C) worm targets Windows systems,
specifically Windows 9X, Me, NT, 2000, XP and WS2003 systems.
This worm arrives in messages containing attachments with
a variety of names. Attachment extensions include .com, .exe, .pif, and
.scr; in some cases (about one-third of the time) the name carries a double
extension such as .txt.exe or .doc.com. The majority of the attachments
are zipped. The subject varies; examples include
“Delivery failed,” “what’s up?,”
“hello,” “trust me,” “excuse
me,” and “Question.” The message content
also varies; examples include “Deliver Error,”
“Message Error,” “ok...,” “i
wait for your comment about it,” “such as yours?,”
“read the details,” and “love letter.”
Systems become infected if users who receive a message with
an infected attachment open the attachment and the system’s
anti-virus software is not updated.
When Netsky.C infects a system it quickly creates a mutex,
“[SkyNet.cz]SystemsMutex,” and then copies itself
into %systemroot%\winlogon.exe. Next it modifies the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the infected system’s Registry by adding the
value “ICQ Net” = “%systemroot%\winlogon.exe
-stealth,” enabling the worm to start whenever
the infected system boots. It also deletes important values
such as “au.exe,” “d3dupdate.exe,”
and “OLE” from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and “System” from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
Next it searches for files with extensions normally assigned
to files that contain email addresses and copies any addresses
that it finds. Netsky.C then searches through drives C through
Z for any folder names containing "Shar" and (if
the drive is not a CD-ROM) copies itself to those folders,
assigning a file name such as “Adobe Premiere 9.exe,”
“Porno Screensave.scr,” “Dark Angels.pif,”
“Virii Sourcecode.scr,” “Norton Antivirus
2004.exe,” or “Visual Studio Net Crack.exe.”
Netsky.C then creates a mail engine, sending infected messages
to email addresses it has located in the infected system.
Finally, this worm makes the infected system beep continuously
if the system time is between 6:00 and 8:00 AM on February
26, 2004.
What to Do if Your System Is Infected
Because of all the changes Netsky.C makes to systems it infects,
manually cleaning up infected systems is not advisable. Instead,
download and run the Netsky.C removal tool, and then follow
the instructions on this page—i.e., do a Live Update
of your antivirus software, restart your computer in Safe
mode or VGA mode (if applicable to your system), run an antivirus
scan in which any viruses found are deleted, and ensure that
your Registry does not contain any values added by this worm.
Preventing Netsky.C Infections
Be sure to update your system's antivirus software immediately
if you haven't already done so, and keep it updated daily. Refrain from
opening or forwarding any attachment that you are not expecting.
The Netsky.D Worm
The Netsky.D (W32.Netsky.D) worm, like all members of the
Netsky family, targets Windows systems (Windows 9X, Me, NT,
2000, XP, and WS2003). This worm arrives as an attachment
in email messages that have a variety of subjects, such as
Re: Hello, Re: Hi, Re: Thanks, Re: Your website, Re: Your
Word file, and a message body such as "Here is your file,"
"Your document is attached," "Please have a look
at the attached file," and "Your file is attached."
Although attachments invariably have a .pif extension, the
actual name of each attachment varies. Examples include your_details.pif,
your_picture.pif, your_archive.pif, and mp3music.pif. The
address of the sender is spoofed, based on entries Netsky.D
finds in infected systems' address books. Systems become infected
if users who receive a message with an infected attachment
open the attachment and the system’s anti-virus software
is not updated.
When Netsky.D infects a machine it first creates a mutex,
"[SkyNet.cz]SystemsMutex" and then it writes itself
into %systemroot%\winlogon.exe (where %systemroot% is the
Windows installation folder, typically C:\WINDOWS). Next it inserts a new value, "ICQ
Net" = "%systemroot%\winlogon.exe -stealth,"
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the Registry, enabling it to start whenever the infected
system is booted. Netsky.D also deletes certain values, DELETE
ME, msgsvr32, Service, System, and Sentry, from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key and deletes au.exe, d3dupdate.exe, and OLE from the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key. It deletes another value, System, from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
key and deletes several other Registry keys,
including:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF,
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
Netsky.D searches every hard drive and CD-ROM drive for files
(such as files with .rtf, .wab, .oft, and .msg extensions)
that may contain email addresses, gleaning every address it
finds. Next it creates a Simple Mail Transfer Protocol (SMTP)
engine, from which it sends a large volume of messages containing
infected attachments to addresses it has found. It does not,
however, send messages to any address containing certain strings
such as abuse, aspersky, ymantec, antivi, icrosoft, and skynet,
which keeps copies away from abuse desks and antivirus vendors.
What to Do If Your System Is Infected
If your system is infected you should download and run the
Netsky
removal tool. Then follow the instructions on this page,
which show you how to perform a Live Update of your system’s
anti-virus software, restart your computer in Safe mode or
VGA mode (if applicable to your system), run an anti-virus
scan in which any viruses that are identified are eradicated,
and ensure that your Registry does not contain any values
added by this worm.
Preventing Netsky.D Infections
Be sure to update your system's anti-virus software immediately
if you haven't already done so, and keep it updated daily. Also, don’t
open or forward any attachment that you are not expecting.
____________
The Netsky.N Worm
The Netsky.N worm (also known as W32/Netsky.aa@MM or Worm.Netsky.N)
is yet another mass-mailing worm that targets Windows systems
and spoofs sender addresses to fool recipients of messages
it sends. It arrives as what appears to be a mail delivery
failure notice, and can have a variety of subject lines, messages,
and attachment names. Subject lines include: "Can you
confirm it?," "Re: Free Porn," "Re: Test,"
"Re: Error," "Is that your password?,"
"Message is attached," and many others. The message
body content is random and consists of at least one of the
following: "Here it is," "Here is my icq list," or "?"
Alternatively, it can use a precomposed message such as:
From: noreply@paypal.com
Subject: Congratulations! (or Thank you!)
Body:
You were registered to the pay system.
For more details see the attachment.
Your bill is attached to this mail.
The attachment is:
www.<random domain name>.<random username>.session-<random
number>.com.
The worm may also append the following to the message body:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
How Netsky.N Infects Your System
This worm copies itself into the system folder of each system
it infects as FirewallSvr.exe and then adds a value, "FirewallSvr"="%Windir%\FirewallSvr.exe,"
to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This allows the worm to start every time the infected system
is booted. It creates a mutex (a named synchronization object)
so that only one copy of the worm runs on a system at a time.
It adds a MIME-encoded copy of itself to the system directory
and opens TCP port 82 as a backdoor through which an attacker can
upload an executable and then run it remotely. Next, Netsky.N obtains email addresses
from files in the infected system, creates an SMTP engine,
and mails copies of itself to the addresses it has found,
as well as to hukanmikloiuo@yahoo.com. The worm also tries
to use the infected system's default DNS server to get the
IP address of the infected machine's email server; if unsuccessful
in finding the DNS server, it tries to use other predesignated
DNS servers.
How to Recover if Your System Becomes Infected
To recover, Symantec recommends that you:
- Disable System Restore in Windows Me and XP
- Update your computer’s anti-virus software
- Restart your computer in Safe or VGA mode.
- Perform a system scan on all hard drives and delete any
copies of this worm
- Correct any Registry changes that Netsky.N has made
A recovery tool for Netsky infections is available from Symantec.
Running this tool, however, will not completely reverse all
of the many changes that Netsky.N makes in systems that it
infects.
Preventing Netsky.N Infections
Update your system's anti-virus software daily. Refrain from
opening or forwarding any attachment that you are not expecting.
____________
The Netsky.P Worm
The Netsky.P (W32.Netsky.P) worm infects Windows systems such
as Windows 9X, Me, NT, 2000, XP and WS2003. Messages
that Netsky.P sends have spoofed addresses from infected systems'
address books as well as others such as support@symantec.com.
The subject of such messages varies widely; examples include
Re: Error, Re: Notify, Re: Secure delivery, and Re: Test.
Examples of the message content include “Do you?,”
“Do not visit this illegal websites!,” "You
cannot do that," "I hope you accept the result,"
"Please confirm!," "Your details," "Thanks,"
and "New message is available." To further deceive
users, Netsky.P may also append one of the following three fake
scan-result footers to the message body:
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
Systems become infected if users who receive a message with
an infected attachment open the attachment and the system’s
anti-virus software is not updated. When Netsky.P infects
a system it creates a mutex,
"_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
and then copies itself into the %systemroot% (installation)
folder as FVProtect.exe. It also drops a file named userconfig9x.dll
into the same folder and then starts the dropped FVProtect.exe. It then
inserts a value, "Norton Antivirus AV"="%Windir%\FVProtect.exe,"
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the infected system’s Registry, enabling Netsky.P
to start whenever the infected system boots. It deletes other
values, jijbl, service, Explorer, system, msgsvr32, winupd.exe,
direct.exe, and Sentry,
from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
This worm also deletes certain values, Video and system, from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and deletes numerous other values (Taskmon, srate.exe, ssate.exe,
au.exe, gouday.exe, Explorer, d3dupdate.exe, rate.exe, direct.exe,
OLE, Windows Services Host, winupd.exe, and sysmon.exe) from
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Afterwards, it deletes certain Registry subkeys, including
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch,
and
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Next, Netsky.P searches for folders whose names contain certain
strings, such as icq, ftp, htdocs, http, morpheus, mule, my shared folder,
kazaa, and lime (the shared folders of peer-to-peer clients and web servers,
so that the copies are offered to other users). If it finds such a folder,
it copies itself into it as
an .exe file with a name such as "Adobe Premiere 10.exe,"
"ACDSee 10.exe," "Britney Spears full album.mp3.exe,"
"Britney sex xxx.jpg.exe," "Cloning.doc.exe,"
and others (some of which are sexually explicit). Netsky.P
searches every drive from C: to Z: for files (such as files
with .doc, .sht, .uin, and .vbs extensions) that may contain
email addresses, and records every address it finds. Next,
it creates a Simple Mail Transfer Protocol (SMTP) engine,
from which it spews messages containing infected attachments
to addresses it has found. It avoids sending these messages
to any address that has certain strings such as @fbi, @f-secur,
@skynet, @antivi, @avp, @f-pro, @norton, @spam and @Symantec,
however.
What to Do If Your System Is Infected
If your system is infected by Netsky.P, download and run
the Netsky
removal tool. Then follow the instructions on this page,
which show you how to perform a Live Update of your system’s
anti-virus software, restart your computer in Safe mode or
VGA mode (if applicable to your system), run an anti-virus
scan in which any viruses that are identified are eradicated,
and ensure that your Registry does not contain any values
added by this worm.
Preventing Netsky.P Infections
Update your system's anti-virus software daily, and do so immediately
if you haven't already. Refrain from
opening or forwarding any attachment that you are not expecting.
The Netsky.Y Worm
Netsky.Y (W32/Netsky.aa@MM or Worm.Netsky.Y) is yet another
mass-mailing worm that targets Windows systems and spoofs
sender addresses to fool recipients of messages it sends.
It arrives as what appears to be a mail delivery failure notice
with a subject of:
Subject: Delivery failure notice (ID-<random number>)
And a message body that begins with:
--- Mail Part Delivered ---
The attachment is:
www.<random domain name>.<random username>.session-<random
number>.com
This worm copies itself into the system folder of each system
it infects as FirewallSvr.exe and then adds a value, "FirewallSvr"="%Windir%\FirewallSvr.exe,"
to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that this worm starts every time the infected system is
booted. Netsky.Y creates a mutex (a named synchronization object)
so that only one copy of this worm runs on a system at a time.
It adds a MIME-encoded copy of itself to the system directory
and opens TCP port 82 as a backdoor through which an attacker can
upload an executable and then run it remotely. [Between April 28 and 30, 2004,
Netsky.Y launched a denial-of-service attack against three
Web sites (www.medinfo.ufl.edu, www.educa.ch, and www.nibis.de).]
Netsky.Y scans all hard drives for files with extensions
such as .rtf, .txt, .tbb, .eml, and .ppt, recording any email
addresses that it finds. It then starts a Simple Mail Transfer
Protocol (SMTP) engine and sends messages with attachments containing
copies of itself to every address it has found, as well as to
hukanmikloiuo@yahoo.com; the harvested addresses are also used
as the spoofed senders’ addresses. To deliver the mail, the worm
tries to use the infected system’s default DNS server to get the
IP address of this machine’s email server; if unsuccessful in
reaching the DNS server, it tries other predesignated DNS servers.
How to Recover If Your System Becomes Infected
To recover, Symantec recommends that you:
• Disable System Restore in Windows Me and XP
• Update your computer’s anti-virus software.
• Restart your computer in Safe or VGA mode.
• Perform a system scan on all hard drives, and delete
any copies of this worm.
• Correct any Registry changes that Netsky.Y has made.
A recovery tool for Netsky infections is available from Symantec.
Running this tool, however, will not completely reverse all
of the many changes that Netsky.Y makes in systems that it
infects.
Preventing Netsky.Y Infections
Update your system's anti-virus software daily, and do so immediately
if you haven't already. Refrain from
opening or forwarding any attachment that you are not expecting.
The Netsky.Z Worm
The Netsky.Z worm (also known as W32/Netsky.z@MM) is still
another mass-mailing worm that targets Windows systems and
spoofs sender addresses to fool recipients of messages it
sends. It arrives as a message with a variety of subject lines,
messages, and attachment names. Subject lines include: “Hello,”
“Hi,” “Important,” “Important
bill!,” “Important data!”, “Important
details!”, “Important document!”, “Important
informations!”, “Important notice!”, “Important
textfile!”, “Important!”, and “Information.”
The attachment is always a .zip file with one of the following
names: Bill.zip, Data.zip, Details.zip, Important.zip, Informations.zip,
Notice.zip, Part-2.zip, or Textfile.zip.
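The lures described for Netsky.B through Netsky.Z share three traits that a mail gateway or a responder can test for without signatures: a double extension that hides an executable behind a document name, a bare executable extension (including the .com of the “www.<domain>.<user>.session-<n>.com” names used by Netsky.N and .Y, which reads as a web address but is a DOS executable), and the fake “+++ Attachment: No Virus found” footer appended by Netsky.N and .P. The following Python is an added example, not code from the original archive page or from any vendor: it checks a raw RFC 822 message for those traits and opens .zip attachments to inspect the file names inside, since Netsky.B, .C, and .Z shipped the executable zipped. The sample message it builds is constructed for the example (it combines Netsky.P's spoofed sender and footer with a zipped double-extension attachment of the Netsky.B/C kind) and is not a captured message; the extension lists are the example's own assumptions.

```python
"""Netsky-style lure check over one raw RFC 822 message (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: extensions Windows executes, and document
# extensions the worms put in front of them to disguise the real one.
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
DOC_EXT = {"doc", "txt", "rtf", "pdf", "jpg", "gif", "mp3", "htm", "html"}

# Footer the Netsky.N/P variants append to make the attachment look scanned.
FAKE_SCAN_RE = re.compile(r"^\+\+\+ Attachment: No Virus found", re.M | re.I)


def classify_name(name):
    """Return a reason string if the file name is a lure, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXT:
        return f"double extension {name!r}"
    return f"executable attachment {name!r}"


def analyze(raw_message):
    """Return the list of lure traits found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_SCAN_RE.search(body.get_content()):
        findings.append("fake 'No Virus found' scanner footer in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            findings.append(reason)
        if name.lower().endswith(".zip"):
            # Netsky.B/C/Z ship the executable inside a zip; look at the
            # member names rather than trusting the outer .zip extension.
            try:
                data = part.get_payload(decode=True)
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        inner = classify_name(member)
                        if inner:
                            findings.append(f"inside {name}: {inner}")
            except zipfile.BadZipFile:
                findings.append(f"{name} is not a valid zip archive")
    return findings


def build_sample_lure():
    """Constructed message for this example, not a captured Netsky mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("your_details.doc.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "support@symantec.com"  # spoofed sender, as the page notes
    msg["To"] = "user@example.org"
    msg["Subject"] = "Re: Secure delivery"
    msg.set_content(
        "Please confirm!\n\n"
        "+++ Attachment: No Virus found\n"
        "+++ Kaspersky AntiVirus - www.kaspersky.com\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    return msg.as_string()


SAMPLE_LURE = build_sample_lure()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LURE):
        print(finding)
```

Run over a quarantine folder, analyze() returns an empty list for ordinary mail and a list of reasons for each lure trait it finds; the zip inspection is what separates this from a plain filename filter, which would pass details.zip untouched.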
How Netsky.Z Infects Your System
This worm copies itself into the system folder of each system
it infects as Jammer2nd.exe and then adds a value, "Jammer2nd"
= "%WinDir%\JAMMER2ND.EXE," to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This allows the worm to start every time the infected system
is booted. Netsky.Z creates a zip file that includes a copy
of the worm that is written to %systemroot%\PK_ZIP_ALG.LOG,
where %systemroot% is the installation folder. It also creates
eight MIME-encoded zip files containing the worm named %systemroot%\PK_ZIPn.LOG;
"n" is an integer between 1 and 8. Additionally,
it creates a mutex named "(S)(k)(y)(N)(e)(t)"
so that only one copy of the worm runs on a system at a time.
If the system clock indicates that the date is between May
2, 2004, and May 5, 2004, Netsky.Z will try to launch denial-of-service
attacks against certain Web sites, namely:
- www.nibis.de
- www.medinfo.ufl.edu
- www.educa.ch
Netsky.Z activates TCP port 665 to allow attackers to send
to and then remotely run an executable on the infected machine,
allowing them to gain unauthorized remote control of the machine.
This worm also attempts to use the default DNS server for
the infected machine to obtain the IP address of the infected
machine’s email server; if unsuccessful in doing so,
it subsequently tries to contact a number of predesignated
DNS servers such as those with IP addresses of 145.253.2.171,
151.189.13.35 and 193.141.40.42. Additionally, this worm obtains
email addresses from files in the infected system, creates
a mail engine, and mails copies of itself to the addresses
it has found, as well as to jamainlbbbsdef@yahoo.com.
How to Recover if Your System Becomes Infected
A recovery tool for Netsky infections is available from Symantec.
If your system is infected, you should try running this tool
first. Running this tool, however, will not completely reverse
all of the many changes that Netsky.Z makes in systems that
it infects. To ensure that other changes are reversed, do
the following:
- Disable System Restore in Windows Me and XP.
- Update your computer’s anti-virus software.
- Restart your computer in Safe or VGA mode.
- Perform a system scan on all hard drives and delete any
copies of this worm.
- Correct any Registry changes that Netsky.Z has made.
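“Correct any Registry changes” is the step the removal tools leave partly to the responder. Every variant on this page persists through a single string value under a Run key whose data names the dropped file, so the persistence entries of Netsky.B, .C, .D, .N, .P, .Y and .Z can all be checked from one export of the Run and RunServices keys, taken on the suspect machine with, for example, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`. The following Python is an added example, not part of the original page or of any vendor tool: it parses the .reg export format and reports entries matching the value names and dropper file names the page lists. The sample export is constructed for the example; the value and file names in its tables come from this page, and the helper names are the example's own.

```python
"""Triage a .reg export of Run keys for Netsky persistence (added example)."""
import re

# Dropped file name -> variant, as described on this page.
NETSKY_DROPPERS = {
    "services.exe": "Netsky.B",
    "winlogon.exe": "Netsky.C/D",
    "firewallsvr.exe": "Netsky.N/Y",
    "fvprotect.exe": "Netsky.P",
    "jammer2nd.exe": "Netsky.Z",
}
# Run-value names the variants register, lower-cased for comparison.
NETSKY_VALUE_NAMES = {"service", "icq net", "firewallsvr",
                      "norton antivirus av", "jammer2nd"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# First executable file name in a command line, with or without a path.
EXE_RE = re.compile(r'([^\\/"]+?\.(?:exe|pif|scr|com))\b', re.I)


def _unescape(text):
    # .reg files double backslashes and escape quotes inside strings.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(reg_text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.

    Binary (hex:) and DWORD values are skipped; the default value '@' is
    reported with an empty name.
    """
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        if line.startswith("@="):
            name, rhs = "", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, rhs = _unescape(m.group(1)), m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            yield key, name, _unescape(rhs[1:-1])


def triage(reg_text):
    """Return (key, value_name, data, variant) for suspect Run entries."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.upper().endswith(("\\RUN", "\\RUNSERVICES", "\\RUNONCE")):
            continue
        m = EXE_RE.search(data)
        exe = m.group(1).lower() if m else ""
        if exe in NETSKY_DROPPERS:
            # services.exe and winlogon.exe are also legitimate binaries in
            # %SystemRoot%\system32, but neither is ever started from a Run
            # value, so the match is made on the file name, not its folder.
            hits.append((key, name, data, NETSKY_DROPPERS[exe]))
        elif name.lower() in NETSKY_VALUE_NAMES:
            hits.append((key, name, data, "value name only; inspect"))
    return hits


def load_export(path):
    """reg export writes UTF-16LE with a BOM; older tools wrote ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


# Constructed sample export for this example (not data from the page).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"
"SomeUpdater"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"system"="C:\\WINDOWS\\system32\\svchost.exe"
'''

if __name__ == "__main__":
    for key, name, data, variant in triage(SAMPLE_EXPORT):
        print(f"{variant}: [{key}] {name!r} = {data!r}")
```

Match on the dropped file name rather than the folder: the worms copy services.exe and winlogon.exe into %SystemRoot% itself, one level above the legitimate copies in %SystemRoot%\system32, and since the real binaries are never registered under Run, any Run value launching a file of that name is worth pulling whatever path it shows. Values the worms delete (Taskmon, Explorer, KasperskyAV and the rest) cannot be found this way; their absence is what a comparison against a known-good export of the same keys would show.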
Preventing Netsky.Z Infections
Update your system's anti-virus software daily. Do not open
or forward any attachment that you are not expecting.