Win32.Netsky.B Worm
Alias: I-Worm.Moodown.b (Kaspersky),
W32.Netsky.B@mm (Symantec),
W32/Netsky.B@mm (F-Secure),
W32/Netsky.b@MM (McAfee),
Win32/Netsky.B.Worm,
WORM_NETSKY.B (Trend)
Category: Win32
Type: Worm
Published Date: 2/18/2004
Last Modified: 2/18/2004
CHARACTERISTICS
Win32.Netsky.B is a worm that spreads through e-mail and peer-to-peer sharing networks.
Method of Installation
When run, it creates a mutex called "AdmSkynetJklS003", in order to avoid running multiple copies of itself.
It displays a fake error message, which reads:
Error
The file could not be opened!
It copies itself to:
%Windows%\services.exe
It also adds a value to the registry to ensure this copy is run each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service = "%Windows%\services.exe -serv"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
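Because the install directory varies per Windows version, a check for this persistence entry should key on the value name, the file name and the "-serv" argument rather than a fixed path. The following is an added example (not part of the original analysis) that scans the text of a regedit/`reg export` .reg file for the Run value described above; the sample export is constructed for illustration.

```python
import re

# Run key and value from the description above. %Windows% differs per OS, so the
# pattern anchors on the value name, "services.exe" and the "-serv" argument only.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETSKY_VALUE = re.compile(r'^"service"="(?P<path>.*\\services\.exe -serv)"$', re.I)


def find_netsky_b_persistence(reg_export: str) -> list:
    """Return the data of every Netsky.B-style 'service' value under the HKLM Run key.

    Input is the text of a .reg export, where key names sit in [brackets] and
    values follow as "name"="data" with backslashes doubled.
    """
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            m = NETSKY_VALUE.match(line)
            if m:
                # undo the .reg file's backslash doubling for reporting
                hits.append(m.group("path").replace("\\\\", "\\"))
    return hits


# Constructed sample export (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"service"="C:\\WINNT\\services.exe -serv"
"""

if __name__ == "__main__":
    print(find_netsky_b_persistence(SAMPLE_EXPORT))
```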
Method/s of Distribution
Via E-mail
Netsky.B searches through files with the following extensions, looking for e-mail addresses to send itself to:
eml
txt
php
pl
htm
html
vbs
rtf
uin
asp
wab
doc
adb
tbb
dbx
sht
oft
msg
Netsky.B sends itself through e-mail using its own SMTP engine. The message subject is chosen at random from the following:
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
The message body is chosen from this list:
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
The attachment name is generated in several parts. The first part is chosen from:
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
The second part may be chosen from this list, or may be omitted altogether:
.txt
.rtf
.doc
.htm
The final part is chosen from:
.exe
.scr
.com
.pif
For example:
aboutyou.pif
bill.txt.scr
The attachment may also be sent inside a ZIP archive, for example:
aboutyou.zip
bill.zip
The worm creates the zip files used as mail attachments in the Windows directory.
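The three-part naming scheme is small enough to match exhaustively at a mail gateway. The following is an added example (not part of the original analysis) that reconstructs the scheme from the lists above and classifies an attachment by name, also opening ZIP attachments to look for a matching member; the ZIP sample is constructed in memory.

```python
import io
import zipfile

# Name fragments copied from the Netsky.B attachment description above.
FIRST_PARTS = (
    "document", "msg", "doc", "talk", "message", "creditcard", "details",
    "attachment", "me", "stuff", "posting", "textfile", "concert",
    "information", "note", "bill", "swimmingpool", "product", "topseller",
    "ps", "shower", "aboutyou", "nomoney", "found", "story", "mails",
    "website", "friend", "jokes", "location", "final", "release", "dinner",
    "ranking", "object", "mail2", "part2", "disco", "party", "misc",
)
MIDDLE_PARTS = ("", ".txt", ".rtf", ".doc", ".htm")  # "" = second part omitted
FINAL_PARTS = (".exe", ".scr", ".com", ".pif")

def is_netsky_b_name(name: str) -> bool:
    """True if name can be produced by the three-part scheme above."""
    name = name.lower()
    for first in FIRST_PARTS:
        if not name.startswith(first):
            continue
        rest = name[len(first):]
        for mid in MIDDLE_PARTS:
            if rest.startswith(mid) and rest[len(mid):] in FINAL_PARTS:
                return True
    return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'executable', 'zip-with-executable', 'malformed-zip' or 'clean'."""
    if is_netsky_b_name(filename):
        return "executable"
    if filename.lower().endswith(".zip"):
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "malformed-zip"  # a zip the gateway cannot inspect
        if any(is_netsky_b_name(m) for m in members):
            return "zip-with-executable"
    return "clean"

def build_sample_zip(member: str) -> bytes:
    """Constructed test data: an in-memory ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real executable")
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_attachment("aboutyou.zip", build_sample_zip("aboutyou.pif")))
```

A plain document such as details.doc is not flagged, since the scheme always ends in one of the four executable extensions.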
Via P2P or Mapped Drives
The worm searches for any directories whose names contain either "share" or "sharing". It copies itself into each matching directory and its subdirectories using these names:
winxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angels.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my *****.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif
The worm searches drives c: to z:, but avoids searching CD-ROM drives.
Payload
Removing Registry Values
The worm removes these registry values, some of which are associated with other worms:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
It also deletes this registry key, and any values contained within:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Analysis by Hamish O'Dea