Win32.Netsky.D Worm

Virus Alert Notification

Alias: I-Worm.NetSky.d (Kaspersky),
W32/Netsky.d@MM (McAfee),
WORM_NETSKY.D (Trend)
Category: Win32
Type: Worm
Published Date: 1/03/2004
Last Modified: 1/03/2004

CHARACTERISTICS
Win32.Netsky.D is a worm that spreads through e-mail. It is distributed as a 17,424-byte Win32 executable compressed with PEtite.

Method of Installation

When run, it creates a mutex called "[SkyNet.cz]SystemsMutex", in order to avoid running multiple copies of itself.

It copies itself to:

%Windows%\WINLOGON.EXE

It adds a value to the registry to ensure this copy is run each time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICQ Net = "%Windows%\winlogon.exe -stealth"

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt for Windows 2000 and NT, and C:\Windows for Windows 95, 98, ME and XP.

Method of Distribution

Via E-mail

Netsky.D searches through files with the following extensions, looking for e-mail addresses to send itself to:

eml
txt
php
pl
htm
html
vbs
rtf
uin
asp
wab
doc
adb
tbb
dbx
sht
oft
msg
shtm
cgi
dhtm

It avoids using addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet

The worm searches drives c: to z:, but avoids searching CDROM drives.

Netsky.D sends itself through e-mail using its own SMTP engine. It spoofs the 'From' address of the message by inserting one of the e-mail addresses that it harvested from the affected machine.

The message subject is chosen at random from this list:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Possible message body:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file...
Please read the attached file.
Your file is attached.

Possible attachment names:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm creates 8 threads to run its e-mailing routine, presumably to increase its speed of spreading.

The worm attempts to use the local system's DNS server to resolve the mail server address for each targeted e-mail account. If it cannot use this DNS server, it falls back to a list of 25 IP addresses stored inside its own code.

Payload

Removes Registry Values
The worm removes these registry values, some of which are associated with other worms:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.

It also deletes these registry keys, and any values contained within them:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch

Causes Noise
If the system date is March 2nd, 2004, and the hour of the day is 6, 7 or 8, the worm continuously generates short, sharp, randomly pitched beeping sounds through the PC speaker, waiting 0.05 seconds between beeps.

Analysis by Sha-Li Hsieh and Vitaly Neyman
Engram
I got a copy the other day from a prestige car company :( At least I didn't open it, because I have never even contemplated buying a luxury vehicle, but obviously employees there were not taught not to open attachments unless they had requested them...