Threat Descriptions

Email-Worm:W32/NetSky.P

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

Email-Worm:W32/NetSky.P, Win32.netsky.p@mm

Summary

Email-Worm:W32/Netsky.P mass-mails itself to new victims using both email and by copying itself across local networks (LAN) and Peer-to-Peer (P2P) networks, as well as FTP and HTTP folders.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is spread as a dropper that is a Windows PE executable 29568 bytes long, packed with FSG file. When the dropper is run, it extracts the main worm's file that is 26624 bytes long and is packed with a modified UPX file compressor. That file is a DLL, so Netsky authors started to use a new approach to installing the worm to a system.

Netsky.P continues the ongoing feud with the Bagle worm's author.

Netsky.P was discovered on March 21st, 2004

Installation

Upon execution Netsky.P copies itself as FVPROTECT.EXE file to Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files into System Registry:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Norton Antivirus AV" = "%WinDir%\fvprotect.exe"

where %WinDir% represents Windows folder name. Additionally the worm drops the following files into Windows folder:

  • zipped.tmp
  • base64.tmp
  • zip1.tmp
  • zip2.tmp
  • zip3.tmp

These files contain UUEncoded worm's executable file and ZIP archives (3 different variants). These 3 archives contain worm's executables with the following names:

  • document.txt [lots spaces].exe
  • data.rtf [lots spaces].scr
  • details.txt [lots spaces].pif

Activity

NetSky.P worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 9 keys (listed below) belong to earlier Bagle variants.

This worm variant contains another insulting message for the author of Bagle worm.

Registry Changes

NetSky.P deletes the following Registry keys:

  • [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
  • [HKLM\System\CurrentControlSet\Services\WksPatch]
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] system. Video
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] system. msgsvr32 winupd.exe direct.exe jijbl Video service DELETE ME Taskmon Explorer
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] OLE Sentry Taskmon Windows Services Host Explorer gouday.exe au.exe direct.exe d3dupdate.exe rate.exe sysmon.exe srate.exe ssate.exe winupd.exe

Propagation (email)

Before spreading in email the worm collects email addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for email addresses there:

  • .pl
  • .htm
  • .html
  • .eml
  • .txt
  • .php
  • .asp
  • .wab
  • .doc
  • .vbs
  • .rtf
  • .uin
  • .shtm
  • .cgi
  • .dhtm
  • .adb
  • .tbb
  • .dbx
  • .sht
  • .oft
  • .msg
  • .jsp
  • .wsh
  • .xml

The worm avoids sending emails to addresses that contain the following substrings:

  • @microsof
  • @antivi
  • @symantec
  • @spam
  • @avp
  • @f-secur
  • @bitdefender
  • @norman
  • @mcafee
  • @kaspersky
  • @f-pro
  • @norton
  • @fbi
  • abuse@
  • @messagel
  • @skynet
  • @pandasof
  • @freeav
  • @sophos
  • ntivir
  • @viruslis
  • noreply@
  • spam@
  • reports@

The worm composes over 30 different types of emails. Subjects, body texts and attachment names are randomly selected from the variants that are hardcoded in the worm's body. These are the variants of the messages that the worm can send out:

Subject:

  • Re: Hi
  • Re: Hello

Body:

  • Please confirm!
  • Please answer quickly!

Attachment:

  • detail3.
  • document_all02c.
  • summary2004.

----------------- or -----------------

Subject:

  • Re: Request

Body: Thank you for your request, your details are attached!Thanks! Attachment:

  • details05.
  • data02.
  • all_in_all.

----------------- or -----------------

Subject:

  • Shocking document
  • You cannot do that!

Body: I am shocked about your document!Let'us be short: you have no experience in writing letters!!! Attachment:

  • document05.
  • your_document.
  • document_with_notice.

----------------- or -----------------

Subject:

  • hi
  • hello

Body: Try this, or nothing!Here is it! Attachment:

  • document05.
  • game_xxo.
  • websites03.

----------------- or -----------------

Subject:

  • Fwd: Warning again
  • Notice again

Body: Do not visit this illegal websites!You have downloaded these illegal cracks?.

Attachment:

  • abuselist.
  • abuses.
  • websites01.

----------------- or -----------------

Subject:

  • Re: List
  • Re: Question

Body: Here is my icq list.Here is my phone number.

Attachment:

  • my_list01.
  • my_numbers.
  • archive.

----------------- or -----------------

Subject:

  • Spamed?
  • Spam

Body: I have visited this website and I found you in the spammer list. Is that true?Are you a spammer? (I found your email on a spammer website!?!) Attachment:

  • websitelist01.
  • list_ed.
  • abuse_list.

----------------- or -----------------

Subject:

  • 0i09u5rug08r89589gjrg

Body: po44u90ugjid-k9z5894z09u049u89gh89fsdpokofkdpbm3-4i Attachment:

  • id04009.
  • id43342.
  • id09509.

----------------- or -----------------

Subject:[random]

Body:[random]

Attachment:

  • important.
  • details.
  • message.

----------------- or -----------------

Subject:

  • Re: A!p$ghsa
  • Important m$6h?3p

Body: Please r564g!he4a56a3haafdogu#mfn3oSMTP Error #201 See the ghg5%&6gfz65!4Hf55d!46gfgfServer Error #203 Attachment:

  • important.
  • details03.
  • document07.

----------------- or -----------------

Subject:

  • Do you?
  • Does it matter?

Body: Your photo, uahhh.... , you are naked!You have written a very good text, excellent, good work! Attachment:

  • text01.
  • details.
  • d4334938.

----------------- or -----------------

Subject:

  • News
  • Information

Body: Your archive is attached.Monthly news report.

Attachment:

  • news01.
  • info02.
  • report01.

----------------- or -----------------

Subject:

  • I love you!
  • I cannot forget you!

Body: lovely, :-)your big love, ;-) Attachment:

  • letter43.
  • story.
  • photo.

----------------- or -----------------

Subject:

  • Re: Proof of concept
  • Re: Developement

Body: I hope you accept the result!The sample is attached! Attachment:

  • document09.
  • part_01.
  • doc_word3.

----------------- or -----------------

Subject:

  • Re: Message
  • Re: Error in document

Body: Your important document, correction is finished!Important message, do not show this anyone! Attachment:

  • attach.
  • document.
  • message.

----------------- or -----------------

  • Subject:
  • Re: Free porn
  • Re: Sex pictures

Body: Here is the website. ;-)My favourite page.

Attachment:

  • www.freeporn4all.
  • www.myx4free.

----------------- or -----------------

Subject:

  • Re: Submit a Virus Sample
  • Re: Virus Sample

Body: The sample file you sent contains a new virus version of mydoom.j.Please clean your system with the attached signature.Sincerly,Robert Ferrew The sample file you sent contains a new virus version of buppa.k.Please update your virus scanner with the attached dat file.Best Regards,Keria Reynolds Attachment:

  • signature.
  • datfiles.

----------------- or -----------------

Subject:

  • Re: Old times
  • Re: Old photos

Body:

  • Greetings from france, your friend.

Have a look at these.

Attachment:

  • old_photos.
  • letter.

----------------- or -----------------

Subject:

  • Postcard
  • Your day

Body:

  • Best wishes, your friend. Congratulations!, your best friend.

Attachment:

  • postcard.
  • letter.

----------------- or -----------------

Subject:

  • Re: Sample
  • Re: Question

Body:

  • I have corrected your document.
  • I have attached the sample.

Attachment:

  • sample01.
  • doc01.
  • word_doc.
  • document04.

----------------- or -----------------

Subject:

  • Thank you!
  • Congratulations!

Body:

  • Your bill is attached to this mail. You were registered to the pay system. For more details see the attachment.

Attachment:

  • bill.
  • list.
  • confirm.
  • details.

----------------- or -----------------

Subject:

  • Illegal Website
  • Internet Provider Abuse

Body:

  • I noticed that you have visited illegal websites. See the name in the list!
  • You have visited illegal websites. I have a big list of the websites you surfed.

Attachment:

  • list.
  • abuselist.
  • judge.
  • readme.
  • details.

----------------- or -----------------

Subject:

  • Mail Account
  • Administrator

Body:

  • Your mail account is expired. See the details to reactivate it.
  • Your mail account has been closed. For further details see the document.

Attachment:

  • account.
  • readme.
  • details.

----------------- or -----------------

Subject:

  • Re: Hi
  • Re: Its me

Body:

  • The file is protected with the password ghj001.
  • I have attached your file. Your password is jkl44563.

Attachment:

  • document.
  • document43.
  • priv.
  • letter32.
  • data20.
  • mails9.
  • your_doc.
  • my_details.

----------------- or -----------------

Subject:

  • Private document
  • Stolen document

Body:

  • I found this document about you.
  • I cannot believe that.

Attachment:

  • document342.
  • your_document.
  • about_you.

----------------- or -----------------

Subject:

  • Hello
  • Hi

Body:

  • Try this game ;-)
  • I hope the patch works.

Attachment:

  • game.
  • patch3425.
  • application.
  • software.

----------------- or -----------------

Subject:

  • Mail Delivery (failure)
  • Error

Body:

  • Binary message is available.
  • Message has been sent as a binary attachment.

Attachment:

  • message.
  • msg.
  • data.
  • letter.
  • email.

----------------- or -----------------

Subject:

  • Re: Is that your document?
  • Is that your password?

Body:

  • Can you confirm it?
  • I have attached it to this mail.

Attachment:

  • document.
  • pwd02.
  • document01.
  • part6.
  • private_01.

----------------- or -----------------

Subject:

  • Re: Approved document
  • Re: Your document

Body:

  • Please read the attached file.
  • Your document is attached.

Attachment:

  • file.
  • your_document.
  • about_you.
  • document04.
  • msg.
  • all_doc01.
  • document.
  • approved.
  • improved.
  • corrected.

----------------- or -----------------

Subject:

  • Protected Mail System
  • Mail Authentication

Body:

  • Encrypted message is available.
  • Protected message is attached.

Attachment:

  • pgp_sess01.
  • encrypted_msg01.
  • document.
  • message.
  • msg.

----------------- or -----------------

Subject:

  • Re: Mail Authentification
  • Re: Delivery Protection
  • Re: Secure delivery
  • Re: Protected Mail Delivery
  • Re: Protected Mail System
  • Re: Protected Mail Request
  • Re: Secure SMTP Message
  • Re: Extended Mail System
  • Re: Error
  • Re: Message Error
  • Re: Administration
  • Re: Test
  • Re: Thank you for delivery
  • Re: Failure
  • Re: Bad Request
  • Re: Delivery Server
  • Re: Mail Server
  • Re: SMTP Server
  • Re: Notify
  • Re: Status
  • Re: Extended Mail
  • Re: Encrypted Mail

Body:

  • Please confirm my request.
  • ESMTP [Secure Mail System #334]: Secure message is attached.
  • Partial message is available.
  • Waiting for a Response. Please read the attachment.
  • First part of the secure mail is available.
  • For more details see the attachment.
  • For further details see the attachment.
  • Your requested mail has been attached.
  • Protected Mail System Test.
  • Secure Mail System Beta Test.
  • Forwarded message is available.
  • Delivered message is attached.
  • Encrypted message is available.
  • Please read the attachment to get the message.
  • Follow the instructions to read the message.
  • Please authenticate the secure message.
  • Protected message is attached.
  • Waiting for authentification.
  • Protected message is available.
  • Bad Gateway: The message has been attached.
  • SMTP: Please confirm the attached message.
  • You got a new message.
  • Now a new message is available.
  • New message is available.
  • You have received an extended message. Please read the instructions.

Attachment:

  • message.
  • msg.
  • details.
  • data.
  • document.
  • readme.

----------------- or -----------------

Subject:

  • here
  • hi
  • hello
  • thanks!
  • approved
  • corrected
  • patched
  • improved
  • important
  • read it immediately

Body:

  • Your details.
  • Your document.
  • I have received your document. The corrected document is attached.
  • I have attached your document.
  • Your document is attached to this mail.
  • Authentication required.
  • Requested file.
  • See the file.
  • Please read the important document.
  • Please confirm the document.
  • Your file is attached.
  • Please read the document.
  • Your document is attached.
  • Please read the attached file!
  • Please see the attached file for details.

Attachment:

  • your
  • my
  • approved
  • important

combined with the following:

  • document.
  • file.
  • details.
  • information.
  • letter.
  • product.
  • website.
  • application.
  • screensaver.
  • bill.
  • word document.
  • excel document.
  • data.
  • message.
  • text.
  • document_all.

The [ext] represents the extension that can be single or double. The first extension can be:

  • [ext].txt
  • [ext].doc

The second extension can be:

  • [ext].pif
  • [ext].exe
  • [ext].scr

The infected attachment name can contain random numbers and can be sent in a ZIP archive. The worm can add a fake scan report to the end of an infected message. The following variants of scan report are used:

  • +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com
  • +++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com
  • +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com
  • +++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com
  • +++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com
  • ++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com
  • ++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com
  • ++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de

The worm can send messages with an IFrame Exploit that allows the worm's attachment MESSAGE.SCR to be automatically run on certain versions of email clients.

Propagation (LAN, P2P networks, FTP and HTTP folders)

The worm scans all drives from C: to Z: except CD-ROM drives. If it finds folders with any of the following names:

  • my shared folder
  • download
  • ftp
  • htdocs
  • http
  • upload
  • shar
  • icq
  • bear
  • lime
  • morpheus
  • donkey
  • mule
  • kazaa
  • shared files

Then copies itself there multiple times with the following names:

  • Kazaa Lite 4.0 new.exe
  • Britney Spears Sexy archive.doc.exe
  • Kazaa new.exe
  • Britney Spears porn.jpg.exe
  • Harry Potter all e.book.doc.exe
  • Britney sex xxx.jpg.exe
  • Harry Potter 1-6 book.txt.exe
  • Britney Spears blowjob.jpg.exe
  • Harry Potter e book.doc.exe
  • Britney Spears cumshot.jpg.exe
  • Harry Potter.doc.exe
  • Britney Spears fuck.jpg.exe
  • Harry Potter game.exe
  • Britney Spears.jpg.exe
  • Harry Potter 5.mpg.exe
  • Britney Spears and Eminem porn.jpg.exe
  • Matrix.mpg.exe
  • Britney Spears Song text archive.doc.exe
  • Britney Spears full album.mp3.exe
  • Eminem.mp3.exe
  • Britney Spears.mp3.exe
  • Eminem Song text archive.doc.exe
  • Eminem Sexy archive.doc.exe
  • Eminem full album.mp3.exe
  • Eminem Spears porn.jpg.exe
  • Ringtones.mp3.exe
  • Eminem sex xxx.jpg.exe
  • Ringtones.doc.exe
  • Eminem blowjob.jpg.exe
  • Altkins Diet.doc.exe
  • Eminem Poster.jpg.exe
  • American Idol.doc.exe
  • Cloning.doc.exe
  • Saddam Hussein.jpg.exe
  • Arnold Schwarzenegger.jpg.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe
  • Adobe Photoshop 10 crack.exe
  • Microsoft WinXP Crack full.exe
  • Teen Porn 15.jpg.pif
  • Adobe Premiere 10.exe
  • Adobe Photoshop 10 full.exe
  • Best Matrix Screensaver new.scr
  • Porno Screensaver britney.scr
  • Dark Angels new.pif
  • XXX hardcore pics.jpg.exe
  • Microsoft Office 2003 Crack best.exe
  • Serials edition.txt.exe
  • Screensaver2.scr
  • Full album all.mp3.pif
  • Ahead Nero 8.exe
  • netsky source code.scr
  • E-Book Archive2.rtf.exe
  • Doom 3 release 2.exe
  • How to hack new.doc.exe
  • Learn Programming 2004.doc.exe
  • WinXP eBook newest.doc.exe
  • Win Longhorn re.exe
  • Dictionary English 2004 - France.doc.exe
  • RFC compilation.doc.exe
  • 1001 Sex and more.rtf.exe
  • 3D Studio Max 6 3dsmax.exe
  • Keygen 4 all new.exe
  • Windows 2000 Sourcecode.doc.exe
  • Norton Antivirus 2005 beta.exe
  • Gimp 1.8 Full with Key.exe
  • Partitionsmagic 10 beta.exe
  • Star Office 9.exe
  • Magix Video Deluxe 5 beta.exe
  • Clone DVD 6.exe
  • MS Service Pack 6.exe
  • ACDSee 10.exe
  • Visual Studio Net Crack all.exe
  • Cracks & Warez Archiv.exe
  • WinAmp 13 full.exe
  • DivX 8.0 final.exe
  • Opera 11.exe
  • Internet Explorer 9 setup.exe
  • Smashing the stack full.rtf.exe
  • Ulead Keygen 2004.exe
  • Lightwave 9 Update.exe
  • The Sims 4 beta.exe

This feature allows the worm to spread to local network, to shared folders of P2P (peer-to-peer) clients and to ftp and http server folders (if such servers are present on an infected computer or on computers that have open shares with an infected one). Additionally it allows the worm to copy itself multiple times on a local hard disk.