Threat Descriptions

NetSky.A

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

NetSky.A, I-Worm.Moodown, W32/Netsky.A@mm, Moodown

Summary

Moodown worm was found on 16th of February 2004. Initially it was sent out in numerous seed emails. The worm spreads itself in emails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation to system

When the worm's file is run, it first shows a fake error messagebox: 

Error
 The file could not be opened!

Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry: 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"service" = "%windir%\services.exe -serv"

where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values: 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"
"Explorer"
"system."
"KasperskyAv"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"
"Explorer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"system."

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

After that the worm starts looking for email addresses. It scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives: 

.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml

If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names: 

winxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angels.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my pussy.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif

Spreading in emails

When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside: 

prod_info_04155.bat
prod_info_54234.scr
prod_info_42313.pif
prod_info_33462.cmd
prod_info_49541.exe
prod_info_04650.bat
prod_info_54739.scr
prod_info_42818.pif
prod_info_33967.cmd
prod_info_49146.exe
prod_info_54235.scr
prod_info_42314.pif
prod_info_54433.doc.exe
prod_info_47532.doc.scr
prod_info_43631.doc.exe
prod_info_56780.doc.exe
prod_info_43859.htm.scr
prod_info_87968.htm.scr
prod_info_34157.htm.exe
prod_info_77256.txt.scr
prod_info_33325.txt.exe
prod_info_56474.txt.exe
prod_info_33543.rtf.scr
prod_info_65642.rtf.scr
prod_info_55761.rtf.exe

The worm spreads itself in emails as a ZIP attachment or as an attachment with one of the above shown names. The infected emails sent by the worm look like that: 

From:
 EBay Auctions [responder@ebay.com]

or

Yahoo Auctions [auctions@yahoo.com]

or

Amazon automail [responder@amazon.com]

or

MSN Auctions [auctions@msn.com]

or

QXL Auctions [responder@qxl.com]

or

Ebay Auctions [responder@ebay.com]
 Subject:

Auction successful!
 Body:

#----------------- message was sent by automail agent ------------------#

Congratulations!

You were successful in the auction.

Auction ID [random number]
Product ID [random number]

A detailed description about the product and the bill
are attached to this mail.
Please contact the seller immediately

Thank you!

The worm's file is attached to the infected email inside a ZIP archive or as an normal binary file. The following ZIP attachent names are used by the worm: 

prod_info_04155.zip
prod_info_54234.zip
prod_info_42313.zip
prod_info_33462.zip
prod_info_49541.zip
prod_info_04650.zip
prod_info_54739.zip
prod_info_42818.zip
prod_info_33967.zip
prod_info_49146.zip
prod_info_54235.zip
prod_info_42314.zip
prod_info_54433.zip
prod_info_47532.zip
prod_info_43631.zip
prod_info_56780.zip
prod_info_43859.zip
prod_info_87968.zip
prod_info_34157.zip
prod_info_77256.zip
prod_info_33325.zip
prod_info_56474.zip
prod_info_33543.zip
prod_info_65642.zip
prod_info_55761.zip

A recipient has to unpack the worm's attachment from a ZIP archive and run it to get infected.