Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Win32.HLLM.Netsky.35328

(Email-Worm.Win32.NetSky.q, WORM_NETSKY.P, Win32.Netsky.P@mm, W32/Netsky.p@MM, Worm/Netsky.HB, Parser error, Worm/Netsky.Q.Pk, Win32/Netsky.P!Worm, Worm/Netsky.P, Worm:Win32/Netsky.P@mm, Worm/Netsky.AP, Worm:Win32/Netsky.P@mm , WORM_NETSKY.DAM, WORM_Netsky.DAM, Worm/Netsky.O.2, W32/Netsky.gen@MM, WORM_NETsky.dam, W32/Netsky.p@MM!zip, WORM/Netsky.O.2, Packer.FSG.A, I-Worm/Netsky, W32/Cabanas, W32.Netsky.P@mm, Win32/Netsky.P@mm)

Added to the Dr.Web virus database: 2004-03-22

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: 29 568 byte

Packed by: FSG

Technical Information

  • Spreads via e-mail by using its own SMTP-realization.
  • To provide its own autorun, worm creates "Norton Antivirus AV" = %Windir%\FVProtect.exe record in registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  • Creates a semaphore "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
  • Copies files userconfig9x.dll, base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp to % WinDir% folder.
  • Worm tries to find e-mail addresses for further spreading by scanning files with such extensions:
    .pl
    .htm
    .html
    .eml
    .txt
    .php
    .asp
    .wab
    .doc
    .vbs
    .rtf
    .uin
    .shtm
    .cgi
    .dhtm
    .adb
    .tbb
    .dbx
    .sht
    .oft
    .msg
    .jsp
    .wsh
    .xml
  • Message subject gets out of the list:
    You were registered to the pay system.
    Can you confirm it?
    Is that your password?
    Re: Is that your document?
    all_doc01
    document04
    about_you
    your_document
    Please read the attached file.
    Re: Your document
    Re: Approved document
    Encrypted_msg01 pgp_sess01
    Protected message is attached.
    Encrypted message is available.
    Mail Authentication Protected Mail System
    Please confirm my request
    readme msg
    Re: Encrypted Mail
    Re: Extended Mail
    Re: Status
    Re: Notify
    Re: SMTP Server
    Re: Mail Server
    Re: Delivery Server
    Re: Bad Request
    Re: Failure
    Re: Thank you for delivery
    Re: Test
    Re: Administration
    Re: Message Error
    Re: Error
    Re: Extended Mail System
    Re: Secure SMTP Message
    Re: Protected Mail Request
    Re: Protected Mail System
    Re: Protected Mail Delivery
    Re: Secure delivery
    Re: Delivery Protection
    Re: Mail Authentification
  • Attachment filename gets out from such list:
    text
    message data
    excel document
    screensaver
    word document
    bill
    information
    details
    file
    document
    application
    website
    product
    letter
  • Also worm is able to spread via the file exchanging networks. It scans local disk for such foldernames:

    icq
    shar
    download
    kazaa
    donkey
    mule
    bear
    morpheus
    lime

  • In case of finding the target folders worm inputs own copies with such filenames:
    XXX hardcore pics.jpg.exe
    Dark Angels new.pif
    Porno Screensaver britney.scr
    Best Matrix Screensaver new.scr
    Adobe Photoshop 10 full.exe
    Adobe Premiere 10.exe
    Teen Porn 15.jpg.pif
    Microsoft WinXP Crack full.exe
    Adobe Photoshop 10 crack.exe
    Windows XP crack.exe
    Windows 2003 crack.exe
    Arnold Schwarzenegger.jpg.exe
    Saddam Hussein.jpg.exe
    Cloning.doc.exe
    American Idol.doc.exe
    Eminem Poster.jpg.exe
    Altkins Diet.doc.exe
    Eminem blowjob.jpg.exe
    The Sims 4 beta.exe
    Lightwave 9 Update.exe
    Ulead Keygen 2004.exe
    Smashing the stack full.rtf.exe
    Internet Explorer 9 setup.exe
    Opera 11.exe
    DivX 8.0 final.exe
    WinAmp 13 full.exe
    Cracks & Warez Archiv.exe
    Visual Studio Net Crack all.exe
    ACDSee 10.exe
    MS Service Pack 6.exe
    Clone DVD 6.exe
    Magix Video Deluxe 5 beta.exe
    Star Office 9.exe
    Partitionsmagic 10 beta.exe
    Gimp 1.8 Full with Key.exe
    Norton Antivirus 2005 beta.exe
    Windows 2000 Sourcecode.doc.exe
    Keygen 4 all new.exe
    3D Studio Max 6 3dsmax.exe
    1001 Sex and more.rtf.exe
    RFC compilation.doc.exe
    Full album all.mp3.pif
    Dictionary English 2004 - France.doc.exe
    Win Longhorn re.exe
    WinXP eBook newest.doc.exe
    Learn Programming 2004.doc.exe
    How to hack new.doc.exe
    Doom 3 release 2.exe
    E-Book Archive2.rtf.exe
    netsky source code.scr
    Ahead Nero 8.exe
    Screensaver2.scr
    Serials edition.txt.exe
    Microsoft Office 2003 Crack best.exe
  • The worm signs delivered letters on behalf of various antiviruses:
    +++ Attachment: No Virus found
    +++ MessageLabs AntiVirus - www.messagelabs.com

    +++ Attachment: No Virus found
    +++ MC-Afee AntiVirus - www.mcafee.com

    +++ Attachment: No Virus found
    +++ Kaspersky AntiVirus - www.kaspersky.com

    +++ Attachment: No Virus found
    +++ Panda AntiVirus - www.pandasoftware.com

    ++++ Attachment: No Virus found
    ++++ Norman AntiVirus - www.norman.com

    ++++ Attachment: No Virus found
    ++++ F-Secure AntiVirus - www.f-secure.com

    ++++ Attachment: No Virus found
    ++++ Norton AntiVirus - www.symantec.de

  • Worm doesn't spread its copies if there are such combinations at the address:
    @microsof
    @antivi
    @symantec
    @spam
    @avp
    @f-secur
    @bitdefender
    @norman
    @mcafee
    @kaspersky
    f-pro
    @norton
    @fbi
    abuse@
    @messagel
    @skynet
    @pandasof
    @freeav
    @sophos
    ntivir
    @viruslis
    noreply@
    spam@
    reports@
  • Body of the worm contains the text lines, which demonstrate negative relation of authors of email worms family Netsky to authors of other email worms - Beagle:

    B+a+g+l+e,
    d+o +n+o+t+ d+e+l+e+t+e
    S+k+y+N+e+t.

  • Substitutes in the body of mail the reference to ostensibly full mail. The domainname is substituted from the second part of the email address of the addressee (@domainname), and a name of the addressee - from the first part (username). For example:
    ------------------------------
    From: lola@sexnet.com
    To:lola@sexnet.com
    Subject: Mail Delivery (failure lola@sexnet.com)

    If the message will not displayed automatically,
    follow the link to read the delivered message.

    Received message is available at:

    www.sexnet.com/inbox/lola/read.php?sessionid-17423

    ------------------------------

  • Besides its basic function (spreading via e-mail), worm possesses some destructive functions:

    Deletes registry keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijb
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe

    Also worm deletes registry keys:
    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKLM\System\CurrentControlSet\Services\WksPatch
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

  • System Recovery References

    1. Load Windows in Safe Mode.
    2. Scan computer with Dr.Web® Scanner or freeware utility Dr.Web® CureIT!. It's necessary to apply action "Cure" to all infected files which were found.
    3. Recover system registry from backup copy.

    Important! Directly before doing of item 2, it's necessary to adjust the used email client so that it stored attachments as separate files, instead of in a body of email base. For example, storage of attachments separately from email base in email client TheBat! is adjusted as follows:
    Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory.