Email-Worm.Win32.NetSky.r
| Detected | May 20 2004 07:58 GMT |
| Released | Jul 22 2004 12:24 GMT |
| Published | May 20 2004 07:58 GMT |
This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file of approximately 26KB, packed using Petite, and written in Microsoft Visual C++.
Infected messages have the following characteristics.

Subject (one of the following):
Deliver Mail
Delivered Message
Delivery
Delivery Bot
Delivery Error
Delivery Failed
Delivery Failure
Error
Failed
Failure
Mail Delivery failure
Mail Delivery System
Mail System
Server Error
Status
Unknown Exception

The recipient's address is also shown.

Message body (the first line is one of the following):
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn't be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted

Then "Note:" followed by one of the following:
Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.

The text below may also be used as the message body:
Or you can view the message at: www.[recipient domain]/inmail/[recipient name]/mread.php?sessionid-[random value]

An example of how this text might appear in the message:
Or you can view the message at: www.[kaspersky.com]/inmail/[test]/mread.php?sessionid-[4321]

Attachment name (one of the following):
data
mail
msg
message

A random number and an extension are appended to the attachment names listed above.
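The message characteristics above can be turned directly into a mail-gateway or log-review heuristic. The following Python script is an added example, not code from the original description or from Kaspersky: it encodes the subject list, the body phrases, the fake "mread.php?sessionid-" link and the attachment naming pattern, and runs them over a few sample messages that are constructed inline (the sender address, the "build.log" message and the helper names `classify`, `build_message` and `scan_samples` are assumptions for illustration only). A message is flagged only when at least two independent traits match, because subjects such as "Error" or "Status" are common in legitimate mail.

```python
"""Heuristic check for NetSky.r-style fake bounce messages.

Added example: the subject list, body phrases, link pattern and attachment
naming come from the description above; the sample messages, addresses and
helper names are constructed for illustration and are not captured samples.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subjects used by the worm (lower-cased for comparison).
SUBJECTS = {
    "deliver mail", "delivered message", "delivery", "delivery bot",
    "delivery error", "delivery failed", "delivery failure", "error",
    "failed", "failure", "mail delivery failure", "mail delivery system",
    "mail system", "server error", "status", "unknown exception",
}
# The subject may also carry the recipient's address; strip it before matching.
TRAILING_ADDR_RE = re.compile(r"\s*<?[\w.+-]+@[\w.-]+>?\s*$")
# Attachment: data/mail/msg/message, a random number, then an extension.
ATTACHMENT_RE = re.compile(r"^(data|mail|msg|message)\d+\.[a-z0-9]{1,4}$", re.I)
# The fake web-mail link the worm places in the body.
LINK_RE = re.compile(r"/inmail/[^/\s]+/mread\.php\?sessionid-\d+", re.I)
# Fragments shared by the first-line and "Note:" sentences listed above.
BODY_PHRASES = ("this mail couldn't be", "has been sent as a binary",
                "translation failed", "has been attached")


def classify(raw: str) -> dict:
    """Return which NetSky.r traits a raw RFC 5322 message exhibits.

    The message is marked suspicious only when two or more traits match.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = TRAILING_ADDR_RE.sub("", str(msg["Subject"] or "")).strip().lower()
    reasons = []
    if subject in SUBJECTS:
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if LINK_RE.search(text) or any(p in text for p in BODY_PHRASES):
        reasons.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            reasons.append("attachment:" + name)
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def build_message(subject: str, text: str, attachment: str = "") -> str:
    """Construct a sample message (test data, not a captured worm sample)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"   # constructed sender address
    m["To"] = "test@kaspersky.com"         # address from the page's own example
    m["Subject"] = subject
    m.set_content(text)
    if attachment:
        # Placeholder bytes; a real sample would carry the ~26KB worm executable.
        m.add_attachment(b"MZ placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: one worm-style lure, one genuine-looking DSN, one
# ordinary message whose subject happens to be on the worm's list.
SAMPLES = {
    "netsky_lure": build_message(
        "Delivery Error test@kaspersky.com",
        "Mail Delivery - This mail couldn't be displayed\n"
        "Note: Received message has been sent as a binary attachment.\n"
        "Or you can view the message at: "
        "www.kaspersky.com/inmail/test/mread.php?sessionid-4321\n",
        attachment="message4321.pif"),
    "legit_dsn": build_message(
        "Delivery Status Notification (Failure)",
        "Delivery to the following recipient failed permanently:\n"
        "  someone@example.org\n"),
    "benign_error": build_message(
        "Error", "Hi, the nightly build failed; log attached.\n",
        attachment="build.log"),
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns sample name -> result."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:13s} suspicious={result['suspicious']} reasons={result['reasons']}")
```

Running the module prints one line per sample; only the constructed lure is flagged, while the genuine-looking bounce and the "Error" message with a log attachment are not. The recipient-address stripping matters because the worm appends the target address to the subject, which would otherwise defeat an exact-match list.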
The worm is activated when the user launches the infected file by double-clicking the attachment. The worm may also send messages that exploit a vulnerability in the handling of MIME headers, described in Microsoft Security Bulletin MS01-020, which lets the attachment run when the message is opened or previewed in a mail client using the vulnerable Internet Explorer component, without the user launching it.
The worm then installs itself on the system and starts propagating.
When installing, the worm copies itself to the Windows directory under the name SysMonXP.exe and registers this file in the system registry so that it is launched each time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
SysMonXP = %windir%\SysMonXP.exe
It also extracts a file named firewalllogger.txt from itself and writes it to the Windows directory. On launching, the worm may open WordPad and load a file named tmp.eml into it.
It creates the mutex "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_" to flag its presence on the system. This prevents more than one copy of the worm from running.
The worm may also install additional copies of itself on the system under the following names:
base64.tmp
zippedbase64.tmp
zipo0.txt
zipo1.txt
zipo2.txt
zipo3.txt
The worm searches for files with the extensions listed below and harvests email addresses from them to send messages to:
a ad adb as asp c cf cfg cg cgi d db dbx dh dht dhtm do doc e em eml
h ht htm html j js jsp m mb mbx md mdx mh mht mm mmf ms msg n nc nch o
od ods of oft p ph php pl pp ppt r rt rtf s sh sht shtm st stm t tb tbb
tx txt u ui uin v vb vbs w wa wab ws wsh x xl xls xm xml
The worm uses its own SMTP library to send messages.
The worm deletes the following autorun entries from the Windows system registry (these are startup entries used by other worms, notably the Bagle and Mydoom families):
Explorer
system.
msgsvr32
au.exe
winupd.exe
direct.exe
jijbl
Video
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
Microsoft IE Execute shell
Winsock2 driver
ICM
version
yeahdude.exe
Microsoft System Checkup
If the local system date matches a certain date, the worm conducts DDoS attacks on the following sites:
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails, and a number of different sources to find the email addresses to which infected emails will be sent. Many Email-Worms use more than one source of addresses; other sources include the address books associated with web-based email services.