Email-Worm.Win32.NetSky.o

Technical Details

This worm spreads via the Internet as an attachment to infected messages.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++. It is approximately 16KB in size and packed using UPX. The unpacked file is approximately 140KB in size.

When launched, the worm recursively scans all disks, starting with C: for files with the following extensions:

.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml

It sends copies of itself to email addresses harvested from these files.

The worm creates the following files:

<%Windir%>\zip1.tmp <%Windir%>\zip2.tmp <%Windir%>\zip3.tmp <%Windir%>\zip4.tmp <%Windir%>\zip5.tmp <%Windir%>\zip6.tmp, which contains a MIME encoded copy of the worm <%Windir%>\zipped.tmp - a copy of the worm in a ZIP archive

It deletes the following system registry keys:

[HKLM(HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
system.
msgsvr32
au.exe
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe

Installation

When launching, the worm copies itself to the Windows directory as Avprotect9x.exe. It then registers the full path to this file in the system registry.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        NetDy = <%windir%>\VisualGuard.exe

Infected messages

Message header (compiled using one or more lines from the list below):

Re:
Re: Re:

your
my

approved
important
here
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately

Attachment name (chosen at random from the list below):

document
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all

Message body (chosen at random from the list below):

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.

The worm contains the following text strings:

<*>NetDy: Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
<*>NetDy: We have rewritten *N*e*t*S*k*y.
<*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
<*>NetDy: Our group will continue the war.
<*>NetDy: Malware writers ',27h,'End',27h,' comes true.
<*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).
<*>NetDy: ----------------------------------------------------------------------------
<*>NetDy: We are greeting all russia people!
USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU, OSAMA BIN LADEN,
BURN IN THE DEVILS FIRE 2!!! SHAME ON YOU MR. BUSH!!!

Signs of infection

The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds. This behaviour makes it possible to detect the worm using Kaspersky Anti-Hacker.