English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Email-Worm.Win32.NetSky.x

Email-Worm.Win32.NetSky.x

Detected	Apr 17 2004 15:40 GMT
Released	Apr 17 2004 15:40 GMT
Published	Jun 16 2005 11:10 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm is activated when the user launches the attached file by clicking on the attachment. The worm will then install itself and start propagating.

The worm itself is a PE EXE file, written in Microsoft Visual C++ and packed using UPX. The packed file is approximately 24KB in size and the unpacked file is approximately 138KB in size.

Installation

The worm copies itself to the Windows root directory under the name "VisualGuard.exe":

%Windir%\VisualGuard.exe

and registers this file in the Windows system registry

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NetDy" = "%Windir%\VisualGuard.exe"

This ensures that the worm will be run each time Windows is rebooted.

The worm also creates the following files in the Windows root directory:

%Windir%\base64.tmp 
%Windir%\zip1.tmp
%Windir%\zip2.tmp
%Windir%\zip3.tmp
%Windir%\zip4.tmp
%Windir%\zip5.tmp
%Windir%\zip6.tmp
%Windir%\zipped.tmp

The worm creates the unique identifier "NetDy_Mutex_Psycho" to flag its presence in the system.

Propagation via email

The worm harvests addresses by scanning files with the following extensions:

.adb
.asp
.dbx
.cgi
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml

It uses its own SMTP library to send messages to harvested addresses.

Infected messages

Infected messages have an attachment:

Message subject (chosen at random from the list below):

Re:
approved
my
your
application
bill
corrected
data
details
document
document_all
excel document
file
hello
here
hi
important
improved 
information
letter
message
patched
product
read it immediately
screensaver
text
thanks!
website
word document

Message body (chosen at random from the list below):

Authentication required.
I have attached your document.
I have received your document. The corrected document is attached.
Please confirm the document.
Please read the attached file.
Please see the attached file for details.
Please read the document.
Please read the important document.
Requested file.
See the file.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.

Message signature:

No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

Attachment name (chosen at random from the list below):

application
approved
bill
data
details
document
document_all
excel document
file
important
improved 
information
letter
message
product
screensaver
text
website
word document

The attachment may have one of the following extensions:

exe
pif
scr
zip

Other

The worm will delete the following registry values (if found)

Explorer
msgsvr32
Sentry
service
system
Taskmon
DELETE ME

from

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

It also deletes the following values:

Taskmon
Explorer
d3dupdate.exe
au.exe
gouday.exe
rate.exe
sysmon.exe
srate.exe
ssate.exe
OLE
PINF

from

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Netsky.x also deletes the following registry keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System" 
[HKLM\System\CurrentControlSet\Services]
"WksPatch"

These registry keys and values relate to other email worms (some versions of Email-Worm.Win32.Bagle and Email-Worm.Win32. Mydoom).

Email-Worm.Win32.NetSky.x contains the following text strings:

<*>NetDy: Thanks to the SkyNet alias NetSky crew for the sourcecode.
<*>NetDy: We have rewritten NetSky.
<*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
<*>NetDy: Our group will continue the war.
<*>NetDy: Malware writers 'End' comes true.
<*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).
<*>NetDy: ----------------------------------------------------------------------------
<*>NetDy: We are greeting all russia people!
USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU,
OSAMA BIN LADEN,
BURN IN THE DEVILS FIRE 2!!!
SHAME ON YOU MR. BUSH!!!

Print

Share

Malicious programs

Viruses and worms

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

using a direct connection to a SMTP server using the email directory built into the worm’s code
using MS Outlook services
using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

the address book in MS Outlook
a WAB address database
.txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Other versions

Email-Worm.Win32.NetSky.aa

Email-Worm.Win32.NetSky.ac

Email-Worm.Win32.NetSky.b

Email-Worm.Win32.NetSky.c

Email-Worm.Win32.NetSky.d

Email-Worm.Win32.NetSky.e

Email-Worm.Win32.NetSky.m

Email-Worm.Win32.NetSky.o

Email-Worm.Win32.NetSky.q

Email-Worm.Win32.NetSky.r

Email-Worm.Win32.NetSky.t