English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsEmail-Worm.Win32.NetSky.n

Email-Worm.Win32.NetSky.n

Detected Mar 23 2004 18:56 GMT
Released Mar 23 2004 18:56 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.

Summary


Technical details

File size of 17424 bytes.


Installation

Makes copies of itself with the following names once launched:

  • Windows directory (usually, C:\Windows)%Windir%\winlogon.exe

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "ICQ Net" = " Windows directory (usually, C:\Windows)%Windir%\winlogon.exe -stealth"


Malicious activity

Checks for Internet access on the infected machine

Connects to to the following Internet addresses:

  • ***.149.139.109:6400
  • ***.6.31.85:6400
  • ***.129.105.32:6400
  • ***.18.7.10:6400
  • ***.253.142.26:6400
  • ***.171.7.216:6400
  • ***.158.137.83:6400
  • ***.125.79.27:6400
  • ***.254.13.7:6400
  • ***.7.68.36:6400
  • ***.103.147.198:6400
  • ***.162.54.65:6400
  • ***.47.247.197:6400
  • ***.10.223.184:6400
  • ***.214.10.136:6400
  • ***.188.246.5:6400
  • ***.127.72.74:6400
  • ***.5.209.6:6400

Creates unique identifiers to flag its presence in the system

  • [SkyNet.cz]SystemsMutex

Uses the masks shown below to search for files on the victim machine:

  • *.*


Other activities

Deletes the following system registry keys:

[ HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 ]

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF ]

[ System registry hive HKEY_LOCAL_MACHINEHKLM\System\CurrentControlSet\Services\WksPatch ]

Deletes the following parameters of the system registry keys:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "Taskmon" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "Taskmon" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "Explorer" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "Explorer" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "KasperskyAv" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "KasperskyAv" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "system." = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "msgsvr32" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "DELETE ME" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "d3dupdate.exe" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "au.exe" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "service" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "OLE" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "Sentry" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Run ] "Windows Services Host" = ""

Description:
­Used to automatically run files when the Windows OS boots­

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "Windows Services Host" = ""

Description:
­Used to automatically run files when the Windows OS boots­



Print
Bookmark and Share
Share
Viruses and worms
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions
Email-Worm.Win32.NetSky.aa
Email-Worm.Win32.NetSky.ac
Email-Worm.Win32.NetSky.b
Email-Worm.Win32.NetSky.c
Email-Worm.Win32.NetSky.d
Email-Worm.Win32.NetSky.e
Email-Worm.Win32.NetSky.m
Email-Worm.Win32.NetSky.o
Email-Worm.Win32.NetSky.q
Email-Worm.Win32.NetSky.r
Email-Worm.Win32.NetSky.t
Email-Worm.Win32.NetSky.x
Email-Worm.Win32.NetSky.y

Aliases

Email-Worm.Win32.NetSky.n (Kaspersky Lab) is also known as:

  • I-Worm.NetSky.n (Kaspersky Lab)
  • Virus: W32/Netsky.d@MM (McAfee)
  • W32/Netsky-D (Sophos)
  • Worm.SomeFool.Gen-1 (ClamAV)
  • W32/Netsky.D.worm (Panda)
  • W32/Netsky.d@MM (FPROT)
  • Worm:Win32/Netsky.D@mm (MS(OneCare))
  • Win32.HLLM.Netsky.based (DrWeb)
  • Win32/Netsky.D1 worm (Nod32)
  • Generic.Malware.SM!H@mm.9D085E7A (BitDef7)
  • I-Worm.Netsky.D1 (VirusBuster)
  • Win32:Netsky-D1 [Wrm] (AVAST)
  • Email-Worm.Win32.NetSky.AB (Ikarus)
  • I-Worm/Netsky.D (AVG)
  • WORM/Netsky.D.3 (AVIRA)
  • W32.Netsky.D@mm (NAV)
  • Netsky.D@mm (Norman)
  • W32/Netsky.d@MM (NAI)
  • WORM_NETSKY.GEN (PCCIL)
  • Worm.NetSky.ah (Rising)
  • WORM_NETSKY.GEN (TrendMicro)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search