| Detected | 24 Mar 2004 13:02 MSK |
| Update released | 18 Jan 2008 01:07 MSK |
| Description published | 24 Mar 2004 13:02 MSK |
A worm that spreads over the Internet as an attachment to infected e-mail messages. The program is a Windows application (PE EXE file), 29568 bytes in size, packed with FSG; the unpacked size is about 77 KB. It is written in C++.
The worm copies its body to:
%WinDir%\FVProtect.exe
It extracts from its body into the Windows directory a library named:
%WinDir%\userconfig9x.dll
This file is 26624 bytes in size and is detected by Kaspersky Anti-Virus as Email-Worm.Win32.NetSky.q.
The worm also creates the following files in the Windows directory; each holds a MIME-encoded copy of the worm:
%WinDir%\zip1.tmp
%WinDir%\zip2.tmp
%WinDir%\zip3.tmp
%WinDir%\base64.tmp
It additionally stores a copy of itself inside a ZIP archive:
%WinDir%\zipped.tmp
To be launched automatically at the next system start, the worm adds a value to the system registry autorun key (the same value listed in the removal instructions below):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = "%WinDir%\FVProtect.exe"
Once running, the worm creates unique identifiers (mutexes) that mark its presence in the system, named:
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
It then deletes the following values from the registry autorun keys (these are the names other mail worms use to start themselves):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
Video
service
DELETE ME
Sentry
Taskmon
Windows Services Host
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
Video
system.
To harvest e-mail addresses, the worm recursively scans all drives, starting with C:, for files with the following extensions and searches their contents for addresses:
.xml .wsh .jsp .msg .oft .sht .dbx .tbb .adb .dhtm .cgi .shtm .uin .rtf .vbs .doc .wab .asp .php .txt .eml .html .htm .pl
When sending mail it skips any address that contains one of the following substrings (the truncated forms such as "@viruslis" and "ntivir" are the literal patterns the worm matches, so they also cover longer domain names):
reports@ spam@ noreply@ @viruslis ntivir @sophos @freeav @pandasof @skynet @messagel abuse@ @fbi @norton @f-pro @kaspersky @mcafee @norman @bitdefender @f-secur @avp @spam @symantec @antivi @microsof
The subject of an infected message is chosen from the following list (several entries are random character strings generated by the worm and are reproduced here as they appear):
Re: Hello Re: Request Re: Order Shocking document You cannot do that! Notice again Fwd: Warning again Re: List Spam Spamed? 0i09u5rug08r89589gjrg ▀do0▀i4grjj40j09gjijgp№dщ Important m$6h?3p Re: A!p$ghsa Does it matter? Do you? Information News I cannot forget you! I love you! Re: Developement Re: Proof of concept Re: Error in document Re: Message Re: Sex pictures Re: Free porn Re: Virus Sample Re: Submit a Virus Sample Re: Old photos Re: Old times Your day Postcard Re: Question Re: Sample Congratulations! Thank you! Internet Provider Abuse Illegal Website Administrator Mail Account Re: Its me Re: Hi Stolen document Private document Hi Hello Error Mail Delivery (failure) Is that your password? Re: Is that your document? Re: Your document Re: Approved document Mail Authentication Protected Mail System Re: Encrypted Mail Re: Extended Mail Re: Status Re: Notify Re: SMTP Server Re: Mail Server Re: Delivery Server Re: Bad Request Re: Failure Re: Thank you for delivery Re: Test Re: Administration Re: Message Error Re: Error Re: Extended Mail System Re: Secure SMTP Message Re: Protected Mail Request Re: Protected Mail System Re: Protected Mail Delivery Re: Secure delivery Re: Delivery Protection Re: Mail Authentification document_all text message data excel document word document bill screensaver application website product letter information details file document important approved my your read it immediately important improved patched corrected approved thanks! hello hi here
The message body is chosen from the following list; note the fake "No Virus found" footers at the end, which imitate the scanning notices that mail gateways add and are meant to make the attachment look vetted:
Please answer quickly! Please confirm! Thanks! Thank you for your request, your details are attached! Let'us be short: you have no experience in writing letters!!! I am shocked about your document! Here is it! Try this, or nothing! You have downloaded these illegal cracks?. Do not visit this illegal websites! Here is my phone number. Here is my icq list. Are you a spammer? (I found your email on a spammer website!?!) I have visited this website and
I found you in the spammer list. Is that true? 9u049u89gh89fsdpokofkdpbm3▀4i po44u90ugjid▀k9z5894z0 See the ghg5%&6gfz65!4Hf55d!46gfgfPlease r564g!he4a56a3haafdogu#mfn3o You have written a very good text, excellent, good work! Your photo, uahhh.... , you are naked! Monthly news report. Your archive is attached. your big love, ;-) lovely, :-) The sample is attached! I hope you accept the result! Important message, do not show this anyone! Your important document, correction is finished! My favourite page. Here is the website. ;-) The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards, Keria Reynolds The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly, Robert Ferrew Have a look at these. Greetings from france, your friend. Congratulations!, your best friend. Best wishes, your friend. I have attached the sample. I have corrected your document. For more details see the attachment. Your bill is attached to this mail. I noticed that you have visited illegal websites. See the name in the list! You have visited illegal websites. I have a big list of the websites you surfed. Your mail account is expired.See the details to reactivate it. Your mail account has been closed.For further details see the document. The file is protected with the password ghj001. I have attached your file. Your password is jkl44563. I cannot believe that. I found this document about you. I hope the patch works. Try this game ;-) Message has been sent as a binary attachment. Binary message is available. I have attached it to this mail. Can you confirm it? Please read the attached file. Protected message is attached. Encrypted message is available. Please confirm my request. ESMTP [Secure Mail System #334]: Secure message is attached. Partial message is available. Waiting for a Response. Please read the attachment. First part of the secure mail is available. For more details see the attachment. For further details see the attachment. Your requested mail has been attached. Protected Mail System Test. Secure Mail System Beta Test. Forwarded message is available. Delivered message is attached. Encrypted message is available. Please read the attachment to get the message. Follow the instructions to read the message. Please authenticate the secure message. Protected message is attached. Waiting for authentification. Protected message is available. Bad Gateway: The message has been attached. SMTP: Please confirm the attached message. You got a new message. Now a new message is available. New message is available. You have received an extended message. Please read the instructions. Your details. Your document. I have received your document. 
The corrected document is attached. I have attached your document. Your document is attached to this mail. Authentication required. Requested file. See the file. Please read the important document. Please confirm the document. Your file is attached. Please read the document. Your document is attached. Please read the attached file! Please see the attached file for details. +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com +++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com +++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com +++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com ++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com ++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com ++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de
The attachment name is chosen from the following list:
summary2004 document_all02c detail3 all_in_all data02 details05 document_with_notice websites03 game_xxo document05 websites01 abuses archive my_numbers my_list01 abuse_list list_ed websitelist01 id09509 id43342 id04009 document07 details03 d4334938 text01 report01 info02 news01 photo story letter43 doc_word3 part_01 document09 attach www.myx4free www.freeporn4all datfiles signature old_photos postcard word_doc doc01 sample01 confirm judge abuselist list account my_details your_doc mails9 data20 letter32 priv document43 document342 software patch3425 game email private_01 part6 document01 pwd02 all_doc01 document04 about_you your_document encrypted_msg01 pgp_sess01 readme msg document_all text message data excel document word document bill screensaver application website product letter information details file document important approved my your
The attachment may have one of the following extensions (the .zip variant is the archived copy kept in %WinDir%\zipped.tmp):
.exe .pif .scr .zip
To spread through file-sharing networks, the worm searches all drives for directories whose names contain one of the following strings:
shared files kazaa mule donkey morpheus lime bear icq upload http htdocs ftp my shared folder
and copies itself into them under file names from the following list (note the double extensions such as .jpg.exe and .doc.exe, which hide the executable type when Windows Explorer is set to hide known extensions):
1001 Sex and more.rtf.exe 3D Studio Max 6 3dsmax.exe ACDSee 10.exe Adobe Photoshop 10 crack.exe Adobe Photoshop 10 full.exe Adobe Premiere 10.exe Ahead Nero 8.exe Altkins Diet.doc.exe American Idol.doc.exe Arnold Schwarzenegger.jpg.exe Best Matrix Screensaver new.scr Britney sex xxx.jpg.exe Britney Spears and Eminem porn.jpg.exe Britney Spears blowjob.jpg.exe Britney Spears cumshot.jpg.exe Britney Spears fuck.jpg.exe Britney Spears full album.mp3.exe Britney Spears porn.jpg.exe Britney Spears Sexy archive.doc.exe Britney Spears Song text archive.doc.exe Britney Spears.jpg.exe Britney Spears.mp3.exe Clone DVD 6.exe Cloning.doc.exe Cracks & Warez Archiv.exe Dark Angels new.pif Dictionary English 2004 - France.doc.exe DivX 8.0 final.exe Doom 3 release 2.exe E-Book Archive2.rtf.exe Eminem blowjob.jpg.exe Eminem full album.mp3.exe Eminem Poster.jpg.exe Eminem sex xxx.jpg.exe Eminem Sexy archive.doc.exe Eminem Song text archive.doc.exe Eminem Spears porn.jpg.exe Eminem.mp3.exe Full album all.mp3.pif Gimp 1.8 Full with Key.exe Harry Potter 1-6 book.txt.exe Harry Potter 5.mpg.exe Harry Potter all e.book.doc.exe Harry Potter e book.doc.exe Harry Potter game.exe Harry Potter.doc.exe How to hack new.doc.exe Internet Explorer 9 setup.exe Kazaa Lite 4.0 new.exe Kazaa new.exe Keygen 4 all new.exe Learn Programming 2004.doc.exe Lightwave 9 Update.exe Magix Video Deluxe 5 beta.exe Matrix.mpg.exe Microsoft Office 2003 Crack best.exe Microsoft WinXP Crack full.exe MS Service Pack 6.exe netsky source code.scr Norton Antivirus 2005 beta.exe Opera 11.exe Partitionsmagic 10 beta.exe Porno Screensaver britney.scr RFC compilation.doc.exe Ringtones.doc.exe Ringtones.mp3.exe Saddam Hussein.jpg.exe Screensaver2.scr Serials edition.txt.exe Smashing the stack full.rtf.exe Star Office 9.exe Teen Porn 15.jpg.pif The Sims 4 beta.exe Ulead Keygen 2004.exe Visual Studio Net Crack all.exe Win Longhorn re.exe WinAmp 13 full.exe Windows 2000 Sourcecode.doc.exe Windows 2003 crack.exe Windows XP crack.exe WinXP eBook newest.doc.exe XXX hardcore pics.jpg.exe
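The three traits that make a NetSky.q message recognisable at a mail gateway are all listed above: a subject from the fixed list, the fake "+++ Attachment: No Virus found +++" footer in the body, and an attachment (or, for the P2P copies, a file name) that is an .exe/.pif/.scr, often behind a double extension. The following Python is an added example showing how to check a message for those traits; it is not code from the description or from the worm. The subject list is a subset of the one above, the two sample messages are constructed here (not captured samples), and the threshold of two matching traits is a choice made for this example.

```python
"""Flag mail carrying the NetSky.q lure traits described above (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# A subset of the subject lines listed in the description, lower-cased for matching.
KNOWN_SUBJECTS = {
    "re: approved document", "re: your document", "re: virus sample",
    "re: submit a virus sample", "mail delivery (failure)",
    "re: protected mail system", "re: secure smtp message",
}
# The fake "scanned clean" footer the worm appends to the body.
FAKE_AV_FOOTER = re.compile(r"\+{3,}\s*Attachment:\s*No Virus found\s*\+{3,}", re.I)
# Executable extensions from the attachment list; .zip is handled separately.
EXEC_EXTS = (".exe", ".pif", ".scr")
# A "document" extension immediately followed by an executable one (e.g. Britney Spears.jpg.exe).
DOUBLE_EXT = re.compile(r"\.(doc|txt|rtf|jpg|mp3|mpg)\.(exe|pif|scr)$", re.I)


def is_executable_lure(filename: str) -> bool:
    """True for attachment or P2P file names that would run as code when opened."""
    name = filename.strip().lower()
    return name.endswith(EXEC_EXTS) or DOUBLE_EXT.search(name) is not None


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and collect NetSky.q-style indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append("known-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if FAKE_AV_FOOTER.search(text):
        hits.append("fake-av-footer")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_lure(name):
            hits.append(f"executable-attachment:{name}")
        elif name.lower().endswith(".zip"):
            hits.append(f"zip-attachment:{name}")
    # Two independent traits together are the threshold (an assumption of this example);
    # a lone .zip attachment is far too common to act on by itself.
    return {"hits": hits, "suspicious": len(hits) >= 2}


def build_lure_sample() -> bytes:
    """Constructed message in the worm's style; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Re: Approved document"
    msg.set_content(
        "Please read the attached file!\n\n"
        "+++ Attachment: No Virus found +++\n"
        "Kaspersky AntiVirus - www.kaspersky.com\n"
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="your_document.pif")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a document attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Re: meeting notes"
    msg.set_content("Notes from today attached.\n")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_lure_sample(), build_benign_sample()):
        print(score_message(sample))
```

The `is_executable_lure` check applies equally to the P2P file names above: a gateway or endpoint scan that rejects anything ending in .exe/.pif/.scr, regardless of the "document" extension placed before it, covers both the mail attachments and the shared-folder copies.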
If your computer was not protected by an anti-virus product and has been infected by this malicious program, do the following to remove it:
First terminate the running worm process (FVProtect.exe); Windows will not let you delete an executable that is still running.
Delete the following files:
%WinDir%\FVProtect.exe
%WinDir%\userconfig9x.dll
%WinDir%\zip1.tmp
%WinDir%\zip2.tmp
%WinDir%\zip3.tmp
%WinDir%\base64.tmp
%WinDir%\zipped.tmp
Delete the following value from the registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = "%WinDir%\FVProtect.exe"
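The dropped files, the Run value and the two mutexes above form a small host indicator set. The following Python is an added example of checking a Windows host for them and producing the removal actions; it is not code from the description. `collect_snapshot` needs Windows (`winreg` and `ctypes`) and is not exercised by the constructed snapshot; `remediate` only deletes when called with `dry_run=False` from an elevated prompt, and it reports, rather than performs, the step of terminating the worm process.

```python
"""Check a Windows host for the NetSky.q artefacts listed above (added example)."""
import ntpath
import os
import sys
from dataclasses import dataclass, field

# Files the worm drops into %WinDir% (names from the description).
DROPPED_FILES = ("FVProtect.exe", "userconfig9x.dll", "zip1.tmp", "zip2.tmp",
                 "zip3.tmp", "base64.tmp", "zipped.tmp")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"   # value the worm adds under HKLM\...\Run
RUN_VALUE_IMAGE = "fvprotect.exe"        # its data must point at the dropped file
MUTEXES = ("'D'r'o'p'p'e'd'S'k'y'N'e't'", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_")


@dataclass
class Snapshot:
    """What was observed on the host; filled by collect_snapshot() or constructed."""
    windir_files: set = field(default_factory=set)  # file names present in %WinDir%
    run_values: dict = field(default_factory=dict)  # HKLM Run value name -> data
    mutexes: set = field(default_factory=set)       # mutex names that could be opened


def match_iocs(snap: Snapshot) -> list:
    """Return the indicators from the description that the snapshot satisfies."""
    findings = []
    present = {name.lower() for name in snap.windir_files}
    for name in DROPPED_FILES:
        if name.lower() in present:
            findings.append(f"file:{name}")
    data = snap.run_values.get(RUN_VALUE_NAME, "")
    if RUN_VALUE_IMAGE in data.lower():
        findings.append(f"run:{RUN_VALUE_NAME}={data}")
    for m in MUTEXES:
        if m in snap.mutexes:
            findings.append(f"mutex:{m}")
    return findings


def collect_snapshot() -> Snapshot:
    """Gather the live state. Windows only: uses winreg and OpenMutexW via ctypes."""
    import ctypes
    import winreg
    windir = os.environ.get("WINDIR", r"C:\Windows")
    snap = Snapshot()
    snap.windir_files = {f for f in DROPPED_FILES if os.path.exists(ntpath.join(windir, f))}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        try:
            data, _ = winreg.QueryValueEx(key, RUN_VALUE_NAME)
            snap.run_values[RUN_VALUE_NAME] = str(data)
        except FileNotFoundError:
            pass
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    for m in MUTEXES:  # a mutex can only be opened while the worm process is alive
        handle = k32.OpenMutexW(SYNCHRONIZE, False, m)
        if handle:
            snap.mutexes.add(m)
            k32.CloseHandle(handle)
    return snap


def remediate(findings, windir=None, dry_run=True) -> list:
    """Turn findings into removal actions; perform them only when dry_run=False."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    actions = []
    if any(f.startswith("mutex:") for f in findings):
        # A live mutex means the worm is running; its image cannot be deleted until it is stopped.
        actions.append("terminate the worm process (FVProtect.exe) before deleting files")
    for f in findings:
        if f.startswith("file:"):
            path = ntpath.join(windir, f[len("file:"):])
            actions.append(f"delete {path}")
            if not dry_run:
                os.remove(path)
        elif f.startswith("run:"):
            actions.append(f"delete HKLM\\{RUN_KEY}\\{RUN_VALUE_NAME}")
            if not dry_run:
                import winreg
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0,
                                    winreg.KEY_SET_VALUE) as key:
                    winreg.DeleteValue(key, RUN_VALUE_NAME)
    return actions


if __name__ == "__main__" and sys.platform == "win32":
    found = match_iocs(collect_snapshot())
    for action in remediate(found, dry_run="--delete" not in sys.argv):
        print(action)
```

Run it without arguments to see what would be removed, then with `--delete` from an administrator prompt once the worm process has been stopped. The file and registry checks remain valid after a reboot; the mutex check only fires while the worm is running, which is why the example treats a mutex hit as the signal that the process still has to be terminated.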
A malicious program capable of replicating itself over e-mail without the user's authorisation. While replicating, the worm sends either a copy of itself as an attachment to an e-mail message, or a link to its file hosted on some network resource (for example, a URL pointing at an infected file on a compromised or attacker-controlled web site).
In the first case the worm's code is activated when the infected attachment is opened (run); in the second, when the link to the infected file is opened. The effect is the same in both cases: the worm's code runs.
Mail worms use various methods to send infected messages. The most common are:
Mail worms likewise use various methods to find the e-mail addresses to which infected messages will be sent. Mail worms:
Many worms use several of the listed methods at once. Other ways of finding e-mail addresses are also encountered.
Email-Worm.