
Email-Worm:W32/NetSky.P


First posted on 28 July 2010.
Source: SecurityHome

Aliases:

There are no other names known for Email-Worm:W32/NetSky.P.

Explanation:

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.

Additional Details

Email-Worm:W32/Netsky.P spreads to new victims both by mass-mailing itself and by copying itself across local networks (LAN) and Peer-to-Peer (P2P) networks, as well as into FTP and HTTP folders.

The worm is spread as a dropper: a Windows PE executable 29568 bytes long, packed with the FSG packer. When the dropper is run, it extracts the main worm file, which is 26624 bytes long and packed with a modified UPX compressor. That file is a DLL, a new approach the Netsky authors adopted for installing the worm on a system.

Netsky.P continues the ongoing feud with the Bagle worm's author.

Netsky.P was discovered on March 21st, 2004.


Installation

Upon execution Netsky.P copies itself as FVPROTECT.EXE to the Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files to the System Registry:

• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Norton Antivirus AV" = "%WinDir%\fvprotect.exe"

where %WinDir% represents the Windows folder name.

Additionally the worm drops the following files into the Windows folder:

• zipped.tmp
• base64.tmp
• zip1.tmp
• zip2.tmp
• zip3.tmp

These files contain the worm's executable file, UUEncoded and in ZIP archives (3 different variants). These 3 archives contain the worm's executable under the following names:

• document.txt .exe
• data.rtf .scr
• details.txt .pif
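As a defender-side check that is not part of the original description, the following Python script parses a .reg export of the Run key (as produced by "reg export" on a suspect host or taken from an offline hive) together with a directory listing of the Windows folder, and reports the persistence value and dropped file names described above. Both the export text and the listing are constructed samples; HKEY_LOCAL_MACHINE is the long form of the HKLM abbreviation used above, and the "SoundMan" entry is benign filler.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above.
PERSISTENCE_VALUE = "Norton Antivirus AV"
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll",
                 "zipped.tmp", "base64.tmp", "zip1.tmp", "zip2.tmp", "zip3.tmp"}

# Constructed sample of a .reg export of the Run key from a suspect host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Norton Antivirus AV"="C:\\WINDOWS\\fvprotect.exe"
'''

# Constructed directory listing of the Windows folder on the same host.
SAMPLE_WINDIR_LISTING = ["explorer.exe", "FVPROTECT.EXE", "userconfig9x.dll",
                         "zipped.tmp", "notepad.exe"]

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="data" layout of a .reg export into {key: {name: data}}.
    Only string (REG_SZ) values are kept, which is all this check needs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string data
                data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group("name")] = data
    return keys


def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for Run entries that use the worm's value name
    or point at one of its dropped files."""
    hits = []
    for key, values in reg.items():
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        for name, data in values.items():
            # last path component of the command, lower-cased for comparison
            target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name == PERSISTENCE_VALUE or target in DROPPED_FILES:
                hits.append((key, name, data))
    return hits


def find_dropped_files(listing: List[str]) -> List[str]:
    """Names from a Windows-folder listing that match the worm's dropped files."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, data in find_persistence(reg):
        print(f"persistence: [{key}] {name!r} = {data!r}")
    for f in find_dropped_files(SAMPLE_WINDIR_LISTING):
        print(f"dropped file: {f}")
```

The match is on both the value name and the file the value launches, so a variant that keeps the file name but changes the value name is still caught; the file-name comparison is case-insensitive because the description gives the names in mixed case.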

Activity

The NetSky.P worm removes the Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 9 keys (listed below) belong to earlier Bagle variants.

This worm variant contains another insulting message for the author of the Bagle worm.


Registry Changes

NetSky.P deletes the following Registry keys (the entries listed beneath the RunServices and Run keys are the value names it removes there):

• [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
• [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
• [HKLM\System\CurrentControlSet\Services\WksPatch]
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    system.
    Video
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    system.
    msgsvr32
    winupd.exe
    direct.exe
    jijbl
    Video
    service
    DELETE ME
    Taskmon
    Explorer
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    OLE
    Sentry
    Taskmon
    Windows Services Host
    Explorer
    gouday.exe
    au.exe
    direct.exe
    d3dupdate.exe
    rate.exe
    sysmon.exe
    srate.exe
    ssate.exe
    winupd.exe

Propagation (E-mail)

Before spreading by e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with one of the following extensions is found, the worm opens it and searches it for e-mail addresses:

• .pl
• .htm
• .html
• .eml
• .txt
• .php
• .asp
• .wab
• .doc
• .vbs
• .rtf
• .uin
• .shtm
• .cgi
• .dhtm
• .adb
• .tbb
• .dbx
• .sht
• .oft
• .msg
• .jsp
• .wsh
• .xml

The worm avoids sending e-mails to addresses that contain the following substrings:

• @microsof
• @antivi
• @symantec
• @spam
• @avp
• @f-secur
• @bitdefender
• @norman
• @mcafee
• @kaspersky
• @f-pro
• @norton
• @fbi
• abuse@
• @messagel
• @skynet
• @pandasof
• @freeav
• @sophos
• ntivir
• @viruslis
• noreply@
• spam@
• reports@

The worm composes over 30 different types of e-mails. Subjects, body texts and attachment names are randomly selected from the variants that are hardcoded in the worm's body. These are the variants of the messages that the worm can send out:

Subject:
• Re: Hi
• Re: Hello
Body:
• Please confirm!
• Please answer quickly!
Attachment:
• detail3.
• document_all02c.
• summary2004.
----------------- or -----------------

Subject:
• Re: Request
Body:
Thank you for your request, your details are attached!
Thanks!

Attachment:
• details05.
• data02.
• all_in_all.
----------------- or -----------------

Subject:
• Shocking document
• You cannot do that!
Body:
I am shocked about your document!
Let'us be short: you have no experience in writing letters!!!

Attachment:
• document05.
• your_document.
• document_with_notice.
----------------- or -----------------

Subject:
• hi
• hello
Body:
Try this, or nothing!
Here is it!

Attachment:
• document05.
• game_xxo.
• websites03.
----------------- or -----------------

Subject:
• Fwd: Warning again
• Notice again
Body:
Do not visit this illegal websites!
You have downloaded these illegal cracks?.

Attachment:
• abuselist.
• abuses.
• websites01.
----------------- or -----------------

Subject:
• Re: List
• Re: Question
Body:
Here is my icq list.
Here is my phone number.

Attachment:
• my_list01.
• my_numbers.
• archive.
----------------- or -----------------

Subject:
• Spamed?
• Spam
Body:
I have visited this website and I found you in the spammer list. Is that true?
Are you a spammer? (I found your email on a spammer website!?!)

Attachment:
• websitelist01.
• list_ed.
• abuse_list.
----------------- or -----------------

Subject:
• 0i09u5rug08r89589gjrg
Body:
po44u90ugjid-k9z5894z0
9u049u89gh89fsdpokofkdpbm3-4i

Attachment:
• id04009.
• id43342.
• id09509.
----------------- or -----------------

Subject:

Body:

Attachment:
• important.
• details.
• message.
----------------- or -----------------

Subject:
• Re: A!p$ghsa
• Important m$6h?3p
Body:
Please r564g!he4a56a3haafdogu#mfn3o
SMTP Error #201

See the ghg5%&6gfz65!4Hf55d!46gfgf
Server Error #203

Attachment:
• important.
• details03.
• document07.
----------------- or -----------------

Subject:
• Do you?
• Does it matter?
Body:
Your photo, uahhh.... , you are naked!
You have written a very good text, excellent, good work!

Attachment:
• text01.
• details.
• d4334938.
----------------- or -----------------

Subject:
• News
• Information
Body:
Your archive is attached.
Monthly news report.

Attachment:
• news01.
• info02.
• report01.
----------------- or -----------------

Subject:
• I love you!
• I cannot forget you!
Body:
lovely, :-)
your big love, ;-)

Attachment:
• letter43.
• story.
• photo.
----------------- or -----------------

Subject:
• Re: Proof of concept
• Re: Developement
Body:
I hope you accept the result!
The sample is attached!

Attachment:
• document09.
• part_01.
• doc_word3.
----------------- or -----------------

Subject:
• Re: Message
• Re: Error in document
Body:
Your important document, correction is finished!
Important message, do not show this anyone!

Attachment:
• attach.
• document.
• message.
----------------- or -----------------

Subject:
• Re: Free porn
• Re: Sex pictures
Body:
Here is the website. ;-)
My favourite page.

Attachment:
• www.freeporn4all.
• www.myx4free.
----------------- or -----------------

Subject:
• Re: Submit a Virus Sample
• Re: Virus Sample
Body:
The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards,
Keria Reynolds

Attachment:
• signature.
• datfiles.
----------------- or -----------------

Subject:
• Re: Old times
• Re: Old photos
Body:
• Greetings from france,
your friend.
Have a look at these.

Attachment:
• old_photos.
• letter.
----------------- or -----------------

Subject:
• Postcard
• Your day
Body:
• Best wishes,
your friend.

Congratulations!,
your best friend.
Attachment:
• postcard.
• letter.
----------------- or -----------------

Subject:
• Re: Sample
• Re: Question
Body:
• I have corrected your document.
• I have attached the sample.
Attachment:
• sample01.
• doc01.
• word_doc.
• document04.
----------------- or -----------------

Subject:
• Thank you!
• Congratulations!
Body:
• Your bill is attached to this mail.
You were registered to the pay system.
For more details see the attachment.
Attachment:
• bill.
• list.
• confirm.
• details.
----------------- or -----------------

Subject:
• Illegal Website
• Internet Provider Abuse
Body:
• I noticed that you have visited illegal websites.
See the name in the list!
• You have visited illegal websites.
I have a big list of the websites you surfed.
Attachment:
• list.
• abuselist.
• judge.
• readme.
• details.
----------------- or -----------------

Subject:
• Mail Account
• Administrator
Body:
• Your mail account is expired.
See the details to reactivate it.
• Your mail account has been closed.
For further details see the document.
Attachment:
• account.
• readme.
• details.
----------------- or -----------------

Subject:
• Re: Hi
• Re: Its me
Body:
• The file is protected with the password ghj001.
• I have attached your file. Your password is jkl44563.
Attachment:
• document.
• document43.
• priv.
• letter32.
• data20.
• mails9.
• your_doc.
• my_details.
----------------- or -----------------

Subject:
• Private document
• Stolen document
Body:
• I found this document about you.
• I cannot believe that.
Attachment:
• document342.
• your_document.
• about_you.
----------------- or -----------------

Subject:
• Hello
• Hi
Body:
• Try this game ;-)
• I hope the patch works.
Attachment:
• game.
• patch3425.
• application.
• software.
----------------- or -----------------

Subject:
• Mail Delivery (failure)
• Error
Body:
• Binary message is available.
• Message has been sent as a binary attachment.
Attachment:
• message.
• msg.
• data.
• letter.
• email.
----------------- or -----------------

Subject:
• Re: Is that your document?
• Is that your password?
Body:
• Can you confirm it?
• I have attached it to this mail.
Attachment:
• document.
• pwd02.
• document01.
• part6.
• private_01.
----------------- or -----------------

Subject:
• Re: Approved document
• Re: Your document
Body:
• Please read the attached file.
• Your document is attached.
Attachment:
• file.
• your_document.
• about_you.
• document04.
• msg.
• all_doc01.
• document.
• approved.
• improved.
• corrected.
----------------- or -----------------

Subject:
• Protected Mail System
• Mail Authentication
Body:
• Encrypted message is available.
• Protected message is attached.
Attachment:
• pgp_sess01.
• encrypted_msg01.
• document.
• message.
• msg.
----------------- or -----------------

Subject:
• Re: Mail Authentification
• Re: Delivery Protection
• Re: Secure delivery
• Re: Protected Mail Delivery
• Re: Protected Mail System
• Re: Protected Mail Request
• Re: Secure SMTP Message
• Re: Extended Mail System
• Re: Error
• Re: Message Error
• Re: Administration
• Re: Test
• Re: Thank you for delivery
• Re: Failure
• Re: Bad Request
• Re: Delivery Server
• Re: Mail Server
• Re: SMTP Server
• Re: Notify
• Re: Status
• Re: Extended Mail
• Re: Encrypted Mail
Body:
• Please confirm my request.
• ESMTP [Secure Mail System #334]: Secure message is attached.
• Partial message is available.
• Waiting for a Response. Please read the attachment.
• First part of the secure mail is available.
• For more details see the attachment.
• For further details see the attachment.
• Your requested mail has been attached.
• Protected Mail System Test.
• Secure Mail System Beta Test.
• Forwarded message is available.
• Delivered message is attached.
• Encrypted message is available.
• Please read the attachment to get the message.
• Follow the instructions to read the message.
• Please authenticate the secure message.
• Protected message is attached.
• Waiting for authentification.
• Protected message is available.
• Bad Gateway: The message has been attached.
• SMTP: Please confirm the attached message.
• You got a new message.
• Now a new message is available.
• New message is available.
• You have received an extended message. Please read the instructions.
Attachment:
• message.
• msg.
• details.
• data.
• document.
• readme.
----------------- or -----------------

Subject:
• here
• hi
• hello
• thanks!
• approved
• corrected
• patched
• improved
• important
• read it immediately
Body:
• Your details.
• Your document.
• I have received your document. The corrected document is attached.
• I have attached your document.
• Your document is attached to this mail.
• Authentication required.
• Requested file.
• See the file.
• Please read the important document.
• Please confirm the document.
• Your file is attached.
• Please read the document.
• Your document is attached.
• Please read the attached file!
• Please see the attached file for details.
Attachment:

• your
• my
• approved
• important

combined with the following:

• document.
• file.
• details.
• information.
• letter.
• product.
• website.
• application.
• screensaver.
• bill.
• word document.
• excel document.
• data.
• message.
• text.
• document_all.

The dot at the end of each name stands for the extension, which can be single or double. The first extension can be:

• .txt
• .doc

The second extension can be:

• .pif
• .exe
• .scr

The infected attachment name can contain random numbers, and the attachment can be sent in a ZIP archive.

The worm can add a fake scan report to the end of an infected message. The following variants of the scan report are used:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com

+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com

++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com

++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com

++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

The worm can also send messages carrying an IFrame exploit that causes the worm's attachment MESSAGE.SCR to run automatically on certain vulnerable versions of e-mail clients.
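The naming scheme above (an executable final extension, a .txt/.doc decoy extension in front of it, padding spaces that push the real extension out of view, optional ZIP wrapping) and the fake scan-report footer are the indicators a mail gateway or a triage script can key on. The following Python example is added here and is not part of the original description: it walks a constructed sample message built in the worm's style, looks inside any ZIP attachment, and reports each indicator it finds. The addresses and attachment bytes are placeholders, and .rtf is included as a decoy extension because the names inside the dropped ZIP archives use it.

```python
import email
import io
import re
import zipfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List

# From the description: the final (real) extension is executable, the optional
# first extension is a document decoy (.rtf appears in the dropped ZIP names).
EXEC_EXTS = {".exe", ".pif", ".scr"}
DECOY_EXTS = {".txt", ".doc", ".rtf"}
# Matches the fake "scan report" footer the worm appends to the message body.
FAKE_SCAN_RE = re.compile(r"^\+{3,}\s*Attachment:\s*No Virus found", re.MULTILINE)


def attachment_findings(filename: str) -> List[str]:
    """Reasons an attachment name matches the worm's naming scheme (empty if none)."""
    findings = []
    stem, dot, last = filename.lower().rpartition(".")
    last_ext = "." + last.strip()
    if not dot or last_ext not in EXEC_EXTS:
        return findings
    findings.append(f"executable attachment ({last_ext})")
    if stem != stem.rstrip():
        # e.g. "document.txt<many spaces>.exe": the spaces hide the real extension
        findings.append("whitespace padding hides the real extension")
    _, inner_dot, inner = stem.rstrip().rpartition(".")
    if inner_dot and "." + inner in DECOY_EXTS:
        findings.append(f"double extension (.{inner}{last_ext})")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Walk a raw RFC 822 message and report every Netsky.P-style indicator found."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        fname = part.get_filename()
        if fname:
            findings += [f"{fname!r}: {f}" for f in attachment_findings(fname)]
            if fname.lower().endswith(".zip"):
                # the worm also ships the executable inside a ZIP, so check member names
                try:
                    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                        for member in zf.namelist():
                            findings += [f"{fname!r} -> {member!r}: {f}"
                                         for f in attachment_findings(member)]
                except zipfile.BadZipFile:
                    findings.append(f"{fname!r}: not a valid ZIP archive")
        elif part.get_content_type() == "text/plain":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if FAKE_SCAN_RE.search(text):
                findings.append("body carries a fake 'No Virus found' scan report")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample in the worm's style; attachment bytes are harmless placeholders."""
    msg = MIMEMultipart()
    msg["Subject"] = "Re: Your document"
    msg["From"] = "sender@example.invalid"      # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    body = ("Please read the attached file.\n\n"
            "+++ Attachment: No Virus found\n"
            "+++ Norton AntiVirus - www.symantec.de\n")
    msg.attach(MIMEText(body, "plain"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt                    .exe", b"placeholder, not the worm")
    zipped = MIMEApplication(buf.getvalue(), "zip")
    zipped.add_header("Content-Disposition", "attachment", filename="document.zip")
    msg.attach(zipped)
    scr = MIMEApplication(b"placeholder, not the worm", "octet-stream")
    scr.add_header("Content-Disposition", "attachment", filename="message.scr")
    msg.attach(scr)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The check is on names and body text only, so it is a cheap first-pass filter rather than a replacement for a scanner; in practice the executable-extension rule alone (drop or quarantine .exe/.pif/.scr attachments, also inside archives) would have stopped every variant listed above.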


Propagation (LAN, P2P networks, FTP and HTTP folders)

The worm scans all drives from C: to Z: except CD-ROM drives. If it finds folders with any of the following names:

• my shared folder
• download
• ftp
• htdocs
• http
• upload
• shar
• icq
• bear
• lime
• morpheus
• donkey
• mule
• kazaa
• shared files

it copies itself there multiple times under the following names:

• Kazaa Lite 4.0 new.exe
• Britney Spears Sexy archive.doc.exe
• Kazaa new.exe
• Britney Spears porn.jpg.exe
• Harry Potter all e.book.doc.exe
• Britney sex xxx.jpg.exe
• Harry Potter 1-6 book.txt.exe
• Britney Spears blowjob.jpg.exe
• Harry Potter e book.doc.exe
• Britney Spears cumshot.jpg.exe
• Harry Potter.doc.exe
• Britney Spears fuck.jpg.exe
• Harry Potter game.exe
• Britney Spears.jpg.exe
• Harry Potter 5.mpg.exe
• Britney Spears and Eminem porn.jpg.exe
• Matrix.mpg.exe
• Britney Spears Song text archive.doc.exe
• Britney Spears full album.mp3.exe
• Eminem.mp3.exe
• Britney Spears.mp3.exe
• Eminem Song text archive.doc.exe
• Eminem Sexy archive.doc.exe
• Eminem full album.mp3.exe
• Eminem Spears porn.jpg.exe
• Ringtones.mp3.exe
• Eminem sex xxx.jpg.exe
• Ringtones.doc.exe
• Eminem blowjob.jpg.exe
• Altkins Diet.doc.exe
• Eminem Poster.jpg.exe
• American Idol.doc.exe
• Cloning.doc.exe
• Saddam Hussein.jpg.exe
• Arnold Schwarzenegger.jpg.exe
• Windows 2003 crack.exe
• Windows XP crack.exe
• Adobe Photoshop 10 crack.exe
• Microsoft WinXP Crack full.exe
• Teen Porn 15.jpg.pif
• Adobe Premiere 10.exe
• Adobe Photoshop 10 full.exe
• Best Matrix Screensaver new.scr
• Porno Screensaver britney.scr
• Dark Angels new.pif
• XXX hardcore pics.jpg.exe
• Microsoft Office 2003 Crack best.exe
• Serials edition.txt.exe
• Screensaver2.scr
• Full album all.mp3.pif
• Ahead Nero 8.exe
• netsky source code.scr
• E-Book Archive2.rtf.exe
• Doom 3 release 2.exe
• How to hack new.doc.exe
• Learn Programming 2004.doc.exe
• WinXP eBook newest.doc.exe
• Win Longhorn re.exe
• Dictionary English 2004 - France.doc.exe
• RFC compilation.doc.exe
• 1001 Sex and more.rtf.exe
• 3D Studio Max 6 3dsmax.exe
• Keygen 4 all new.exe
• Windows 2000 Sourcecode.doc.exe
• Norton Antivirus 2005 beta.exe
• Gimp 1.8 Full with Key.exe
• Partitionsmagic 10 beta.exe
• Star Office 9.exe
• Magix Video Deluxe 5 beta.exe
• Clone DVD 6.exe
• MS Service Pack 6.exe
• ACDSee 10.exe
• Visual Studio Net Crack all.exe
• Cracks & Warez Archiv.exe
• WinAmp 13 full.exe
• DivX 8.0 final.exe
• Opera 11.exe
• Internet Explorer 9 setup.exe
• Smashing the stack full.rtf.exe
• Ulead Keygen 2004.exe
• Lightwave 9 Update.exe
• The Sims 4 beta.exe

This feature allows the worm to spread to the local network, to the shared folders of P2P (peer-to-peer) clients and to FTP and HTTP server folders (if such servers are present on an infected computer or on computers that have open shares with an infected one). Additionally it allows the worm to copy itself multiple times on a local hard disk.
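A defender can look for the same propagation on a file server or on a workstation's share folders. The Python example below is added here and is not taken from the original description: it walks a directory tree, keeps only folders whose names contain one of the substrings listed above, and flags executables found in them, separately marking names that carry a decoy document or media extension in front of the real one. The tree it scans is constructed in a temporary folder with placeholder files; two of the file names reuse entries from the worm's list above, the rest are invented filler.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Folder names the worm looks for, from the description above.
SHARE_FOLDER_NAMES = ["my shared folder", "download", "ftp", "htdocs", "http", "upload",
                      "shar", "icq", "bear", "lime", "morpheus", "donkey", "mule",
                      "kazaa", "shared files"]
EXEC_EXTS = {".exe", ".pif", ".scr"}
# Decoy inner extensions seen in the worm's file names (e.g. "Matrix.mpg.exe").
DECOY_EXTS = {".doc", ".txt", ".rtf", ".jpg", ".mp3", ".mpg"}


def is_target_folder(name: str) -> bool:
    """Does this folder name contain one of the substrings the worm searches for?"""
    lowered = name.lower()
    return any(sub in lowered for sub in SHARE_FOLDER_NAMES)


def disguised_executable(filename: str) -> bool:
    """True when the real extension is executable and the extension in front of it
    pretends the file is a document or media file."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and list executables found in worm-targeted folders,
    each tagged with the reason it was flagged."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_target_folder(os.path.basename(dirpath)):
            continue
        for f in filenames:
            if Path(f).suffix.lower() in EXEC_EXTS:
                reason = ("disguised executable" if disguised_executable(f)
                          else "executable in share folder")
                hits.append((os.path.join(dirpath, f), reason))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed throwaway tree mimicking a host with P2P and web share folders.
    Every file is a harmless placeholder; two names come from the worm's list."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    layout = {
        os.path.join("Kazaa", "My Shared Folder"):
            ["Britney Spears.mp3.exe", "Harry Potter.doc.exe", "song.mp3"],
        "htdocs": ["index.html", "Screensaver2.scr"],
        "Documents": ["notes.txt", "tool.exe"],   # not a targeted folder name, so ignored
    }
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for f in files:
            Path(d, f).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_tree()):
        print(f"{reason}: {path}")
```

The "executable in share folder" hits are a triage list, not a verdict: a legitimate installer in a download folder is flagged too. The "disguised executable" hits are the ones worth acting on first, since a double extension that ends in .exe/.pif/.scr has no honest use in a shared media or document folder.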

Detection

Detection of the Netsky.P worm was published on March 21st, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]
Version=2004-03-21_01

Last update 28 July 2010

 
