Win32.Netsky.D Worm
Alias: I-Worm.NetSky.d (Kaspersky),
W32/Netsky.d@MM (McAfee),
WORM_NETSKY.D (Trend)

Published Date: 1/03/2004
Last Modified: 1/03/2004

Analysis by Sha-Li Hsieh and Vitaly Neyman


CHARACTERISTICS
Win32.Netsky.D is a worm that spreads through e-mail. The worm is distributed as a 17,424-byte PEtite-compressed Win32 executable.

Method of Installation
When run, it creates a mutex called "[SkyNet.cz]SystemsMutex" to avoid running multiple copies of itself.

It copies itself to:
%Windows%\WINLOGON.EXE

It adds a value to the registry to ensure this copy is run each time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICQ Net = "%Windows%\winlogon.exe -stealth"

Note: '%Windows%' is a variable location.
The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.
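The Run value above is the one host artifact an administrator can check without a scanner. The following added example (not part of the original analysis) parses the text of a Regedit / `reg export` dump of the Run key offline and flags the worm's entry; the .reg format writes the hive as HKEY_LOCAL_MACHINE where the analysis writes HKLM, and the sample export, including the benign OEM entry beside the worm's, is constructed.

```python
import re

# Indicators from the analysis: value name, binary name and its argument.
NETSKY_VALUE_NAME = "ICQ Net"
NETSKY_BINARY = "winlogon.exe"
NETSKY_ARG = "-stealth"

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One exported value per line:  "Name"="data"  (backslashes and quotes escaped)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg style export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                # Undo the .reg escaping of backslashes and double quotes.
                data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group("name")] = data
    return keys


def find_netsky_persistence(reg_text):
    """Return [(value_name, data, reason)] for Run values matching Netsky.D."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        lowered = data.lower()
        if name == NETSKY_VALUE_NAME:
            hits.append((name, data, "value name 'ICQ Net' is the Netsky.D marker"))
        elif NETSKY_BINARY in lowered and NETSKY_ARG in lowered:
            hits.append((name, data, "winlogon.exe started with -stealth"))
        elif NETSKY_BINARY in lowered:
            # The genuine winlogon.exe lives in %SystemRoot%\System32 and is not
            # started from the Run key, so any Run value naming it is suspect.
            hits.append((name, data, "Run value references winlogon.exe"))
    return hits


# Constructed sample export: a benign OEM entry beside the worm's entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ICQ Net"="C:\\WINNT\\winlogon.exe -stealth"
'''

if __name__ == "__main__":
    for name, data, reason in find_netsky_persistence(SAMPLE_EXPORT):
        print(f"{name!r} -> {data}  [{reason}]")
```

The check matches on the value name first and on the binary second, so a variant that renames the value but keeps launching winlogon.exe from the Windows root is still reported.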

Method of Distribution
Via E-mail

Netsky.D searches through files with the following extensions, looking for e-mail addresses to send itself to:

eml
txt
php
pl
htm
html
vbs
rtf
uin
asp
wab
doc
adb
tbb
dbx
sht
oft
msg
shtm
cgi
dhtm

It avoids using addresses that contain the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet

The worm searches drives C: to Z:, skipping CD-ROM drives.

Netsky.D sends itself through e-mail using its own SMTP engine.
It spoofs the 'From' address of the message by inserting one of the e-mail addresses that it harvested from the affected machine.

The message subject is chosen at random from this list:

Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Possible message body:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file...
Please read the attached file.
Your file is attached.

Possible attachment names:

your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm creates 8 threads to run its e-mailing routine, presumably to spread faster.

The worm attempts to use the local system's DNS server to resolve the mail server address of each targeted e-mail account. If it cannot use this DNS server, it falls back to a list of 25 IP addresses stored inside its own code.
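The subject, body and attachment-name lists above, together with the skipped-address strings, are enough to flag the lure at a mail gateway. The following added example (not part of the original analysis) copies those lists verbatim and scores a raw RFC 822 message with Python's standard `email` module; the two sample messages are constructed, and the base64 in the first is a truncated MZ header, not the worm. It ignores the From: header on purpose, since the worm fills it with an address harvested from the infected machine. Name-level matching like this breaks as soon as a variant changes its strings, so a gateway would also hash or detonate the attachment.

```python
from email import message_from_string

SUBJECTS = {
    "Re: Document", "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!",
    "Re: Your document", "Re: Here is the document", "Re: Your picture",
    "Re: Re: Message", "Re: Hi", "Re: Hello", "Re: Re: Re: Your document",
    "Re: Here", "Re: Your music", "Re: Your software", "Re: Approved",
    "Re: Details", "Re: Excel file", "Re: Word file", "Re: My details",
    "Re: Your details", "Re: Your bill", "Re: Your text", "Re: Your archive",
    "Re: Your letter", "Re: Your product", "Re: Your website",
}
BODIES = {
    "Your document is attached.", "Here is the file.",
    "See the attached file for details.",
    "Please have a look at the attached file...",
    "Please read the attached file.", "Your file is attached.",
}
ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif",
    "document_full.pif", "your_picture.pif", "message_details.pif",
    "your_file.pif", "document_4351.pif", "yours.pif", "mp3music.pif",
    "application.pif", "all_document.pif", "my_details.pif",
    "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif",
}
SKIP_SUBSTRINGS = (
    "icrosoft", "antivi", "ymantec", "spam", "avp", "f-secur", "itdefender",
    "orman", "cafee", "aspersky", "f-pro", "orton", "fbi", "abuse",
    "messagelabs", "skynet",
)


def would_worm_skip(address):
    """True if Netsky.D would not mail this address (substring match).

    Assumption: the comparison is case-insensitive; the list drops the first
    letter of several vendor names, which matches either case anyway.
    """
    lowered = address.lower()
    return any(s in lowered for s in SKIP_SUBSTRINGS)


def score_message(raw):
    """Return the list of Netsky.D indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject in Netsky.D list: {subject!r}")
    body, names = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("latin-1", "replace")
    if body.strip() in BODIES:
        reasons.append(f"body in Netsky.D list: {body.strip()!r}")
    for filename in names:
        if filename.lower() in ATTACHMENTS:
            reasons.append(f"attachment name in Netsky.D list: {filename}")
        elif filename.lower().endswith(".pif"):
            reasons.append(f"executable .pif attachment: {filename}")
    return reasons


# Constructed sample: the lure as the analysis describes it.
NETSKY_MAIL = """\
From: alice@example.net
To: bob@example.org
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Your document is attached.
--BOUND
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

# Constructed sample: ordinary mail that must not be flagged.
CLEAN_MAIL = """\
From: carol@example.net
To: bob@example.org
Subject: Re: lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Noon works for me.
"""
```

Each indicator is reported separately, so a message that reuses only the subject line scores lower than one carrying subject, body and a listed .pif name together; `would_worm_skip` explains why a mailbox whose address contains one of the skipped strings (an abuse@ contact, for instance) will never see a sample even on an infected network.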

Payload

Removes Registry Values
The worm removes these registry values, some of which are associated with other worms:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.

It also deletes these registry keys, and any values contained within them:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch

Causes Noise
If the system date is March 2nd, 2004, and the hour of the day is 6, 7 or 8, the worm continuously generates short, sharp, randomly pitched beeps through the speaker, pausing 0.05 seconds between them.







COMMENT

Computer WORMS complicate the security situation.
Unlike viruses, they may enter your computer while you are hooked up to the Internet without any connection to e-mail messages or e-mail use. Residing on your computer, if not detected by an excellent and up-to-date antivirus program, they will then become activated by any of a great number of triggers: perhaps when you next turn on your machine or reboot it, perhaps on a particular date, perhaps when you start MSIE (Microsoft Internet Explorer) or some other program. They may then make your machine make noises, attach themselves to files already on your computer, attach to and assume the name of attachments you are receiving by e-mail, or occupy your computer's resources and slow your machine while filling your memory or storage.

"E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.

This will usually occur if someone you know has been infected with a virus and they have your address in their address book.

This type of spam is often used in an attempt to get recipients to open, and possibly infect their system.

The best course of action would be to delete these e-mails and never open any e-mails that you are unsure about.

To ensure that your computer is virus free you should make sure that you have the latest signature files available for EZ Antivirus and then run a full virus scan; if the results show zero infections, then there is nothing to worry about."


CAUTION
Worms which use e-mail address lists.
Increasingly dominant throughout 2003, and continuing, is the use of real e-mail addresses deceptively programmed into the "FROM" sections of e-mails. This has been a frequent practice of spammers who hope to remain free of prosecution and persecution as well as responsibility for the waste of resources they cause.

Most obvious from the fall of 2003, I have found "REPLY" e-mails being sent to my "health@earthtym.net" address, primarily from e-mail postmaster programs. These have protected the intended recipients from usual worm or virus attachments by returning it to the INSERTED "From" address, which is mine! This e-mail address was only set up when I changed my website host to Freeservers.com and indicated the "health@" e-mail as the administrative contact to the "protected" Internet URL registration site of "WHOIS.com". This address has NEVER been used to SEND e-mails. Its presence on the Internet in this capacity indicates a fraudulent ghosting of it.

The FACT that my administrative address is being used this way signals that ANY valid e-mail address can be likewise "kidnapped" and used by anonymous cowards to provoke others in YOUR name. It is tragic that the only SAFE way to share an attachment with friends, associates or customers is to either send an ALERT e-mail first to indicate that you will be sending an attachment and what its idiosyncratic filename is (nothing common or predictable), or, to post it on your personal or business website, perhaps temporarily, and send the webpage address in your e-mail.

There is NO BENEFIT in constantly changing your e-mail address, as any new address you pick may be discovered within weeks and simply encourage you to spend many hours, and irritate all of your recipients, with the notifications of yet another change. Ironically, communicating in the digital age is becoming MORE difficult than previous methods, not easier nor cheaper. Because of abusive over-competitive mass marketing application --- snail (junk) mail, (telemarketing) telephone, (computer-dialing) voicemail, (batch) fax, and (spam) e-mail have all now become largely redundant as communication tools.


COMMENT
Worms, which spoof, are spiritually destructive.
By the deception of others, your ignorance and your fear --- they prompt you to distrust and hold responsible friends, relatives and associates for a disaster of which they are innocent in involvement beyond their historical caring and support for you.

It is ALWAYS more intelligent and more spiritually strong to determine WHAT the meaning of an error is, HOW to correct it, and WHERE it originated -- BEFORE assessing responsibility, and penalty. Otherwise, the penalty enacted in haste may turn out to be a further disaster of our pride, fear and ignorance and hurt us more than we ever wished on others.

Articles on the Internet are transitory.
The publishers may remove them, change sites, change URLs, or change titles. For the purpose of maintaining an availability of this article for you, it has been reprinted here with authorship maintained and coding simplified for error-free loading and minimal file size.

