WORM_NETSKY.AL

Malware type: Worm

Aliases: Email-Worm.Win32.NetSky.c (Kaspersky), W32/Netsky.gen@MM (McAfee), W32.Netsky.AN@mm (Symantec), Worm/Netsky.AL (Avira), W32/Netsky-C (Sophos), Worm:Win32/Netsky.C@mm (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000

Encrypted: No

Overall risk rating:

Description: 

This worm propagates via email. It sends out copies of itself as an attachment to email messages using its own SMTP engine. It gathers target email addresses by searching all of an affected system's fixed drives for files with certain extensions. It can connect and submit a query for yahoo.com to a local DNS server. Once it finds a match, this worm also uses the said domain as its SMTP server.

It also spreads by dropping copies of itself in folders inside the Windows folder whose names contain the string SHAR. It performs this routine under the assumption that such named folders are network shares, or are folders used by file sharing applications.

Like other WORM_NETSKY variants, it seeks to prove its superiority over other malware families by deleting several registry keys and entries associated with them.


Description created: Sep. 24, 2005 4:01:54 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 65,024 Bytes

Initial samples received on: Sep 24, 2005

Compression type: PE-Crypt

Payload 1: Prevents other malware from executing at startup

Details:

Installation and Autostart Technique

Upon execution, this worm drops a copy of itself in the Windows folder as MCAFFEAV.EXE. It then creates the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
McAfee = "%Windows%\McAffeAv.exe -AntViru"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Propagation via Email

This worm propagates via email. It sends out copies of itself as an attachment to email messages using its own SMTP engine.

The email message it sends out contains the following details:

From: (Spoofed)

Subject: (any of the following)
• ? hi read it immediatelly
• believe me
• Delivery Failed
• goodmorning
• hello
• Here is it
• hey trust me
• illegal...
• I'm back!
• important
• info
• its me
• last chance!
• lol
• moin
• notice!
• notification denied!
• private?
• Question
• question
• Re: {5664ddff?$??�2}
• Re: excuse me
• Re: hello
• Re: hey exception
• Re: hi
• Re: important
• Re: information
• Re: Re: Re: Re: re: take it error
• Re: unknown dear
• report
• something for you
• Status
• stolen
• warning fake?
• what's up?
• Yep Re: does it
• you?

Message Body (any of the following)
• {...}
• {09580985869gj}
• {Antispam complete}
• {Attached Msg}
• {Attachment from Poland}
• {Attachment Signature 34933920}
• {Automailer}
• {bad gateway}
• {Click the attachment to decrypt}
• {Deliver Error}
• {Failed message available}
• {Mail failed}
• {Message Error}
• {null}
• {scanned by norton antivirus}
• {Server Error}
• {Transfer complete}
• {Warning from the Government}
• *lol*
• ;-)
• � {{}}
• a crazy doc about you
• abuse?
• account?
• already?
• another pic, have fun! ... :-)
• Antispam is turned off. See file!
• are you a photographer?
• are you a teacherin the picture?
• are you cranky?
• are you the naked one?
• are you the naked person!
• are you the one?
• attachi#
• Authentification required. Read the att...
• be mad?
• best?
• bob the builder
• child or adult?
• child porn?
• classroom test of you?
• copyright?
• correct it!
• did you ask me for that?
• did you know from this document?
• did you know that?
• did you see her already?
• did you sent it to me?
• do not give up!
• do not open the attachment!
• do not show this anyone!
• do not use my document!
• do not visit the pages on the list I se...
• do you have an orgasm in the picture?
• do you have sex in the picture?
• do you have the bug also?
• do you have?
• do you know the thief?
• do you know this????
• do you think so?
• doc about me?
• doc?
• docs?
• does it belong to you?
• does it match?
• does it matter?
• drugs? ...
• excellent!
• explain!
• fast food...
• feel free to use it.
• File is bad.
• File is damaged.
• File is self-decryting.
• forgotten?
• from the chatter (my photo!)
• from your lover ;-)
• gonna?
• good work!
• great job!
• great xxx!
• great!
• greetings
• help attached
• her.
• here is it.
• here is my advice.
• here is my photo!
• here is the $%%454$
• here is the {censored}
• here is the document.
• here is the next one!
• here is yours!
• here, the cheats
• here, the introduction
• here, the serials
• how?
• i am desperate
• i am speachless about your document!
• I don't know your document!
• i don't think so.
• i don't want your xxx pics!
• i found that about you!
• i found this document about you.
• i have received this.
• I have your password!
• i hope thats not true!
• i know your document!
• i like your doc!
• i lost that
• i need you!
• i saw you last week!
• I 've found your bill!
• I wait for an answer!
• i wait for your comment about it.
• i want more...
• illegal st. of you?
• important?
• in your mind?
• incest?
• information about you?
• Instant patches.
• instruct me about this!
• is that criminal?
• is that possible?
• is that the reality?
• is that true?
• is that your account?
• is that your attachment?
• is that your beast?
• is that your car?
• is that your cd?
• is that your creditcard?
• is that your domain?
• is that your family?
• is that your finger?
• is that your message?
• is that your name?
• is that your photo?
• is that your porn pic?
• is that your privacy?
• is that your slip?
• is that your TAN?
• is that your Web site?
• is that your wife?
• is that your work?
• is that yours?
• is the pic a fake?
• is this information about you?
• it's a secret!
• its private from me
• it's so similar as yours!
• i've found it about you
• kill him on the picture!
• kill the writer of this document!
• let it!
• lets talk about it!
• Login required! Read the attachment!
• love letter?
• man or women?
• meaning of that?
• message?
• Microsoft
• misc. and so on. see you!
• modifications?
• money?
• msg
• my advice....
• never!
• new patch is available!
• ok...
• old photos about you?
• only encrypted!
• pages?
• personal message!
• picture?
• poor quality!
• possible?
• pretty pic about you?
• pwd?
• read it immediately!
• read the details.
• really?
• reply
• schoolfriend?
• see this!
• see your name!
• solve the problem!
• something about you!
• something is going ...
• something is going wrong!
• something is not ok
• stuff about you?
• such as yours?
• take it easy!
• tell me more about your document!
• test it
• that is interesting...
• that's a funny text.
• that's not the truth?
• thats wrong!
• the information is wrong!
• the truth?
• this file is bad!
• this is an attachment message!
• this is nothing for kids!
• time to fear?
• Transaction failed. Show the doc!
• trial?
• try this patch!
• what do you think about it?
• what means that?
• what still?
• what?
• who?
• why should I?
• why?
• wrong calculation! (see the attachment!...
• xxx ?
• xxx about you?
• xxx service
• yes.
• you are a bad writer
• you are bad
• You are infected. Read the details!
• you are naked in this document!
• you are sexy in this doc!
• you cannot hide yourself! (see photo)
• you earn money, see the attachment!
• you feel the same.
• you have a sexy body in the pic!
• you have done a mistake in the document...
• you have tried to steal!
• you look like an ape!
• you look like an rat?
• you won the rk!
• your account is expired!
• your are naked?
• your attachment? verify it.
• Your bill.
• your body?
• your design is not good!
• your document is not good
• your document is silly!
• your eyes?
• your face?
• your hero in the picture?
• your icq number?
• your job? (I found that!)
• your lie is going around the world!
• your name is wrong!
• your personal record?
• your photo is poor
• Your provider will be disabled!
• your TAN number?
• yours?

(Note: This malware may also generate garbage messages.)

Attachment: (any of the following)
• 454543403
• aboutyou
• associal
• attach2
• attachment
• auction
• bill
• birth
• card
• class_photos
• concert
• creditcard
• death
• description
• details
• dinner
• disco
• doc
• doc_ang
• document
• final
• found
• freaky
• friend
• id
• image
• important
• incest
• information
• injection
• intimate stuff
• jokes
• letter
• location
• mail2
• mails
• masturbation
• material
• me
• message
• misc
• moonlight
• more
• msg
• msg2
• music
• myaunt
• mydate
• naked1
• naked2
• news
• nomoney
• note
• nothing
• number_phone
• object
• old_photos
• part2
• party
• paypal
• pic
• portmoney
• poster
• posting
• privacy
• product
• ps
• ranking
• regards
• regid
• release
• response
• schock
• secrets
• sexual
• sexy
• shower
• story
• stuff
• swimmingpool
• talk
• tear
• textfile
• topseller
• transfer
• trash
• undefinied
• unfolds
• update
• violence
• visa
• warez
• webcam
• website
• wife
• word_doc
• worker
• your_stuff
• yours

(with any of the following extensions)
• exe
• com
• pif
• scr

(The attachment may also have a double extension. In that case, any of the following extension names is inserted between the file name and one of the executable extensions listed above:)
• DOC
• HTM
• RTF
• TXT

(Note: In random cases, this worm generates email attachments with blank spaces after the first extension name in order to hide the second one.)

It gathers target email addresses by searching all of an affected system's fixed drives for files with any of the following file name extensions:

  • ADB
  • ASP
  • CGI
  • DBX
  • DHTM
  • DOC
  • EML
  • HTM
  • HTML
  • MSG
  • OFT
  • PHP
  • PL
  • RTF
  • SHT
  • SHTM
  • TBB
  • TXT
  • UIN
  • VBS
  • WAB

(Note: It is observed that NETSKY worm variants, when harvesting email addresses, convert all uppercase letters to lowercase. For example, if it finds the email address, John.Doe@Somewhere.com, it converts the address string to john.doe@somewhere.com.)

It avoids sending email messages to addresses that contain any of the following text strings, in order to avoid detection by related antivirus and security applications:

  • abuse
  • antivi
  • aspersky
  • avp
  • cafee
  • f-pro
  • f-secur
  • fbi
  • icrosoft
  • itdefender
  • orman
  • orton
  • spam
  • ymantec

It connects to a local DNS server and submits a query for yahoo.com. Once it finds a match, it also uses the resolved domain as its SMTP server. If the local DNS server returns no match for yahoo.com, this worm instead queries one of a hard-coded list of external DNS servers.


Propagation via Shared Folders

This worm also spreads by dropping copies of itself in folders inside the Windows folder whose names contain the string SHAR. Its dropped copies use any of the following file names:

  • 1000 Sex and more.rtf.exe
  • 3D Studio Max 3dsmax.exe
  • ACDSee 9.exe
  • Adobe Photoshop 9 full.exe
  • Adobe Premiere 9.exe
  • Ahead Nero 7.exe
  • Best Matrix Screensaver.scr
  • Clone DVD 5.exe
  • Cracks & Warez Archive.exe
  • Dark Angels.pif
  • Dictionary English - France.doc.exe
  • DivX 7.0 final.exe
  • Doom 3 Beta.exe
  • E-Book Archive.rtf.exe
  • Full album.mp3.pif
  • Gimp 1.5 Full with Key.exe
  • How to hack.doc.exe
  • IE58.1 full setup.exe
  • Keygen 4 all appz.exe
  • Learn Programming.doc.exe
  • Lightwave SE Update.exe
  • Magix Video Deluxe 4.exe
  • Microsoft Office 2003 Crack.exe
  • Microsoft WinXP Crack.exe
  • MS Service Pack 5.exe
  • Norton Antivirus 2004.exe
  • Opera.exe
  • Partitionsmagic 9.0.exe
  • Porno Screensaver.scr
  • RFC Basics Full Edition.doc.exe
  • Screensaver.scr 26KB
  • Serials.txt.exe 26KB
  • Smashing the stack.rtf.exe
  • Star Office 8.exe
  • Teen Porn 16.jpg.pif
  • The Sims 3 crack.exe
  • Ulead Keygen.exe
  • Virii Sourcecode.scr
  • Visual Studio Net Crack.exe
  • Win Longhorn Beta.exe
  • WinAmp 12 full.exe
  • Windows Sourcecode.doc.exe
  • WinXP eBook.doc.exe
  • XXX hardcore pic.jpg.exe
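Added example, not part of the Trend Micro write-up: a small Python detection helper that applies the attachment-naming traits described under Propagation via Email (an executable extension, a decoy DOC/HTM/RTF/TXT extension in front of it, blank-space padding between the two, and a known base name) and reuses the same check to look for copies dropped into folders whose names contain SHAR, as described above. The base-name and share-name sets are subsets of the page's lists; the folder to scan is an assumed argument.

```python
import os

# Attachment naming conventions taken from the WORM_NETSKY.AL description:
# executable extensions, the decoy extensions inserted before them, and a
# subset of the base names it uses (the full list is in the text above).
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr"}
DECOY_EXTS = {"doc", "htm", "rtf", "txt"}
KNOWN_BASENAMES = {
    "aboutyou", "bill", "creditcard", "class_photos", "document", "paypal",
    "visa", "webcam", "your_stuff",
}
# Subset of the file names dropped into folders whose names contain SHAR.
KNOWN_SHARE_NAMES = {
    "1000 sex and more.rtf.exe", "norton antivirus 2004.exe",
    "serials.txt.exe", "how to hack.doc.exe", "porno screensaver.scr",
}


def analyze_attachment_name(name):
    """Return the set of naming traits from the write-up found in `name`."""
    reasons = set()
    parts = name.split(".")
    if len(parts) < 2:
        return reasons
    # Windows matches names case-insensitively, so compare in lowercase.
    last = parts[-1].strip().lower()
    if last not in EXECUTABLE_EXTS:
        return reasons
    reasons.add("executable-extension")
    if len(parts) >= 3:
        decoy = parts[-2]
        if decoy.strip().lower() in DECOY_EXTS:
            reasons.add("double-extension")
            # Blanks after the first extension push the real one out of
            # view in mail clients that truncate long attachment names.
            if decoy != decoy.rstrip(" "):
                reasons.add("space-padded")
    if parts[0].lower() in KNOWN_BASENAMES:
        reasons.add("known-basename")
    return reasons


def find_share_drops(windows_dir):
    """Walk `windows_dir` and list files inside folders whose name contains
    SHAR that carry a known dropped name or the double-extension pattern."""
    hits = []
    for root, _dirs, files in os.walk(windows_dir):
        if "shar" not in os.path.basename(root).lower():
            continue
        for fname in files:
            if fname.lower() in KNOWN_SHARE_NAMES or \
                    "double-extension" in analyze_attachment_name(fname):
                hits.append(os.path.join(root, fname))
    return sorted(hits)
```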

Deletion of Registry Keys and Entries

Like other WORM_NETSKY variants, this worm deletes the following registry entries and key that are associated with other malware:

Variants of WORM_MYDOOM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Taskmon

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Taskmon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Explorer

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

(Note: The last item should be restored because it is a legitimate registry key in Windows, which WORM_MYDOOM variants utilize for their malicious routines.)

WORM_MIMAIL.T

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
KasperskyAv

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
KasperskyAv

WORM_NETSKY.A and WORM_NETSKY.B

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Service

It also deletes the following registry entries to prevent other malware from executing at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer
PINF

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
au.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
d3dupdate.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
OLE

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Windows Services Host

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
DELETE ME

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
msgsvr32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Sentry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
system

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Windows Services Host

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
system

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WksPatch

Other Details

This worm's code contains the following text strings:

{-{- we are the skynet - you can't hide yourself!
- we kill malware writers (they have no chance!)
- [LaMeRz--}]MyDoom.F is a thief of our idea!
- - { SkyNet AV vs. Malware }- -}-}

It runs on Windows 98, ME, NT, and 2000.

Analysis By: Jonathan N. San Jose

Revision History:

First pattern file version: 2.856.17
First pattern file release date: Sep 24, 2005

SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 2.912.01

Pattern release date: Oct 26, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press
    CTRL+ALT+DELETE
    • On Windows NT and 2000, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    MCAFFEAV.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions. If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    McAfee = "%Windows%\McAffeAv.exe -AntViru"

  (Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

Restoring Deleted Registry Entry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
  2. Right-click on the subkey, select New, click Key, and then type:
    InProcServer32
  3. In the right panel, right-click on Default, then choose Modify.
  4. Under Value Data, type the following:
    %Root%\System32\webcheck.dll
    (Note: %Root% is the system root, which is usually C:.)
  5. Close Registry Editor.

Important Windows ME Cleaning Instructions

Users running Windows ME must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

If you are currently running on safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as WORM_NETSKY.AL. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.
