How to Spot the Netsky E-Mail Virus

March 3, 2004 -- February (sorry, March) went out like a lion with back-to-back viruses.

The latest, W32/Netsky.C-mm, also known as I-worm.Moodown.c, has an increased vocabulary of subject, message and attachment names over the earlier Netsky.B.

Like its predecessor, Netsky.C is a mass mailing worm/virus that uses its own SMTP (e-mail) engine to propagate. It harvests e-mail addresses from local and mapped network drives, and like the earlier version attempts to terminate and remove MyDoom.A, MyDoom.B and Mimail.T files and processes.

Netsky.D, arriving on March 1, shares similar characteristics, though with a shorter list of subjects, messages and file names, and is removed the same way. We'll discuss Netsky.C here mostly, and point out differences as needed.

Exploiting Human Weaknesses

Both Netsky.C and Netsky.D only infect directly through executable attachments. Netsky.C also spreads through files on peer-to-peer file-sharing services, or any service that uses a folder with "Shar" in the name. Netsky does not use vulnerabilities in browsers or e-mail clients to spread, only human vulnerabilities. You can minimize your risk by not opening attachments and not using file-sharing services. If you're on a network, mapped drives should be set to "read only" to avoid having copies of Netsky.C dropped on the network from an infected client.

Other than mass mailing, and dropping files on local and shared drives, Netsky — unlike MyDoom.F — is relatively harmless. We say relatively, since it does tamper with your registry, and can cause performance problems both locally and on a network.

In addition to sending out copies of itself via e-mail, Netsky.C searches local and mapped network drives for folders with "Shar" in the name. On finding these folders, typically associated with file-sharing programs like Gnutella and Kazaa, Netsky.C drops copies of itself with names that act as bait to file-sharing users.

What to Look For

One characteristic of Netsky.C is that it has expanded its pool of attachment, subject and message possibilities over earlier viruses. The newer Netsky.D has a much shorter list of possibilities, and may combine the same words with "RE:" for subjects, such as "RE: Hello." The attachments may have "your", "my" or "all" prepended to the file name, such as "your_document.pif".

E-mails come with spoofed "from" addresses, harvested from files on the infected machines, and are often from someone you know. The virus itself comes in an attachment, typically a .ZIP file, though it may also just be an executable version of the file itself. The attachment usually has a double extension, with executable files having ".txt," ".rtf," ".doc," or ".htm" as the first, and ".exe," ".pif," ".com," or ".scr" as the second extension. TrendMicro reports that the attachments may have one of two icons.

According to Symantec, the executable file name can randomly be taken from the following long list of words. We found it can also be a combination of these names, such as the one we received with the executable file name "unfolds_injection.rtf.pif", packed inside a zip file of the same name.
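The naming pattern described above (decoy first extension, executable second extension, optionally inside a ZIP of the same name, or Netsky.D's "your_"/"my_"/"all_" prefix) can be checked at the mail gateway. The following is an added example, not code from the article or from any vendor; the sample message it builds is constructed and carries only inert placeholder text.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

DECOY_EXTS = {"txt", "rtf", "doc", "htm"}   # first extension, per the article
EXEC_EXTS = {"exe", "pif", "com", "scr"}    # second (real) extension
NETSKY_D_PREFIXES = ("your_", "my_", "all_")  # Netsky.D names like "your_document.pif"


def classify_name(name):
    """Return a reason string if a file name matches the Netsky naming patterns, else None."""
    parts = name.lower().rsplit("/", 1)[-1].rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS:
        return "double extension .%s.%s" % (parts[1], parts[2])
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS and parts[0].startswith(NETSKY_D_PREFIXES):
        return "Netsky.D-style prefix with .%s" % parts[-1]
    return None


def scan_message(raw):
    """Walk a raw RFC 822 message and flag bait attachment names, looking inside ZIPs too."""
    hits = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue
        reason = classify_name(fname)
        if reason:
            hits.append((fname, reason))
        elif fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        inner = classify_name(member)
                        if inner:
                            hits.append((fname + ":" + member, inner))
            except zipfile.BadZipFile:
                hits.append((fname, "unreadable ZIP attachment"))
    return hits


def build_sample_message():
    """Constructed sample mail (not a real Netsky capture): a ZIP wrapping an inert .rtf.pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("unfolds_injection.rtf.pif", "inert placeholder text, not executable code")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="unfolds_injection.zip")
    return msg.as_bytes()
```

An unreadable ZIP is reported rather than silently skipped, since a damaged archive is still worth a look.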

Two thirds of the time, the virus uses either a blank line, or one of the following in the subject line:

The message body can be blank or have one of the following strings. The subject line can also have one of these messages as well.

If you use file-sharing services, you should avoid downloading any of the following file names, as Netsky.C puts copies of itself in shared drives with these names:

Sneaky Startups

Unlike Netsky.B, when W32/Netsky.C runs it does not display an error message, making the infection process less visible. However, according to McAfee and TrendMicro, when the virus was executed between 6 a.m. and 9 a.m. on Feb. 26, it made sounds. McAfee has a sample here: http://vil.nai.com/images/101048.wav. The noise makes your computer sound like it's straight out of a 1960s science fiction movie.

When it runs, Netsky.C checks whether a copy of the virus is already running by looking for a mutex called "[SkyNet.cz]SystemsMutex". If it doesn't find it, Netsky.C executes and creates its own mutex to prevent additional copies from running. Once running, it makes a copy of itself in the Windows folder (C:\windows or C:\winnt depending on version), with the file name Winlogon.exe. It then adds the registry key and value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ICQ Net" = "%Windir%\winlogon.exe -stealth"

This guarantees that the virus will start when Windows starts. Netsky.C then checks the registry and deletes the following values that are part of a Netsky.A, Netsky.B, MyDoom.A, MyDoom.B or Mimail.T infection:

"Taskmon"
"Explorer"
"Windows Services Host"
"KasperskyAV"
"System."
"msgsvr32"
"DELETE ME"
"service"
"Sentry"
"d3dupdate.exe"
"au.exe"
"OLE"

From either or both registry keys associated with Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Netsky.C also deletes the value System. from the service registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

As well as removing the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
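The startup entry described above ("ICQ Net" = "%Windir%\winlogon.exe -stealth") is a simple host-side indicator, because the genuine winlogon.exe lives in System32 and is never started from a Run key. The following is an added example, not code from the article or from any vendor: the check itself is a pure function over a dictionary of Run values, the SAMPLE_RUN_VALUES dictionary is constructed, and the winreg reader only runs on Windows.

```python
import sys

# Indicators from the article: a Run value named "ICQ Net" whose command is
# %Windir%\winlogon.exe -stealth (the real winlogon.exe lives in System32).
NETSKY_C_VALUE_NAME = "icq net"
NETSKY_C_BINARY = "winlogon.exe"
NETSKY_C_SWITCH = "-stealth"

# Constructed sample of Run-key contents, not a real capture.
SAMPLE_RUN_VALUES = {
    "ICQ Net": r"C:\WINDOWS\winlogon.exe -stealth",
    "Updater": r'"C:\Program Files\Example\updater.exe" /background',
}


def flag_run_values(run_values, windir=r"C:\WINDOWS"):
    """Return (value name, reason) pairs for Run entries matching the Netsky.C pattern."""
    hits = []
    win = windir.rstrip("\\").lower()  # folder the worm copies itself into
    for name, cmd in run_values.items():
        c = cmd.strip().lower().replace("%windir%", win)
        if name.lower() == NETSKY_C_VALUE_NAME:
            hits.append((name, "Run value name used by Netsky.C"))
            continue
        exe = c.split()[0].strip('"') if c else ""
        # A winlogon.exe directly in the Windows folder, or one carrying the
        # -stealth switch, is the worm's dropped copy, whatever the value is named.
        if exe.endswith(NETSKY_C_BINARY) and (
                exe == win + "\\" + NETSKY_C_BINARY or NETSKY_C_SWITCH in c):
            hits.append((name, "winlogon.exe started from the Windows folder / -stealth"))
    return hits


def read_run_values():
    """On Windows, read HKLM and HKCU ...\\Run with the standard-library winreg module."""
    if not sys.platform.startswith("win"):
        return {}  # assumption: on other platforms only the pure check is used
    import winreg
    values = {}
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(root, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    return values
```

On a live Windows host, `flag_run_values(read_run_values())` performs the check; pass `windir=r"C:\WINNT"` on NT/2000 installations.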

Seeking Suckers

Netsky.C harvests e-mail addresses from files with ".adb," ".asp," ".cgi," ".dbx," ".dhtm," ".doc," ".eml," ".htm," ".html," ".msg," ".oft," ".php," ".pl," ".rtf," ".sht," ".shtm," ".tbb," ".txt," ".uin," ".vbs," and ".wab" extensions on the infected machine. As a self-preservation attempt, Netsky.C avoids sending messages to addresses that contain the strings: "abuse," "fbi," "Orton," "f-pro," "aspersky," "cafee," "orman," "itdefender," "f-secur," "avp," "spam," "ymantec," "antivi," or "icrosoft."

To propagate, Netsky.C uses an API call to find a DNS server to do a lookup on harvested e-mail addresses. If it fails to find a local DNS server, it has a list of two dozen hard-coded addresses it uses instead. E-mail messages are created with spoofed names and the subjects, messages and attachments described above, and sent to the harvested addresses.

Fact File

Virus name: W32/Netsky.C-mm, W32.Netsky.c@mm, I-worm.Moodown.c, moodown.c, W32/Netsky@mm
Type of virus: Windows 32 executable
Executable size: 25,353 bytes (Petite packed), 28,160 bytes (Aspack packed), 24,064 bytes (UPX packed) (may have appended garbage)
Date discovered: February 25th, 2004
Systems affected: Windows 9x/Me/NT/2000/XP
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Subject: varies
From address: spoofed from harvested addresses
Message parameters: (listed above)
Attachment: varies. Executable with double extensions, or Zip file.