| Malware name | Worm.NetSky.C |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 0E17DBEC1904B7C10614BFB29EF758FD |
| Static file | yes |
| Filesize | 25,353 Bytes |

Alias names (also known as):
| Sophos | W32/Netsky-C |
| McAfee | W32/Netsky.c@MM |
| CA ETrust | Win32/Netsky.C |

Protection:
| Webwasher Anti Malware | 6024.19.x |

Side effects:
- Lowers security settings
- Registry modification

Propagation: email and peer-to-peer file sharing (see the Email and P2P sections below).
Description:
Files
It copies itself to the following location:
• %WINDIR%\winlogon.exe
Registry
The following registry value is added so that the worm is started again after a reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "ICQ Net"="%WINDIR%\winlogon.exe -stealth"
The values of the following registry keys are removed:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• DELETE ME
• Explorer
• KasperskyAv
• msgsvr32
• Sentry
• service
• System
• TaskMon
• Windows Services Host
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• au.exe
• d3dupdate.exe
• Explorer
• KasperskyAv
• OLE
• TaskMon
• Windows Services Host
Email
It contains an integrated SMTP engine for sending emails and establishes a direct connection to the destination mail server. The characteristics of the emails are described below:
From: The sender address is spoofed.
To: One of the following:
– Email addresses found in specific files on the system.
– Addresses gathered from the internet.
Subject: One of the following:
• "notification"; "denied!"; "Question"; "believe me"; "Re: hello"; "Re: important"; "Re: hi"; "excuse me"; "Re: hey"; "exception";
"something for you"; "you?"; "Re: Re: Re: Re:"; "re:"; "take it"; "error"; "illegal..."; "good morning"; "private?"; "stolen";
"Here is it"; "Re: information"; "info"; "what's up?"; "moin"; "warning"; "fake?"; "Re: unknown"; "dear"; "hello"; "important";
"Yep"; "Re: does it?"; "read it immediatelly"; "Re: excuse me"; "hey"; "trust me"; "question"; "report"; "Status"; "Delivery Failed";
"< Attachment from Poland >"; "ok..."; "help attached"; "what means that?"; "< Server Error >"; "< Message Error >";
"< Deliver Error >"; "notice!"; "its me"; "I'm back!"; "last chance!"; "lol"; "Re: < 5664ddff?$?? >"
Body: The body of the email is one of the following lines:
• "Instant patches."
• "Your provider will be disabled!"
• "tell me more about your document!"
• "explain!"
• "do not visit the pages on the list I sent!"
• "do not open the attachment!"
• "do not use this creditcard!"
• "do not use my document!"
• "solve the problem!"
• "Authentification required. Read the attachment!"
• "Antispam is turned off. See file!"
• "is the pic a fake?"
• "your document is silly!"
• "Login required! Read the attachment!"
• "feel free to use it."
• "here is the"
• "here is my photo!"
• "here is my advice."
• "You are infected. Read the details!"
• "see your name!"
• "I 've found your bill!"
• "Transaction failed. Show the doc!"
• "< Attachment Signature 34933920 >"
• "< Click the attachment to decrypt >"
• "do you have an orgasm in the picture?"
• "try this patch!"
• "Your bill."
• "fast food..."
• "Microsoft"
• "in your mind?"
• "this is an attachment message!"
• "new patch is available!"
• "do not show this anyone!"
• "its private from me"
• "you have done a mistake in the document!"
• "are you a photographer?"
• "do you know the thief?"
• "lets talk about it!"
• "< Antispam complete >"
• "< Transfer complete >"
• "your lie is going around the world!"
• "you have a sexy body in the pic!"
• "do you have sex in the picture?"
• "does it belong to you?"
• "are you the one?"
• "are you the naked person!"
• "are you the naked one?"
• "is that your domain?"
• "is that your slip?"
• "is that your beast?"
• "is that your family?"
• "is that your work?"
• "is that your porn pic?"
• "your are naked?"
• "is that your finger?"
• "is that your cd?"
• "is that your message?"
• "is that your TAN?"
• "is that your privacy?"
• "is this information about you?"
• "money?"
• "did you know that?"
• "bob the builder"
• "are you cranky?"
• "be mad?"
• "you look like an rat?"
• "you look like an ape!"
• "let it!"
• "incest?"
• "you are sexy in this doc!"
• "here is the $%%454$"
• "great job!"
• "do not give up!"
• "is that your car?"
• "it's so similar as yours!"
• "this is nothing for kids!"
• "it's a secret!"
• "see this!"
• "correct it!"
• "i need you!"
• ";-)"
• "what?"
• "trial?"
• "doc?"
• "< Automailer >"
• "< Failed message available >"
• "i don't want your xxx pics!"
• "xxx about you?"
• "a crazy doc about you"
• "here is yours!"
• "child or adult?"
• "man or women?"
• "great xxx!"
• "< scanned by norton antivirus >"
• "<Attached Msg >"
• "< < < Failure > > >"
• "i've found it about you"
• "my advice...."
• "personal message!"
• "only encrypted!"
• "< bad gateway >"
• "how?"
• "who?"
• "what still?"
• "copyright?"
• "you cannot hide yourself! (see photo)"
• "your account is expired!"
• "xxx service"
• "i saw you last week!"
• "File is bad."
• "File is damaged."
• "File is self-decryting."
• "your face?"
• "your eyes?"
• "your body?"
• "the truth?"
• "best?"
• "i have received this."
• "does it matter?"
• "drugs? ..."
• "forgotten?"
• "already?"
• "do you have the bug also?"
• "do you think so?"
• "is that your photo?"
• "is that your creditcard?"
• "is that your wife?"
• "did you see her already?"
• "attachi
• "here is the next one!"
• "i want more..."
• "<?}"
• "<09580985869gj>"
• "<Warning from the Government>"
• "schoolfriend?"
• "docs?"
• "pretty pic about you?"
• "i don't think so."
• "great!"
• "excellent!"
• "good work!"
• "poor quality!"
• "never!"
• "wrong calculation! (see the attachment!)"
• "did you know from this document?"
• "something is not ok"
• "something is going ..."
• "is that possible?"
• "your job? (I found that!)"
• "you are bad"
• "did you ask me for that?"
• "you have tried to steal!"
• "possible?"
• "meaning of that?"
• "you feel the same."
• "is that your website?"
• "is that your attachment?"
• "you earn money, see the attachment!"
• "your attachment? verify it."
• "misc. and so on. see you!"
• "yes."
• "your personal record?"
• "modifications?"
• "i am desperate"
• "your icq number?"
• "thats wrong!"
• "you are naked in this document!"
• "why?"
• "take it easy!"
• "your TAN number?"
• "important?"
• "your design is not good!"
• "msg"
• "reply"
• "is that the reality?"
• "i am speachless about your document!"
• "i lost that"
• "instruct me about this!"
• "do you have?"
• "that's not the truth?"
• "that's a funny text."
• "what do you think about it?"
• "i like your doc!"
• "here, the cheats"
• "is that criminal?"
• "here, the introduction"
• "are you a teacherin the picture?"
• "here, the serials"
• "love letter?"
• "from your lover ;-)"
• "from the chatter (my photo!)"
• "kill him on the picture!"
• "doc about me?"
• "the information is wrong!"
• "information about you?"
• "your photo is poor"
• "something is going wrong!"
• "your document is not good"
• "stuff about you?"
• "xxx ?"
• "greetings"
• "child porn?"
• "test it"
• "another pic, have fun! ... :->"
• "her."
• "pages?"
• "why should I?"
• "this file is bad!"
• "did you sent it to me?"
• "i know your document!"
• "do you know this????"
• "really?"
• "time to fear?"
• "i found this document about you."
• "does it match?"
• "your name is wrong!"
• "i hope thats not true!"
• "old photos about you?"
• "kill the writer of this document!"
• "classroom test of you?"
• "something about you!"
• "you won the rk!"
• "I have your password!"
• "< Mail failed >"
• "I don't know your document!"
• "you are a bad writer"
• "is that yours?"
• "abuse?"
• "I wait for an answer!"
• "pwd?"
• "is that your account?"
• "message?"
• "picture?"
• "is that your name?"
• "account?"
• "is that true?"
• "illegal st. of you?"
• "here is it."
• "yours?"
• "your hero in the picture?"
• "i found that about you!"
• "read it immediately!"
• "*lol*"
• "here is the document."
• "gonna?"
• "read the details."
• "such as yours?"
• "i wait for your comment about it."
• "that is interesting..."
Attachment:
The filename of the attachment is constructed from one of the following:
• aboutyou
• associal
• attach2
• attachment
• auction
• bill
• birth
• card
• class_photos
• concert
• creditcard
• death
• description
• details
• dinner
• disco
• doc
• doc_ang
• final
• found
• freaky
• friend
• image
• incest
• information
• injection
• intimate stuff
• jokes
• letter
• location
• mail2
• mails
• masturbation
• material
• message
• misc
• moonlight
• more
• msg2
• music
• myaunt
• mydate
• naked1
• naked2
• news
• nomoney
• note
• nothing
• number_phone
• object
• old_photos
• part2
• party
• paypal
• pic
• portmoney
• poster
• posting
• privacy
• product
• ranking
• regards
• regid
• release
• response
• schock
• secrets
• sexual
• sexy
• shower
• story
• stuff
• swimmingpool
• talk
• tear
• textfile
• topseller
• transfer
• trash
• undefinied
• unfolds
• update
• violence
• visa
• warez
• webcam
• website
• wife
• word_doc
• worker
• your_stuff
• yours
The file extension is one of the following:
• .pif
• .com
• .scr
• .exe
• .zip
The attachment is a copy of the malware itself.
Mailing
Search addresses:
It searches the following files for email addresses:
• .adb; .asp; .cgi; .dbx; .dhtm; .doc; .eml; .htm; .html; .msg; .oft;
.php; .pl; .rtf; .sht; .shtm; .tbb; .txt; .uin; .vbs; .wab
Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• abuse; antivi; aspersky; avp; cafee; fbi; f-pro; f-secur; icrosoft;
itdefender; orman; orton; spam; ymantec
Resolving server names:
If a lookup via the system's configured DNS fails, it falls back to its own list of DNS servers. It has the ability to contact the following DNS servers:
P2P
To infect other systems through peer-to-peer file-sharing networks, it performs the following action:
– It searches for directories that contain the following substring:
• shar
If such a directory is found, the following files are created in it:
• 1000 Sex and more.rtf.exe; 3D Studio Max 3dsmax.exe; ACDSee 9.exe; Adobe Photoshop 9 full.exe;
Adobe Premiere 9.exe; Ahead Nero 7.exe; Best Matrix Screensaver.scr; Clone DVD 5.exe;
Cracks & Warez Archive.exe; Dark Angels.pif; Dictionary English - France.doc.exe;
DivX 7.0 final.exe; Doom 3 Beta.exe; E-Book Archive.rtf.exe; Full album.mp3.pif;
Gimp 1.5 Full with Key.exe; How to hack.doc.exe; IE58.1 full setup.exe; Keygen 4 all appz.exe;
Learn Programming.doc.exe; Lightwave SE Update.exe; Magix Video Deluxe 4.exe;
Microsoft Office 2003 Crack.exe; Microsoft WinXP Crack.exe; MS Service Pack 5.exe;
Norton Antivirus 2004.exe; Opera.exe; Partitionsmagic 9.0.exe; Porno Screensaver.scr;
RFC Basics Full Edition.doc.exe; Screensaver.scr; Serials.txt.exe; Smashing the stack.rtf.exe;
Star Office 8.exe; Teen Porn 16.jpg.pif; The Sims 3 crack.exe; Ulead Keygen.exe;
Virii Sourcecode.scr; Visual Studio Net Crack.exe; Win Longhorn Beta.exe; WinAmp 12 full.exe;
Windows Sourcecode.doc.exe; WinXP eBook.doc.exe; XXX hardcore pic.jpg.exe
Miscellaneous
Mutex:
It creates the following Mutex:
• [SkyNet.cz]SystemsMutex
String:
Furthermore, it contains the following string:
• "<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->"
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• Petite