
W32/Netsky.Q@mm

Threat risk: low
Detection files published: 29-Mar-2004
Description created: 2004-03-30
Description updated: 2004-03-30
Malware type: Worm
Alias: W32/Netsky.Q
Spreading mechanism: Email
Payload: Deletes registry values belonging to competing worms, performs a DoS attack against five web sites, and makes the system beep (see Threat description)
Summary
Netsky.Q is a mass-mailing worm packed with Petite, giving a file size of 28,008 bytes.
Spreading description
Email characteristics:

Subject: Variable
Body: Variable
Attachment: Variable
When Netsky.Q is executed it copies itself to %WINDIR%\SysMonXP.exe and creates the following registry value so that it is started with Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysmonxp = "%WINDIR%\SysMonXP.exe"
 
The worm then writes its SMTP engine, a UPX-packed DLL, to %WINDIR%\firewalllogger.txt.
 
The worm then launches Notepad.exe to display the contents of a file named "temp.eml", which may or may not exist.
 
Next the worm creates Base64 encoded copies of itself which are stored in the %WINDIR% directory with the following file names:
 
  • zipo0.txt
  • zipo1.txt
  • zipo2.txt
  • zipo3.txt
  • base64.tmp
 
In addition to the Base64-encoded files, Netsky.Q creates %WINDIR%\zippedbase64.tmp, a ZIP archive containing an uncompressed copy of the worm.
 
Netsky then searches for e-mail addresses in files with the following extensions:
 
  • .ppt
  • .xls
  • .stm
  • .ods
  • .nch
  • .mmf
  • .mht
  • .mdx
  • .mbx
  • .cfg
  • .xml
  • .wsh
  • .jsp
  • .html
  • .htm
  • .pl
  • .dbx
  • .tbb
  • .adb
  • .dhtm
  • .cgi
  • .shtm
  • .uin
  • .rtf
  • .vbs
  • .msg
  • .oft
  • .sht
  • .doc
  • .wab
 
Netsky skips any harvested e-mail address that contains one of the following strings:
 
  • reports@
  • spam@
  • noreply@
  • @viruslis
  • ntivir
  • @sophos
  • @freeav
  • @pandasof
  • @skynet
  • @messagel
  • abuse@
  • @fbi
  • @norton
  • @f-pro
  • @kaspersky
  • @mcafee
  • @norman
  • @bitdefender
  • @f-secur
  • @avp
  • @spam
  • @symantec
  • @antivi
  • @microsof
 
The worm then proceeds to mail itself to all of the harvested e-mail addresses. The subject line, body text and attachment name vary, and are composed from various word-lists.
 
Subject:
 
The subject line is one of the following strings with the recipient name appended in parentheses:

  • Server Error
  • Deliver Mail
  • Delivery Failed
  • Unknown Exception
  • Failed
  • Failure Status
  • Error
  • Delivered Message
  • Mail System
  • Mail Delivery System
  • Mail Delivery failure
  • Delivery
  • Delivery Failure
  • Delivery Error
  • Delivery Bot
 
Body:
 
The first part of the body is one of the following strings:

  • Delivery Agent - Translation failed
  • Delivery Failure - Invalid mail specification
  • Mail Delivery Failure - This mail couldn't be shown
  • Mail Delivery System - This mail contains binary characters
  • Mail Transaction Failed - This mail couldn't be converted
  • Mail Delivery Error - This mail contains unicode characters
  • Mail Delivery Failed - This mail couldn't be represented
  • Mail Delivery - This mail couldn't be displayed
 
The next part of the body is the following string:
 
------------- failed message ------------- 
 
The final section of the body text is one of the following strings:
 
  • Received message has been sent as a binary file.
  • Modified message has been sent as a binary attachment.
  • Received message has been sent as an encoded attachment.
  • Translated message has been attached.
  • Message has been sent as a binary attachment.
  • Received message has been attached.
  • Partial message is available and has been sent as a binary attachment.
  • The message has been sent as a binary attachment.

Netsky may also append a URL to the end of the body text, which executes the worm if clicked. The URL has the format:
 
www.[recipient domain name]/inmail/[recipient user name]/mread.php?sessionid-[random numbers]
 
Attachment:
 
The first part of the attachment name is selected from these strings:
 
  • data
  • mail
  • msg
  • message
 
followed by a random number and then one of the following file extensions:
 
  • .pif
  • .scr
  • .zip
  • .eml

When Netsky sends itself inside a zip archive, the file name usually ends in .eml followed by 100 blank spaces and then the real .scr extension, so that the executable extension is pushed out of view in most file listings and mail clients. This is an attempt to trick the recipient into running the worm.
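
The naming trick above is easy to check for mechanically. The following Python is an added example, not Norman's code and not part of the original write-up: it reports the extension Windows would actually act on, flags a decoy extension followed by whitespace padding, and runs the same check over the members of a ZIP archive. The executable-extension list and the sample archive are constructed for the example.

```python
"""Flag attachment names that hide an executable extension behind padding.

Added example (not part of the Norman write-up): it models the naming
trick where a file name such as "message.eml" is followed by 100 spaces
and a real ".scr" extension so the final extension scrolls out of view.
The sample ZIP is constructed inline and contains no real binary.
"""
import io
import re
import zipfile

# Extensions Windows launches directly (assumption: this list is ours,
# not something the write-up enumerates).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def real_extension(name: str) -> str:
    """Return the extension Windows actually acts on: the text after the
    last dot, with surrounding whitespace removed, lower-cased."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def analyse_name(name: str) -> dict:
    """Describe a file name: its effective extension, whether that is
    executable, and whether a harmless-looking inner extension is followed
    by a run of whitespace (the ".eml<spaces>.scr" pattern)."""
    ext = real_extension(name)
    # Inner ".xxx", then two or more blanks (space, tab, NBSP), then ".ext" at end
    padded = re.search(
        r"\.([A-Za-z0-9]{1,5})[ \t\u00a0]{2,}\.[A-Za-z0-9]{1,5}$", name)
    return {
        "name": name,
        "extension": ext,
        "executable": ext in EXECUTABLE_EXTS,
        "padded_double_extension": bool(padded),
        "decoy_extension": padded.group(1).lower() if padded else "",
    }


def analyse_zip(data: bytes) -> list:
    """Run analyse_name over every member of a ZIP archive given as bytes,
    so the same check covers the zipped variant of the attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyse_name(info.filename) for info in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose single member uses the padded name.
    The member content is a placeholder string, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.eml" + " " * 100 + ".scr", b"not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["data.eml", "msg12345.pif", "message.eml" + " " * 100 + ".scr"]:
        print(analyse_name(n))
    for r in analyse_zip(build_sample_zip()):
        print(r)
```

Checking the effective extension after stripping whitespace, rather than the extension as displayed, is the point: a gateway rule that only looks at the last four characters of the name as shown would see ".scr" here, but one that trusts the ".eml" it sees first, or that truncates long names, would not.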

Threat description
In an attempt to prevent competing worms from running, Netsky deletes the following registry values:
 
  • Explorer
  • system.
  • msgsvr32
  • au.exe
  • winupd.exe
  • direct.exe
  • jijbl
  • Video
  • service
  • DELETE ME
  • d3dupdate.exe
  • OLE
  • Sentry
  • gouday.exe
  • rate.exe
  • Taskmon
  • Windows Services Host
  • sysmon.exe
  • srate.exe
  • ssate.exe
  • Microsoft IE Execute shell
  • Winsock2 driver
  • ICM version
  • yeahdude.exe
  • Microsoft System Checkup
 
from the following keys:
 
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm will also delete the following registry keys:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Netsky.Q also attempts a DoS attack against the following sites between 7-Apr-2004 and 12-Apr-2004, using HTTP GET requests:
 
  • www.cracks.st
  • www.edonkey2000.com
  • www.kazaa.com
  • www.emule-project.net
  • www.cracks.am

Netsky exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Internet Explorer, which lets the worm execute automatically when the message is viewed on unpatched systems. For further information on this vulnerability see Microsoft Security Bulletin MS01-020.
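
The following Python is an added example, not code from the Norman write-up or from Microsoft. It parses a constructed message shaped like the ones described above and checks for the two halves of the MS01-020 pattern: an attachment whose declared Content-Type is one IE rendered inline without prompting (audio/x-wav is the classic case) but whose file name is executable, and an HTML body that pulls that part in automatically through an <iframe src="cid:..."> element. The sample message, the part names and the set of inline types are assumptions made for the example.

```python
"""Spot the MS01-020 MIME trick in an e-mail: an executable attachment
declared with an innocuous Content-Type (e.g. audio/x-wav) and loaded
automatically by an <iframe src="cid:..."> in the HTML body.

Added example, not code from the Norman write-up; the message below is
constructed for illustration and its part names are invented.
"""
import re
from email import message_from_bytes

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Content-Types IE rendered inline without a prompt (assumption: a
# representative subset chosen for the example, not an exhaustive list).
INLINE_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}

# Constructed sample message; the attachment body is a placeholder string.
SAMPLE_MAIL = b"""\
From: postmaster@example.com
To: user@example.com
Subject: Delivery Failure (user)
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body>Mail Delivery Failure - This mail couldn't be shown<br>
------------- failed message -------------<br>
Received message has been sent as a binary attachment.
<iframe src="cid:part1" height=0 width=0></iframe>
</body></html>
--b1
Content-Type: audio/x-wav; name="message4711.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1>

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].strip().lower() if "." in name else ""


def find_ms01_020_pattern(raw: bytes) -> dict:
    """Parse the message and report which indicators are present:
    parts whose declared type is inline-renderable but whose file name is
    executable, HTML parts that auto-load a cid: via iframe, and whether
    the two are linked through the same Content-ID."""
    msg = message_from_bytes(raw)
    findings = {"mismatched_parts": [], "iframe_cids": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename() or part.get_param("name") or ""
        if ctype in INLINE_TYPES and _extension(name) in EXECUTABLE_EXTS:
            findings["mismatched_parts"].append({
                "content_type": ctype,
                "filename": name,
                "content_id": (part.get("Content-ID") or "").strip("<>"),
            })
        if ctype == "text/html":
            html = part.get_payload(decode=True).decode("ascii", "replace")
            findings["iframe_cids"] += re.findall(
                r'<iframe[^>]+src=["\']?cid:([^"\'\s>]+)', html, re.I)
    # The attack needs both halves to line up on the same Content-ID.
    linked = {p["content_id"] for p in findings["mismatched_parts"]}
    findings["auto_exec_chain"] = any(c in linked for c in findings["iframe_cids"])
    return findings


if __name__ == "__main__":
    print(find_ms01_020_pattern(SAMPLE_MAIL))
```

A mail gateway would normally act on either indicator alone; requiring both to share a Content-ID, as auto_exec_chain does, is the stricter check that separates this exploit pattern from a merely mislabelled attachment.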

 
Also, on 30-Mar-2004 between 5:00 AM and 11:00 AM, Netsky.Q causes the PC speaker to beep at a random pitch every 50 ms.
Removal
Netsky.Q is detected and removed with definition files dated 29-Mar-2004 or later. The DLL component is detected as W32/Netsky.P and removed with definition files dated 22-Mar-2004 or later.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that they detect.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free tool Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

  • Norman Malware Cleaner
  • Stopping network share infectors
  • Cleaning of back-up folders on Windows Me and XP