F-Secure Virus Descriptions : NetSky.P


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: NetSky.P
ALIAS: W32/Netsky.P@mm, I-Worm.Netsky.q, Netsky.q
SIZE: 29568

Summary

The Netsky.P worm variant was discovered on March 21st, 2004. It spreads inside a dropper that extracts the main worm file to the hard drive when it is run. This variant is functionally similar to the previous variants, but it has some new features. The worm can spread via e-mail, local and peer-to-peer networks, and ftp and http server folders.

Disinfection

F-Secure provides a special disinfection utility to eliminate the Netsky.P worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar



Detailed Description

The worm's file is spread as a dropper, a Windows PE executable 29568 bytes long packed with the FSG file packer. When the dropper is run, it extracts the main worm file, which is 26624 bytes long and packed with a modified UPX file compressor. That file is a DLL, so the Netsky authors have started using a new approach to installing the worm on a system.

Installation to system

Upon execution Netsky.P copies itself as the FVPROTECT.EXE file to the Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files to the System Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Norton Antivirus AV" = "%WinDir%\fvprotect.exe"

where %WinDir% represents the Windows folder name.

Additionally the worm drops the following files into the Windows folder:

 zipped.tmp
 base64.tmp
 zip1.tmp
 zip2.tmp
 zip3.tmp

These files contain the UUEncoded worm executable and ZIP archives (3 different variants). These 3 archives contain the worm's executables with the following names:

 document.txt <lots of spaces> .exe
 data.rtf <lots of spaces> .scr
 details.txt <lots of spaces> .pif
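
The installation artifacts above (the "Norton Antivirus AV" Run value and the dropped file names) can be checked for in a registry export. The following Python script is an added example, not F-Secure's f-netsky utility or any code from the worm; it assumes the input is in the text format that `reg export` writes, and the export embedded in it is constructed, not captured from an infected host.

```python
"""Check a registry export for the Netsky.P autorun artifact.

Added example, not F-Secure's disinfection tool. Parses the text format
written by `reg export` (an assumption about the input) and reports Run
values that point at the files the description says the worm drops.
"""
import re

# Artifacts from the description: the autorun value name and the dropped files.
AUTORUN_VALUE_NAME = "Norton Antivirus AV"
DROPPED_FILES = {
    "fvprotect.exe", "userconfig9x.dll",
    "zipped.tmp", "base64.tmp", "zip1.tmp", "zip2.tmp", "zip3.tmp",
}

# Constructed sample export (not captured from an infected host). The
# second HKLM value reproduces the startup entry from the description.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Norton Antivirus AV"="C:\\WINDOWS\\fvprotect.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg files double every backslash; undo that for path handling.
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")


def find_netsky_autoruns(text):
    """Return (key, name, data) for Run values tied to the Netsky.P install."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        # Match on the file name, so a renamed value still gets reported.
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == AUTORUN_VALUE_NAME or basename in DROPPED_FILES:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_netsky_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name!r} -> {data}")
```

A real export from `reg export` is UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing its contents to `find_netsky_autoruns`. The check keys on the file name rather than only on the value name, so it still reports the entry if the value was renamed but still launches fvprotect.exe.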

Spreading in e-mail

Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:

 .pl
 .htm
 .html
 .eml
 .txt
 .php
 .asp
 .wab
 .doc
 .vbs
 .rtf
 .uin
 .shtm
 .cgi
 .dhtm
 .adb
 .tbb
 .dbx
 .sht
 .oft
 .msg
 .jsp
 .wsh
 .xml

The worm avoids sending e-mails to addresses that contain the following substrings:

 @microsof
 @antivi
 @symantec
 @spam
 @avp
 @f-secur
 @bitdefender
 @norman
 @mcafee
 @kaspersky
 @f-pro
 @norton
 @fbi
 abuse@
 @messagel
 @skynet
 @pandasof
 @freeav
 @sophos
 ntivir
 @viruslis
 noreply@
 spam@
 reports@

The worm composes over 30 different types of e-mails. Subjects, body texts and attachment names are randomly selected from the variants that are hardcoded in the worm's body. These are the variants of the messages that the worm can send out:

Subject:

 Re: Hi
 Re: Hello

Body:

 Please confirm!
 Please answer quickly!

Attachment:

 detail3.<ext>
 document_all02c.<ext>
 summary2004.<ext>

----------------- or -----------------

Subject:

 Re: Request

Body:

 Thank you for your request, your details are attached!
 Thanks!

Attachment:

 details05.<ext>
 data02.<ext>
 all_in_all.<ext>

----------------- or -----------------

Subject:

 Shocking document
 You cannot do that!

Body:

 I am shocked about your document!
 Let'us be short: you have no experience in writing letters!!!

Attachment:

 document05.<ext>
 your_document.<ext>
 document_with_notice.<ext>

----------------- or -----------------

Subject:

 hi
 hello

Body:

 Try this, or nothing!
 Here is it!

Attachment:

 document05.<ext>
 game_xxo.<ext>
 websites03.<ext>

----------------- or -----------------

Subject:

 Fwd: Warning again
 Notice again

Body:

 Do not visit this illegal websites!
 You have downloaded these illegal cracks?.

Attachment:

 abuselist.<ext>
 abuses.<ext>
 websites01.<ext>

----------------- or -----------------

Subject:

 Re: List
 Re: Question

Body:

 Here is my icq list.
 Here is my phone number.

Attachment:

 my_list01.<ext>
 my_numbers.<ext>
 archive.<ext>

----------------- or -----------------

Subject:

 Spamed?
 Spam

Body:

 I have visited this website and I found you in the spammer list. Is that true?
 Are you a spammer? (I found your email on a spammer website!?!)

Attachment:

 websitelist01.<ext>
 list_ed.<ext>
 abuse_list.<ext>

----------------- or -----------------

Subject:

 0i09u5rug08r89589gjrg

Body:

 po44u90ugjid-k9z5894z0
 9u049u89gh89fsdpokofkdpbm3-4i

Attachment:

 id04009.<ext>
 id43342.<ext>
 id09509.<ext>

----------------- or -----------------

Subject:

 <random>

Body:

 <random>

Attachment:

 important.<ext>
 details.<ext>
 message.<ext>

----------------- or -----------------

Subject:

 Re: A!p$ghsa
 Important m$6h?3p

Body:

 Please r564g!he4a56a3haafdogu#mfn3o
 SMTP Error #201

 See the ghg5%&6gfz65!4Hf55d!46gfgf
 Server Error #203

Attachment:

 important.<ext>
 details03.<ext>
 document07.<ext>

----------------- or -----------------

Subject:

 Do you?
 Does it matter?

Body:

 Your photo, uahhh.... , you are naked!
 You have written a very good text, excellent, good work!

Attachment:

 text01.<ext>
 details.<ext>
 d4334938.<ext>

----------------- or -----------------

Subject:

 News
 Information

Body:

 Your archive is attached.
 Monthly news report.

Attachment:

 news01.<ext>
 info02.<ext>
 report01.<ext>

----------------- or -----------------

Subject:

 I love you!
 I cannot forget you!

Body:

 lovely, :-)
 your big love, ;-)

Attachment:

 letter43.<ext>
 story.<ext>
 photo.<ext>

----------------- or -----------------

Subject:

 Re: Proof of concept
 Re: Developement

Body:

 I hope you accept the result!
 The sample is attached!

Attachment:

 document09.<ext>
 part_01.<ext>
 doc_word3.<ext>

----------------- or -----------------

Subject:

 Re: Message
 Re: Error in document

Body:

 Your important document, correction is finished!
 Important message, do not show this anyone!

Attachment:

 attach.<ext>
 document.<ext>
 message.<ext>

----------------- or -----------------

Subject:

 Re: Free porn
 Re: Sex pictures

Body:

 Here is the website. ;-)
 My favourite page.

Attachment:

 www.freeporn4all.<ext>
 www.myx4free.<ext>

----------------- or -----------------

Subject:

 Re: Submit a Virus Sample
 Re: Virus Sample

Body:

 The sample file you sent contains a new virus version of mydoom.j.
 Please clean your system with the attached signature.
 Sincerly,
  Robert Ferrew

 The sample file you sent contains a new virus version of buppa.k.
 Please update your virus scanner with the attached dat file.
 Best Regards,
  Keria Reynolds

Attachment:

 signature.<ext>
 datfiles.<ext>

----------------- or -----------------

Subject:

 Re: Old times
 Re: Old photos

Body:

 Greetings from france,
  your friend.

 Have a look at these.

Attachment:

 old_photos.<ext>
 letter.<ext>

----------------- or -----------------

Subject:

 Postcard
 Your day

Body:

 Best wishes,
  your friend.

 Congratulations!,
  your best friend.

Attachment:

 postcard.<ext>
 letter.<ext>

----------------- or -----------------

Subject:

 Re: Sample
 Re: Question

Body:

 I have corrected your document.
 I have attached the sample.

Attachment:

 sample01.<ext>
 doc01.<ext>
 word_doc.<ext>
 document04.<ext>

----------------- or -----------------

Subject:

 Thank you!
 Congratulations!

Body:

 Your bill is attached to this mail.
 You were registered to the pay system.
 For more details see the attachment.

Attachment:

 bill.<ext>
 list.<ext>
 confirm.<ext>
 details.<ext>

----------------- or -----------------

Subject:

 Illegal Website
 Internet Provider Abuse

Body:

 I noticed that you have visited illegal websites.
 See the name in the list!

 You have visited illegal websites.
 I have a big list of the websites you surfed.

Attachment:

 list.<ext>
 abuselist.<ext>
 judge.<ext>
 readme.<ext>
 details.<ext>

----------------- or -----------------

Subject:

 Mail Account
 Administrator

Body:

 Your mail account is expired.
 See the details to reactivate it.

 Your mail account has been closed.
 For further details see the document.

Attachment:

 account.<ext>
 readme.<ext>
 details.<ext>

----------------- or -----------------

Subject:

 Re: Hi
 Re: Its me

Body:

 The file is protected with the password ghj001.
 I have attached your file. Your password is jkl44563.

Attachment:

 document.<ext>
 document43.<ext>
 priv.<ext>
 letter32.<ext>
 data20.<ext>
 mails9.<ext>
 your_doc.<ext>
 my_details.<ext>

----------------- or -----------------

Subject:

 Private document
 Stolen document

Body:

 I found this document about you.
 I cannot believe that.

Attachment:

 document342.<ext>
 your_document.<ext>
 about_you.<ext>

----------------- or -----------------

Subject:

 Hello
 Hi

Body:

 Try this game ;-)
 I hope the patch works.

Attachment:

 game.<ext>
 patch3425.<ext>
 application.<ext>
 software.<ext>

----------------- or -----------------

Subject:

 Mail Delivery (failure)
 Error

Body:

 Binary message is available.
 Message has been sent as a binary attachment.

Attachment:

 message.<ext>
 msg.<ext>
 data.<ext>
 letter.<ext>
 email.<ext>

----------------- or -----------------

Subject:

 Re: Is that your document?
 Is that your password?

Body:

 Can you confirm it?
 I have attached it to this mail.

Attachment:

 document.<ext>
 pwd02.<ext>
 document01.<ext>
 part6.<ext>
 private_01.<ext>

----------------- or -----------------

Subject:

 Re: Approved document
 Re: Your document

Body:

 Please read the attached file.
 Your document is attached.

Attachment:

 file.<ext>
 your_document.<ext>
 about_you.<ext>
 document04.<ext>
 msg.<ext>
 all_doc01.<ext>
 document.<ext>
 approved.<ext>
 improved.<ext>
 corrected.<ext>

----------------- or -----------------

Subject:

 Protected Mail System
 Mail Authentication

Body:

 Encrypted message is available.
 Protected message is attached.

Attachment:

 pgp_sess01.<ext>
 encrypted_msg01.<ext>
 document.<ext>
 message.<ext>
 msg.<ext>

----------------- or -----------------

Subject:

 Re: Mail Authentification
 Re: Delivery Protection
 Re: Secure delivery
 Re: Protected Mail Delivery
 Re: Protected Mail System
 Re: Protected Mail Request
 Re: Secure SMTP Message
 Re: Extended Mail System
 Re: Error
 Re: Message Error
 Re: Administration
 Re: Test
 Re: Thank you for delivery
 Re: Failure
 Re: Bad Request
 Re: Delivery Server
 Re: Mail Server
 Re: SMTP Server
 Re: Notify
 Re: Status
 Re: Extended Mail
 Re: Encrypted Mail

Body:

 Please confirm my request.
 ESMTP [Secure Mail System #334]:  Secure message is attached.
 Partial message is available.
 Waiting for a Response. Please read the attachment.
 First part of the secure mail is available.
 For more details see the attachment.
 For further details see the attachment.
 Your requested mail has been attached.
 Protected Mail System Test.
 Secure Mail System Beta Test.
 Forwarded message is available.
 Delivered message is attached.
 Encrypted message is available.
 Please read the attachment to get the message.
 Follow the instructions to read the message.
 Please authenticate the secure message.
 Protected message is attached.
 Waiting for authentification.
 Protected message is available.
 Bad Gateway: The message has been attached.
 SMTP: Please confirm the attached message.
 You got a new message.
 Now a new message is available.
 New message is available.
 You have received an extended message. Please read the instructions.

Attachment:

 message.<ext>
 msg.<ext>
 details.<ext>
 data.<ext>
 document.<ext>
 readme.<ext>

----------------- or -----------------

Subject:

 here
 hi
 hello
 thanks!
 approved
 corrected
 patched
 improved
 important
 read it immediately

Body:

 Your details.
 Your document.
 I have received your document. The corrected document is attached.
 I have attached your document.
 Your document is attached to this mail.
 Authentication required.
 Requested file.
 See the file.
 Please read the important document.
 Please confirm the document.
 Your file is attached.
 Please read the document.
 Your document is attached.
 Please read the attached file!
 Please see the attached file for details.

Attachment:

 your
 my
 approved
 important

combined with the following:

 document.<ext>
 file.<ext>
 details.<ext>
 information.<ext>
 letter.<ext>
 product.<ext>
 website.<ext>
 application.<ext>
 screensaver.<ext>
 bill.<ext>
 word document.<ext>
 excel document.<ext>
 data.<ext>
 message.<ext>
 text.<ext>
 document_all.<ext>

The <ext> represents the extension that can be single or double. The first extension can be:

 .txt
 .doc

The second extension can be:

 .pif
 .exe
 .scr

The infected attachment name can contain random numbers and can be sent in a ZIP archive.

The worm can add a fake scan report to the end of an infected message. The following variants of scan report are used:

 +++ Attachment: No Virus found
 +++ MessageLabs AntiVirus - www.messagelabs.com

 +++ Attachment: No Virus found
 +++ Bitdefender AntiVirus - www.bitdefender.com

 +++ Attachment: No Virus found
 +++ MC-Afee AntiVirus - www.mcafee.com

 +++ Attachment: No Virus found
 +++ Kaspersky AntiVirus - www.kaspersky.com

 +++ Attachment: No Virus found
 +++ Panda AntiVirus - www.pandasoftware.com

 ++++ Attachment: No Virus found
 ++++ Norman AntiVirus - www.norman.com

 ++++ Attachment: No Virus found
 ++++ F-Secure AntiVirus - www.f-secure.com

 ++++ Attachment: No Virus found
 ++++ Norton AntiVirus - www.symantec.de

The worm can send messages with an IFrame Exploit that allows the worm's attachment MESSAGE.SCR to be automatically run on certain versions of e-mail clients.
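
Two features of these messages lend themselves to mail-gateway detection: the attachment names (a decoy .txt or .doc extension, optional run of spaces, then an executable extension) and the fake "+++ Attachment: No Virus found" footer. The following Python triage logic is an added example, not code from F-Secure's description or from the worm; the sample messages it runs over are constructed.

```python
"""Mail-triage heuristics for the Netsky.P lures described above.

Added example; not code from F-Secure or from the worm. Flags attachment
names shaped like the ones the description explains (decoy .txt/.doc,
optional space padding, executable final extension) and body lines that
imitate the "+++ Attachment: No Virus found" gateway footer. All sample
messages are constructed.
"""
import re

# Final extensions the description lists for the infected attachment.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr"}
# Harmless-looking first extensions used in the double-extension names.
DECOY_EXTS = (".txt", ".doc")
# Fake scan-report lines; the vendor pattern covers every variant listed.
FAKE_SCAN_RE = re.compile(r"^\+{3,}\s*Attachment:\s*No Virus found\s*$", re.I)
VENDOR_LINE_RE = re.compile(r"^\+{3,}\s*.+AntiVirus\s*-\s*www\.\S+\s*$", re.I)


def classify_attachment_name(name):
    """Return the reasons a name matches the lure shape ([] if none)."""
    reasons = []
    stem, dot, last = name.rstrip().rpartition(".")
    if not dot:
        return reasons
    final_ext = "." + last.lower()
    if final_ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension {final_ext}")
    if stem != stem.rstrip():
        reasons.append("whitespace padding hides the final extension")
    if stem.rstrip().lower().endswith(DECOY_EXTS):
        reasons.append("decoy document extension before the real one")
    return reasons


def find_fake_scan_report(body):
    """Return body lines that imitate an anti-virus gateway footer."""
    lines = (ln.strip() for ln in body.splitlines())
    return [ln for ln in lines if FAKE_SCAN_RE.match(ln) or VENDOR_LINE_RE.match(ln)]


def triage_message(msg):
    """Return a list of findings for a message dict; [] means nothing matched."""
    findings = []
    for name in msg["attachments"]:
        for reason in classify_attachment_name(name):
            findings.append(f"attachment {name.strip()!r}: {reason}")
    for line in find_fake_scan_report(msg["body"]):
        findings.append(f"fake scan report line: {line!r}")
    return findings


# Constructed samples: one shaped like the lure, one ordinary message.
SAMPLE_MESSAGES = [
    {
        "subject": "Re: Approved document",
        "body": "Please read the attached file.\n\n"
                "+++ Attachment: No Virus found\n"
                "+++ F-Secure AntiVirus - www.f-secure.com\n",
        "attachments": ["your_document.txt" + " " * 40 + ".pif"],
    },
    {
        "subject": "Re: Question",
        "body": "Minutes from Tuesday are attached.\n",
        "attachments": ["minutes-2004-03.pdf"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage_message(msg) or "clean")
```

A single executable extension is a weak signal on its own; the padding and the decoy extension are what make the name look like this family, so a gateway rule would normally act on two or more reasons. When the attachment arrives as a ZIP archive, run `classify_attachment_name` over the member names inside the archive, since that is where the padded name lives.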

Spreading to LAN and P2P networks, ftp and http server folders

The worm scans all drives from C: to Z: except CD-ROM drives. If it finds folders with any of the following names:

 my shared folder
 download
 ftp
 htdocs
 http
 upload
 shar
 icq
 bear
 lime
 morpheus
 donkey
 mule
 kazaa
 shared files

it copies itself there multiple times with the following names:

 Kazaa Lite 4.0 new.exe
 Britney Spears Sexy archive.doc.exe
 Kazaa new.exe
 Britney Spears porn.jpg.exe
 Harry Potter all e.book.doc.exe
 Britney sex xxx.jpg.exe
 Harry Potter 1-6 book.txt.exe
 Britney Spears blowjob.jpg.exe
 Harry Potter e book.doc.exe
 Britney Spears cumshot.jpg.exe
 Harry Potter.doc.exe
 Britney Spears fuck.jpg.exe
 Harry Potter game.exe
 Britney Spears.jpg.exe
 Harry Potter 5.mpg.exe
 Britney Spears and Eminem porn.jpg.exe
 Matrix.mpg.exe
 Britney Spears Song text archive.doc.exe
 Britney Spears full album.mp3.exe
 Eminem.mp3.exe
 Britney Spears.mp3.exe
 Eminem Song text archive.doc.exe
 Eminem Sexy archive.doc.exe
 Eminem full album.mp3.exe
 Eminem Spears porn.jpg.exe
 Ringtones.mp3.exe
 Eminem sex xxx.jpg.exe
 Ringtones.doc.exe
 Eminem blowjob.jpg.exe
 Altkins Diet.doc.exe
 Eminem Poster.jpg.exe
 American Idol.doc.exe
 Cloning.doc.exe
 Saddam Hussein.jpg.exe
 Arnold Schwarzenegger.jpg.exe
 Windows 2003 crack.exe
 Windows XP crack.exe
 Adobe Photoshop 10 crack.exe
 Microsoft WinXP Crack full.exe
 Teen Porn 15.jpg.pif
 Adobe Premiere 10.exe
 Adobe Photoshop 10 full.exe
 Best Matrix Screensaver new.scr
 Porno Screensaver britney.scr
 Dark Angels new.pif
 XXX hardcore pics.jpg.exe
 Microsoft Office 2003 Crack best.exe
 Serials edition.txt.exe
 Screensaver2.scr
 Full album all.mp3.pif
 Ahead Nero 8.exe
 netsky source code.scr
 E-Book Archive2.rtf.exe
 Doom 3 release 2.exe
 How to hack new.doc.exe
 Learn Programming 2004.doc.exe
 WinXP eBook newest.doc.exe
 Win Longhorn re.exe
 Dictionary English 2004 - France.doc.exe
 RFC compilation.doc.exe
 1001 Sex and more.rtf.exe
 3D Studio Max 6 3dsmax.exe
 Keygen 4 all new.exe
 Windows 2000 Sourcecode.doc.exe
 Norton Antivirus 2005 beta.exe
 Gimp 1.8 Full with Key.exe
 Partitionsmagic 10 beta.exe
 Star Office 9.exe
 Magix Video Deluxe 5 beta.exe
 Clone DVD 6.exe
 MS Service Pack 6.exe
 ACDSee 10.exe
 Visual Studio Net Crack all.exe
 Cracks & Warez Archiv.exe
 WinAmp 13 full.exe
 DivX 8.0 final.exe
 Opera 11.exe
 Internet Explorer 9 setup.exe
 Smashing the stack full.rtf.exe
 Ulead Keygen 2004.exe
 Lightwave 9 Update.exe
 The Sims 4 beta.exe

This feature allows the worm to spread to the local network, to shared folders of P2P (peer-to-peer) clients and to ftp and http server folders (if such servers are present on an infected computer or on computers that have open shares with an infected one). Additionally it allows the worm to copy itself multiple times onto a local hard disk.
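
The folder-name and file-name lists in this section translate directly into a sweep a defender can run over file servers and P2P shares. The following Python script is an added example (not F-Secure's f-netsky utility): it walks a tree, selects folders whose names contain one of the listed substrings, and reports files there that carry one of the listed copy names or an executable extension. The tree it scans is constructed in a temporary directory; the known-name set is a subset of the list above and is meant to be extended with the full list.

```python
"""Sweep share/upload folders for the Netsky.P copies described above.

Added example, not F-Secure's tool. Walks a directory tree, selects folders
whose names contain one of the substrings the description lists, and reports
files there that carry one of the listed copy names or an executable
extension. The tree it scans is constructed in a temporary directory.
"""
import os
import shutil
import tempfile

# Folder-name substrings from the description (matched case-insensitively).
TARGET_FOLDER_SUBSTRINGS = [
    "my shared folder", "download", "ftp", "htdocs", "http", "upload",
    "shar", "icq", "bear", "lime", "morpheus", "donkey", "mule", "kazaa",
    "shared files",
]
# A subset of the copy names from the description; extend with the full list.
KNOWN_COPY_NAMES = {
    "Kazaa Lite 4.0 new.exe", "Harry Potter game.exe", "Matrix.mpg.exe",
    "Doom 3 release 2.exe", "netsky source code.scr", "RFC compilation.doc.exe",
}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")


def is_target_folder(path):
    """True if the folder's own name contains one of the targeted substrings."""
    name = os.path.basename(path).lower()
    return any(sub in name for sub in TARGET_FOLDER_SUBSTRINGS)


def sweep(root):
    """Return sorted (path, reason) pairs for suspicious files in target folders."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # The root is the starting point, not a folder under test.
        if dirpath == root or not is_target_folder(dirpath):
            continue
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn in KNOWN_COPY_NAMES:
                hits.append((full, "known Netsky.P copy name"))
            elif fn.lower().endswith(EXECUTABLE_EXTS):
                hits.append((full, "executable in a shared/upload folder"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed tree mimicking a P2P share and a web root."""
    root = tempfile.mkdtemp(prefix="sweep-sample-")
    layout = {
        os.path.join("Program Files", "Kazaa", "My Shared Folder"):
            ["song.mp3", "Kazaa Lite 4.0 new.exe", "Matrix.mpg.exe"],
        os.path.join("Inetpub", "wwwroot", "htdocs"):
            ["index.html", "RFC compilation.doc.exe", "counter.exe"],
        os.path.join("Documents", "Pictures"):
            ["holiday.jpg", "installer.exe"],
    }
    for rel_dir, files in layout.items():
        d = os.path.join(root, rel_dir)
        os.makedirs(d)
        for fn in files:
            with open(os.path.join(d, fn), "wb") as f:
                f.write(b"placeholder, not a real binary\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for path, reason in sweep(root):
            print(f"{reason}: {os.path.relpath(path, root)}")
    finally:
        shutil.rmtree(root)
```

Only the folder's own name is tested, matching the description, so an executable in a folder that is not itself named like a share (the Pictures folder in the sample) is not reported; the "executable in a shared/upload folder" reason is a prompt to inspect, not a verdict, since web roots and upload directories legitimately hold some executables.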

Deleting Registry keys and disinfecting Bagle worm

The NetSky.P worm variant deletes the following Registry keys and the listed values under them:

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]

 [HKLM\System\CurrentControlSet\Services\WksPatch]

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 system.
 Video

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 system.
 msgsvr32
 winupd.exe
 direct.exe
 jijbl
 Video
 service
 DELETE ME
 Taskmon
 Explorer

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 OLE
 Sentry
 Taskmon
 Windows Services Host
 Explorer
 gouday.exe
 au.exe
 direct.exe
 d3dupdate.exe
 rate.exe
 sysmon.exe
 srate.exe
 ssate.exe
 winupd.exe

NetSky.P worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 9 keys listed above belong to earlier Bagle variants.

This worm variant contains another insulting message for the author of Bagle worm.



Detection

Detection of Netsky.P worm was published on March 21st, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-03-21_01



Technical Details: Alexey Podrezov, March 21st, 2004;

Description Updated: Alexey Podrezov, March 29th, 2004;

F-Secure Corporation