Win32/NetSky.X
Netsky.X is a typical mass-mailing e-mail worm. The executable is 26112 bytes in size and is runtime-packed with tElock.
Note: in the following section the symbolic name %windir% stands for the Windows directory, whose actual path differs from one Windows version to another.
Installation and Autostart Techniques
Upon execution, the worm copies itself into %windir% as "FirewallSvr.exe".
Note: This filename is stored encrypted within the worm.
In the same folder it also creates the file "fuck_you_bagle.txt", 35784 bytes in size, which is a MIME-encoded copy of the worm. This file is attached to the e-mails the worm sends out.
The worm creates a mutex "____--->>>>U<<<<--____" to avoid running multiple instances of the worm on one machine.
The worm adds the following value to the registry so that it is started automatically with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"FirewallSvr" = "%windir%\FirewallSvr.exe"
Note: The registry strings are stored encrypted within the worm, using the same algorithm as the URL strings, the filename and the file-extension strings.
The worm contains several encrypted strings (stored form ---> decoded hostname):
ooo.nqcuk.uf ---> www.educa.ch
ooo.anqbmvw.cvh.nqc ---> www.medinfo.ufl.edu
ooo.mbebz.qn ---> www.nibis.de
If the system date is between 28 and 30 April 2004, the worm attempts a DoS attack against these three web servers.
Note: The attack is carried out by three threads that send data to port 80 of each target server.
The worm opens TCP port 82 and listens for incoming executable files, which it executes as soon as they have been received.
This lets the worm's operator update the worm or install additional malicious files on the compromised system.
The worm scans all hard drives and harvests e-mail addresses from files with any of the following extensions:
*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm,
*.cgi, *.dhtm, *.adb, *.tbb, *.dbx, *.pl, *.htm, *.html, *.jsp, *.wsh, *.xml, *.cfg,
*.mbx, *.mdx, *.mht, *.mmf, *.nch, *.ods, *.stm, *.xls, *.ppt
Note: The file extensions are also stored in encrypted form in the worm, using the same algorithm as the URL, registry and file-related strings.
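The three hostname pairs listed above are enough to recover the per-letter substitution that hides the worm's URL, registry, filename and extension strings. The Python below is an added example, not code from the page or from ESET: it infers a stored-letter to plain-letter table from the three pairs, checks that no pair contradicts another (that consistency is what justifies treating the scheme as a fixed monoalphabetic substitution; it is an inference from the page's pairs, not something the page states), and applies the table in both directions. Only the fifteen letters and the dot that occur in the pairs are known, so anything else decodes to '?', and encode() refuses to build a search pattern from a guess. Encoding a known plaintext such as the ".doc" extension gives the byte sequence to look for in the unpacked binary.

```python
"""Recover Netsky.X's string-substitution table from known pairs.

Added example, not code from the worm or the page. The three pairs below are
the hostname strings listed on the page; the table is inferred from them.
"""

# (as stored in the worm, decoded) pairs taken from the page.
KNOWN_PAIRS = [
    ("ooo.nqcuk.uf", "www.educa.ch"),
    ("ooo.anqbmvw.cvh.nqc", "www.medinfo.ufl.edu"),
    ("ooo.mbebz.qn", "www.nibis.de"),
]


def recover_table(pairs):
    """Build a stored-letter -> plain-letter map from known pairs.

    Raises ValueError if two pairs disagree about a letter, which would mean
    the scheme is not a fixed per-letter substitution.
    """
    table = {}
    for stored, plain in pairs:
        if len(stored) != len(plain):
            raise ValueError(f"length mismatch: {stored!r} / {plain!r}")
        for s, p in zip(stored, plain):
            if table.setdefault(s, p) != p:
                raise ValueError(f"{s!r} maps to both {table[s]!r} and {p!r}")
    return table


DECODE = recover_table(KNOWN_PAIRS)
# The recovered map is one-to-one on the observed letters, so it inverts cleanly.
ENCODE = {p: s for s, p in DECODE.items()}
assert len(ENCODE) == len(DECODE)


def decode(stored, table=DECODE):
    """Decode a string as stored in the worm; letters not yet known become '?'."""
    return "".join(table.get(ch, "?") for ch in stored)


def encode(plain, table=ENCODE):
    """Encode plaintext to the form it takes inside the worm body.

    Returns None if any character has no known stored letter, so that a
    search pattern is never built from a guessed mapping.
    """
    out = []
    for ch in plain:
        if ch not in table:
            return None
        out.append(table[ch])
    return "".join(out)


if __name__ == "__main__":
    for stored, expected in KNOWN_PAIRS:
        assert decode(stored) == expected
    print("known letters:", "".join(sorted(DECODE)))
    print("'.doc' as stored in the binary:", encode(".doc"))
```

Once the binary is unpacked (tElock must be removed first), grepping it for the output of encode() on the extensions listed above locates the string table, and decode() can then be run over neighbouring strings to recover the ones the page does not list.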
DNS Resolving
The worm first uses the system's default DNS server to look up the recipient's mail server. If that fails, it sends its DNS queries to the servers at the following IP addresses:
212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.2.129
193.193.144.12
212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8
Note: For an address of the form whatever@domain.de, the worm first tries to resolve the host domain.de itself before falling back to one of the static DNS servers listed above.
e-Mail Subjects, e-Mail Message Bodies and Attachments
If the top-level domain is the German domain (.de):
Subject: Re: dokument
Message: Bitte lesen Sie das Dokument.
Attachment: dokument.pif
If the top-level domain is the French domain (.fr):
Subject: Re: document
Message: Veuillez lire le document.
Attachment: document.pif
If the top-level domain is the Italian domain (.it):
Subject: Re: documento
Message: Legga prego il documento.
Attachment: documento.pif
If the top-level domain is the Portuguese domain (.pt):
Subject: Re: original
Message: Leia por favor o original.
Attachment: original.pif
If the top-level domain is the Norwegian domain (.no):
Subject: Re: dokumentet
Message: Behage lese dokumentet.
Attachment: dokumentet.pif
If the top-level domain is the Polish domain (.pl):
Subject: Re: udokumentowac
Message: Podobac sie przeczytac ten udokumentowac.
Attachment: udokumentowac.pif
If the top-level domain is the Finnish domain (.fi):
Subject: Re: dokumentoida
Message: Haluta kuulua dokumentoida.
Attachment: dokumentoida.pif
If the top-level domain is the Swedish domain (.se):
Subject: Re: dokumenten
Message: Behaga losa dokumenten.
Attachment: dokumenten.pif
If the top-level domain is the Turkish domain (.tc):
Subject: Re: belge
Message: mutlu etmek okumak belgili tanimlik belge.
Attachment: belge.pif
For all other domains the worm uses the following default English strings:
Subject: Re: document
Message: Please read the document.
Attachment: document.pif
Note: The worm uses its own SMTP engine and sends its messages with spoofed sender addresses.
It also sends copies to hukanmikloiuo@yahoo.com.
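Because the lure is chosen from the recipient's top-level domain, a mail gateway can compare an inbound message against the exact subject and attachment name the worm would have produced for that recipient. The Python below is an added example, not code from the page or from ESET: it carries the per-TLD table from the section above, parses a raw message with the standard library, and reports "netsky_x" when the subject and attachment name match the recipient's lure, "suspicious_pif" for any other .pif attachment, and "clean" otherwise. The From: header is deliberately ignored because the worm spoofs it. The messages produced by build_sample() are constructed test data, not captured worm e-mails, and the .tc entry is kept exactly as the page lists it.

```python
"""Gateway-side check for Netsky.X's localized lures.

Added example, not code from the page or from ESET. The lure table is the
one listed on the page; the sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# (subject, body, attachment) per recipient top-level domain, as listed on the page.
LURES = {
    "de": ("Re: dokument", "Bitte lesen Sie das Dokument.", "dokument.pif"),
    "fr": ("Re: document", "Veuillez lire le document.", "document.pif"),
    "it": ("Re: documento", "Legga prego il documento.", "documento.pif"),
    "pt": ("Re: original", "Leia por favor o original.", "original.pif"),
    "no": ("Re: dokumentet", "Behage lese dokumentet.", "dokumentet.pif"),
    "pl": ("Re: udokumentowac", "Podobac sie przeczytac ten udokumentowac.", "udokumentowac.pif"),
    "fi": ("Re: dokumentoida", "Haluta kuulua dokumentoida.", "dokumentoida.pif"),
    "se": ("Re: dokumenten", "Behaga losa dokumenten.", "dokumenten.pif"),
    "tc": ("Re: belge", "mutlu etmek okumak belgili tanimlik belge.", "belge.pif"),
}
DEFAULT_LURE = ("Re: document", "Please read the document.", "document.pif")


def lure_for(recipient):
    """Return the (subject, body, attachment) the worm would use for this recipient."""
    domain = recipient.rsplit("@", 1)[-1]
    tld = domain.rsplit(".", 1)[-1].lower()
    return LURES.get(tld, DEFAULT_LURE)


def classify(raw):
    """Classify a raw RFC 822 message as 'netsky_x', 'suspicious_pif' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    # From: is spoofed by the worm, so only the recipients feed the TLD check.
    recipients = [addr for _, addr in getaddresses([str(msg.get("To", ""))]) if addr]

    matched = []
    body_matched = False
    for rcpt in recipients:
        exp_subject, exp_body, exp_name = lure_for(rcpt)
        if subject == exp_subject and exp_name in names:
            matched.append(rcpt)
            body_matched = body_matched or body == exp_body
    has_pif = any(n.lower().endswith(".pif") for n in names)
    if matched:
        verdict = "netsky_x"
    elif has_pif:
        verdict = "suspicious_pif"
    else:
        verdict = "clean"
    return {"verdict": verdict, "matched_recipients": matched,
            "body_matched": body_matched, "attachments": names}


def build_sample(recipient, subject, body, filename):
    """Construct a test message (constructed data, not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.org"  # placeholder: the worm forges this header
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    de = LURES["de"]
    print(classify(build_sample("user@example.de", *de)))
    print(classify(build_sample("user@example.com", *de)))
```

The second sample in the usage section carries the German lure but is addressed to a .com recipient, so it does not match the worm's own selection rule and is reported only as a generic .pif attachment; on a real gateway that category should still be quarantined, since no legitimate mail carries .pif attachments.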
1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

