Threat Encyclopedia

Win32/NetSky.N

Netsky.N is a typical mass-mailing eMail worm. The binary is 33792 bytes and is runtime-compressed and protected with tElock version 0.98, a file protector with polymorphic layers.
The worm is written in Microsoft Visual C version 6 (SP5 with the CPU patch installed); the compiled binary shows typical plain-C coding behaviour.
The worm was 'improved' by a mid-skilled programmer, is full of bugs and was compiled without any code optimisation.

Note: In what follows, %windir% stands for the actual name of the Windows installation directory, which may differ from machine to machine. The System or System32 subdirectory of %windir% is referred to as %system%.

Installation and Autostart Techniques

Upon execution the worm copies itself into the Windows folder as "VisualGuard.exe".
The worm creates a mutex named "NetDy_Mutex_Psycho" to avoid running more than one instance on the same machine.
The worm adds the following registry value so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"NetDy" = "%WINDOWS%\VisualGuard.exe"
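The autostart value above is the simplest host indicator for this worm. The following Python script is an added example (not code from the original page or from ESET) that parses a constructed "reg export" of the Run key and flags the "NetDy" value or any data pointing at VisualGuard.exe; the sample export text, the filler "Ctfmon" entry and the `C:\WINDOWS` path are constructed assumptions, and only string values are parsed.

```python
import re

# Constructed sample of a "reg export" of the Run key (not a real capture).
# The "NetDy" value and the VisualGuard.exe file name come from the description
# above; "Ctfmon" is a benign filler entry and the C:\WINDOWS path is assumed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NetDy"="C:\\WINDOWS\\VisualGuard.exe"
"""

# Indicators taken from the description of Netsky.N.
NETSKY_N_RUN_VALUE = "NetDy"
NETSKY_N_FILE = "visualguard.exe"

# Any hive's ...\CurrentVersion\Run key (compared case-insensitively).
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Matches one  "name"="data"  line; data may contain escaped backslashes.
VALUE_LINE_RE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE_RE.match(line)
            if m:
                name, data = m.groups()
                # .reg files double every backslash; undo that for comparison.
                keys[current][name] = data.replace("\\\\", "\\")
    return keys


def find_netsky_autostart(text):
    """Return (key, value_name, data) tuples that look like Netsky.N's autostart entry."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if name == NETSKY_N_RUN_VALUE or data.lower().endswith(NETSKY_N_FILE):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_netsky_autostart(SAMPLE_REG_EXPORT):
        print(f"suspicious autostart: {key}\\{name} = {data}")
```

Matching on the value name alone would miss a renamed entry, so the check also looks at the data; matching on the file name alone would miss a renamed binary, which is why the value name is checked too.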

If the worm finds one of the following values

Windows Services Host
system
service
Taskmon
Explorer
msgsvr32
DELETE ME
Sentry

at HKLM\Software\Microsoft\Windows\CurrentVersion\Run, or the value "system" at HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, it removes that startup value.
It also removes the following startup values at HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

OLE, Taskmon, d3dupdate.exe, au.exe, Windows Services Host, sysmon.exe, rate.exe, srate.exe

Netsky.N also removes the autostart values of other worms, trojans and viruses:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF - this is the Windows Parite file infector virus
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 - Backdoor component of MyDoom worms
HKLM\System\CurrentControlSet\Services\WksPatch - Nachi worm

Netsky.N creates several different self-copies in the %Windows% folder:

base64.tmp - represents the worm mime encoded as a binary executable, 46308 bytes
zip1.tmp - represents the worm mime encoded in a zip archive, 46478 bytes
zip2.tmp - represents the worm mime encoded in a zip archive, 46490 bytes
zip3.tmp - represents the worm mime encoded in a zip archive, 46464 bytes
zip4.tmp - represents the worm mime encoded in a zip archive, 46646 bytes
zip5.tmp - represents the worm mime encoded in a zip archive, 46658 bytes
zip6.tmp - represents the worm mime encoded in a zip archive, 46670 bytes
zipped.tmp - represents the worm in a zip archive, 34054 bytes

eMail harvesting

The worm scans all fixed disks and collects email addresses out of files which match one of the following file extensions:

*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm, *.cgi, *.dhtm,*.adb, *.tbb, *.dbx, *.pl, *.htm, *.html, *.jsp, *.wsh, *.xml

However, this extension list is largely ineffective because the worm has a bug in the string concatenation and comparison it performs on the WIN32_FIND_DATA results.
It is apparently too much to expect that a malware author can handle recursive findfirst/findnext loops without corrupting the stack used for the string compares, and without using the wrong string-compare functions.
As a result, the worm opens and scans a file for email addresses whenever its extension matches at least one character of an entry in the extension list, in the correct order.
In technical terms, the worm compares the file extension with a substring ('instring') function rather than an exact compare.

Example: The worm will search for email addresses in files where the file extension matches *.htm, *.ht, *.h for instance.
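To make the effect of the bug concrete, here is an added Python example (not the worm's code and not from the original page) that models the faulty compare as the description characterises it: the file's extension is searched as a substring of the extension list, so any extension that is a prefix of a listed one is accepted. The exact check it is compared against is an ordinary suffix match. The extension list is the one above; the file names are constructed.

```python
# Extension list from the description of Netsky.N.
HARVEST_EXTENSIONS = [
    ".eml", ".txt", ".php", ".asp", ".wab", ".doc", ".sht", ".oft", ".msg", ".vbs",
    ".rtf", ".uin", ".shtm", ".cgi", ".dhtm", ".adb", ".tbb", ".dbx", ".pl", ".htm",
    ".html", ".jsp", ".wsh", ".xml",
]

# The list as one string, which is what a substring search effectively runs against.
EXTENSION_LIST_STRING = " ".join(HARVEST_EXTENSIONS)


def file_extension(filename):
    """Return the final extension including the dot ('notes.h' -> '.h'); '' if none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def buggy_match(filename):
    """Model of the worm's check (assumption): the extension is looked up as a
    substring of the extension list, so '.h' matches because '.htm' is listed."""
    ext = file_extension(filename)
    return ext != "" and ext in EXTENSION_LIST_STRING


def correct_match(filename):
    """Exact check: the file name must end with one of the listed extensions."""
    return file_extension(filename) in HARVEST_EXTENSIONS


def false_positives(filenames):
    """Return the names the buggy compare accepts but the exact compare rejects."""
    return [f for f in filenames if buggy_match(f) and not correct_match(f)]


# Constructed file names; only .eml, .htm and .doc should be harvested.
SAMPLE_FILES = ["inbox.eml", "notes.h", "page.ht", "index.htm",
                "archive.zip", "main.c", "report.doc"]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(f"{name:12} buggy={buggy_match(name)!s:5} exact={correct_match(name)}")
    print("scanned only because of the bug:", false_positives(SAMPLE_FILES))
```

The practical consequence for a defender is that the worm reads far more files than its extension list suggests, so file-access monitoring on an infected host shows reads of C sources, headers and other files that a correctly written harvester would skip.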

DNS resolving

Netsky.N tries to contact the locally registered DNS servers using DNSAPI.DLL.

eMail Sender

The sender email addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other email addresses.

Note: The worm may also use "chris_sexana@aol.com" as the sender.

eMail subjects

Netsky.N constructs its eMail subjects as follows:

The worm always puts "Re:" or "Re: Re:" in front of the message subject. After this it may add "your" or "my" before it appends one of the following texts to the subject:

application
approved
approved
bill
corrected
data
details
document
document_all
excel document
file
hello
here
hi
important
important
improved
information
letter
message
patched
product
read it immediately
screensaver
text
thanks!
website
word document

Message Body

The eMail contains one of the following message texts:

Authentication required.
I have attached your document.
I have received your document. The corrected document is attached.
Please confirm the document.
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for details.
Requested file.
See the file.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.

followed by:

---------------------------------------------
{$attachment} : No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

eMail Attachments

The worm attaches one of the following file names with a self-copy:

application_$DEST
approved_$DEST
bill_$DEST
data_$DEST
details_$DEST
document_$DEST
document_all_$DEST
excel document_$DEST
file_$DEST
important_$DEST
information_$DEST
letter_$DEST
message_$DEST
product_$DEST
screensaver_$DEST
text_$DEST
website_$DEST
word document_$DEST

Note: $DEST is the local part of the "To" address, i.e. the text before "@".

The file extension of the attached file can be ".pif", ".scr", ".zip" or ".exe".
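The subject construction, the fixed message texts with the fake "Norton OnlineScan" footer, and the attachment naming scheme together make a message from this worm easy to recognise at a mail gateway. The Python script below is an added example (not from the original page or from ESET) that checks an RFC 822 message for those three traits; the word lists and the footer line are taken from the description above, while the sample message, its addresses and the placeholder attachment bytes are constructed.

```python
import os
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject words, attachment prefixes, extensions and footer from the description.
SUBJECT_WORDS = [
    "application", "approved", "bill", "corrected", "data", "details", "document",
    "document_all", "excel document", "file", "hello", "here", "hi", "important",
    "improved", "information", "letter", "message", "patched", "product",
    "read it immediately", "screensaver", "text", "thanks!", "website", "word document",
]
ATTACH_PREFIXES = [
    "application", "approved", "bill", "data", "details", "document", "document_all",
    "excel document", "file", "important", "information", "letter", "message",
    "product", "screensaver", "text", "website", "word document",
]
ATTACH_EXTS = (".pif", ".scr", ".zip", ".exe")
BODY_FOOTER = "Powered by the new Norton OnlineScan"

# "Re:" or "Re: Re:", optional "your"/"my", then exactly one of the subject words.
SUBJECT_RE = re.compile(
    r"^Re: (?:Re: )?(?:your |my )?(?:"
    + "|".join(re.escape(w) for w in SUBJECT_WORDS)
    + r")$"
)


def netsky_n_indicators(raw_message):
    """Return the Netsky.N traits found in a message: 'subject', 'footer', 'attachment'."""
    msg = message_from_string(raw_message)
    found = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        found.append("subject")
    # $DEST in the attachment name is the local part of the To address.
    to_local = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, ext = os.path.splitext(filename.lower())
            if ext in ATTACH_EXTS and any(stem == f"{p}_{to_local}" for p in ATTACH_PREFIXES):
                found.append("attachment")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if BODY_FOOTER in body:
                found.append("footer")
    return found


def build_sample():
    """Constructed message that mimics the described traits (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"      # made-up sender; the worm spoofs this field
    msg["To"] = "john@example.com"         # made-up recipient, so $DEST is "john"
    msg["Subject"] = "Re: your document"
    msg.set_content(
        "Your document is attached.\n\n" + "-" * 45 + "\n"
        "document_john.pif : No virus found\n"
        "Powered by the new Norton OnlineScan\n"
        "Get protected: www.symantec.com\n"
    )
    # Placeholder bytes stand in for the worm body; nothing executable is embedded.
    msg.add_attachment(b"placeholder attachment bytes", maintype="application",
                       subtype="octet-stream", filename="document_john.pif")
    return msg.as_string()


if __name__ == "__main__":
    print("indicators:", netsky_n_indicators(build_sample()))
```

The attachment check ties the file name to the recipient's own local part, which is what separates this worm's naming scheme from an ordinary "document.zip"; a gateway rule that fires on two or more of the three indicators gives a low false-positive rate while still catching a message whose body text was changed.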

Secret Message

The worm also contains a hidden message (stored after the file extension list but never displayed):

Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
We have rewritten *N*e*t*S*k*y.
Thats a good tactic to detroy the bagle and mydoom worms.
Our group will continue the war.
Malware writers'End'comes true.
Our Social Engineering is the best *lol* (You have no virus symantec says!).
----------------------------------------------------------------------------
We are greeting all russia people!
USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU, OSAMA BIN LADEN,
BURN IN THE DEVILS FIRE 2!!!
SHAME ON YOU MR. BUSH!!!
 
YOURS SINCERELY: H.
---> THIS IS A MESSAGE FROM: *S*k*y**n*e+t.cz-FANATICON

1992-2005 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission