Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/NetSky.C

Win32/NetSky.C is an Internet worm that spreads via e-mail messages, P2P networks and shared network drives.

The message carrying the worm is generated at random.
Its subject can be chosen from either of the two lists below; the body of the message is drawn only from the second list. Both the subject and the body can also be blank.

Note: In the following text the symbolic inscription %windir% is used instead of the name of the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory placed in %windir% is referred to as %system%.

Subject of the message sent by the worm can be one of the following:

Delivery Failed
Here is it
I'm back!
Question
Re: <5664ddff?$??ΕΎ2>
Re: Re: Re: Re:
Re: does it?
Re: does it?
Re: excuse me
Re: hello
Re: hey
Re: hi
Re: important
Re: information
Re: unknown
Status
Yep
believe me
dear
denied!
error
exception
excuse me
fake?
good morning
hello
hey
hi
illegal...
important
info
its me
last chance!
lol
moin
notice!
notification
oh
private?
question
re:
read it immediatelly
report
something for you
stolen
take it
trust me
warning
what's up?
you?

The body of the message contains some of the sentences below:

*lol*
;-)
<...>
<09580985869gj>
<<<Failure>>>
<?}
<Antispam complete>
<Attached Msg>
<Attachment Signature 34933920>
<Attachment from Poland>
<Automailer>
<Click the attachment to decrypt>
<Deliver Error>
<Failed message available>
<Mail failed>
<Message Error>
<Server Error>
<Transfer complete>
<Warning from the Government>
<bad gateway>
<null>
<scanned by norton antivirus>
Antispam is turned off. See file!
Authentification required. Read the att
File is bad.
File is damaged.
File is self-decryting.
I 've found your bill!
I don't know your document!
I have your password!
I wait for an answer!
Instant patches.
Login required! Read the attachment!
Microsoft
Transaction failed. Show the doc!
You are infected. Read the details!
Your bill.
Your provider will be disabled!
a crazy doc about you
abuse?
account?
already?
another pic, have fun! ... :->
are you a photographer?
are you a teacherin the picture?
are you cranky?
are you the naked one?
are you the naked person!
are you the one?
attachi#
be mad?
best?
bob the builder
child or adult?
child porn?
classroom test of you?
copyright?
correct it!
did you ask me for that?
did you know from this document?
did you know that?
did you see her already?
did you sent it to me?
do not give up!
do not open the attachment!
do not show this anyone!
do not use my document!
do not use this creditcard!
do not visit the pages on the list I se
do you have an orgasm in the picture?
do you have sex in the picture?
do you have the bug also?
do you have?
do you know the thief?
do you know this????
do you think so?
doc about me?
doc?
docs?
does it belong to you?
does it belong to you?
does it match?
does it matter?
drugs? ...
excellent!
explain!
fast food...
feel free to use it.
forgotten?
from the chatter (my photo!)
from your lover ;-)
gonna?
good work!
great job!
great xxx!
great!
greetings
help attached
her.
here is it.
here is my advice.
here is my photo!
here is the $%%454$
here is the <censored>
here is the document.
here is the next one!
here is yours!
here, the cheats
here, the introduction
here, the serials
how?
i am desperate
i am speachless about your document!
i don't think so.
i don't want your xxx pics!
i found that about you!
i found this document about you.
i have received this.
i hope thats not true!
i know your document!
i like your doc!
i lost that
i need you!
i saw you last week!
i wait for your comment about it.
i want more...
i've found it about you
illegal st. of you?
important?
in your mind?
incest?
information about you?
instruct me about this!
is that criminal?
is that possible?
is that the reality?
is that true?
is that your TAN?
is that your account?
is that your account?
is that your attachment?
is that your beast?
is that your car?
is that your car?
is that your cd?
is that your creditcard?
is that your domain?
is that your family?
is that your finger?
is that your message?
is that your name?
is that your photo?
is that your porn pic?
is that your privacy?
is that your slip?
is that your website?
is that your wife?
is that your work?
is that yours?
is the pic a fake?
is this information about you?
it's a secret!
it's so similar as yours!
its private from me
kill him on the picture!
kill the writer of this document!
let it!
lets talk about it!
love letter?
man or women?
meaning of that?
message?
misc. and so on. see you!
modifications?
money?
msg
my advice....
never!
new patch is available!
ok...
old photos about you?
only encrypted!
pages?
personal message!
picture?
poor quality!
possible?
pretty pic about you?
pwd?
read it immediately!
read the details.
really?
reply
schoolfriend?
see this!
see your name!
solve the problem!
something about you!
something is going ...
something is going wrong!
something is not ok
stuff about you?
such as yours?
take it easy!
tell me more about your document!
test it
that is interesting...
that's a funny text.
that's not the truth?
thats wrong!
the information is wrong!
the truth?
this file is bad!
this is an attachment message!
this is nothing for kids!
time to fear?
trial?
try this patch!
what do you think about it?
what means that?
what still?
what?
who?
why should I?
why?
wrong calculation! (see the attachment!
xxx ?
xxx about you?
xxx service
yes.
you are a bad writer
you are bad
you are naked in this document!
you are sexy in this doc!
you cannot hide yourself! (see photo)
you earn money, see the attachment!
you feel the same.
you have a sexy body in the pic!
you have done a mistake in the document
you have tried to steal!
you look like an ape!
you look like an rat?
you won the rk!
your TAN number?
your account is expired!
your are naked?
your attachment? verify it.
your body?
your design is not good!
your document is not good
your document is silly!
your eyes?
your face?
your hero in the picture?
your icq number?
your job? (I found that!)
your lie is going around the world!
your name is wrong!
your personal record?
your photo is poor
yours?

Name of the attachment is picked at random from the following list:

454543403
aboutyou
associal
attach2
attachment
auction
bill
birth
card
class_photos
concert
creditcard
death
description
details
dinner
disco
doc_ang
document
final
found
freaky
friend
image
incest
information
injection
intimate stuff
jokes
letter
location
mail2
mails
masturbation
material
message
misc
moonlight
more
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
number_phone
object
old_photos
part2
party
paypal
portmoney
poster
posting
privacy
product
ranking
regards
regid
release
response
schock
secrets
sexual
sexy
shower
story
stuff
swimmingpool
talk
tear
textfile
topseller
transfer
trash
undefinied
unfolds
update
violence
visa
warez
webcam
website
wife
word_doc
worker
your_stuff
yours

The attachment filename is usually built from one of the names above plus two extensions (for example, document.txt.exe; only the last extension is honoured by Windows, the first one only makes the file look like a document).
The first extension is one of the following:

.txt
.rtf
.doc
.htm

The second extension is picked from the list below:

.pif
.com
.scr
.exe

The attachment is either the worm executable itself or a ZIP archive containing it.
If it is an archive, its extension is ".zip".
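The subject list and the attachment naming scheme above are enough to write a mail-gateway check. The following is an added example, not code from the original page or from the vendor; it parses a message with Python's standard email module, flags the double-extension pattern (decoy document extension followed by an executable one), bare executables and ZIP attachments, and matches the subject against a subset of the list above. The sample messages are constructed inline with placeholder attachment bodies; the subset of subjects, the function names and the attachment body are assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extension pairs from the description above: the first extension makes the
# attachment look like a document, the second is the one Windows executes.
DOUBLE_EXT_RE = re.compile(r"\.(txt|rtf|doc|htm)\.(pif|com|scr|exe)$", re.IGNORECASE)
EXEC_EXTS = (".pif", ".com", ".scr", ".exe")

# A subset of the subject lines listed above (assumption: enough to show the
# matching; a production filter would load the full list).
KNOWN_SUBJECTS = {
    "delivery failed", "here is it", "i'm back!", "hi", "hello", "re: hello",
    "read it immediatelly", "last chance!", "something for you", "warning",
}


def attachment_reason(filename):
    """Return why an attachment name looks like the worm's, or None."""
    name = filename.lower()
    if DOUBLE_EXT_RE.search(name):
        return "document-looking name with an executable second extension"
    if name.endswith(EXEC_EXTS):
        return "bare executable attachment"
    if name.endswith(".zip"):
        return "zip archive (the worm also ships zipped; inspect the contents)"
    return None


def classify_message(raw):
    """Parse a raw RFC 822 message and return a list of indicator strings.
    An empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()   # the subject may be blank
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"subject matches worm list: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = attachment_reason(name)
        if reason:
            findings.append(f"attachment {name!r}: {reason}")
    return findings


def build_sample(subject, attachment_name):
    """Construct a demonstration message inline (not a captured sample);
    the attachment body is a placeholder, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content("see the attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    for subj, att in [("read it immediatelly", "document.txt.exe"),
                      ("hi", "yours.zip"),
                      ("Lunch tomorrow?", "agenda.pdf")]:
        print(subj, att, "->", classify_message(build_sample(subj, att)) or "clean")
```

The double-extension regex is the part that generalises: it catches any of the name stems listed above without enumerating them, because the worm always pairs a decoy extension with an executable one. Subject matching alone is weak, since the list contains ordinary words such as "hi" and "question", so it is reported only as a supporting indicator.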

The worm spreads by sending itself to e-mail addresses harvested from files with the following extensions:

.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml

Addresses containing any of the following substrings are skipped (the fragments are deliberately partial so that they match regardless of capitalisation, e.g. "orton" matches both "Norton" and "norton"):

abuse
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

If a directory whose name contains the string "shar" is found, the worm copies itself into it under the following filenames:

1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
MS Service Pack 5.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
WinXP eBook.doc.exe
Windows Sourcecode.doc.exe
XXX hardcore pic.jpg.exe
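The "shar" rule and the lure list above translate directly into a file-share sweep. The following is an added example, not code from the original page or from the vendor: it walks a directory tree, applies the worm's own selection rule (directory name contains "shar") and reports files that carry one of the lure names or a decoy/executable double extension of the kind seen in the list. The directory layout and the empty placeholder files are constructed inline for the demonstration; the subset of lure names, the function names and the "KaZaA/My Shared Folder" path are assumptions.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# A subset of the lure names listed above, lower-cased (assumption: a real
# sweep would load the full list). The pattern covers the decoy/executable
# extension pairs that appear in that list.
LURE_NAMES = {
    "serials.txt.exe", "how to hack.doc.exe", "norton antivirus 2004.exe",
    "smashing the stack.rtf.exe", "porno screensaver.scr", "opera.exe",
}
DOUBLE_EXT_RE = re.compile(r"\.(txt|rtf|doc|jpg|mp3)\.(pif|com|scr|exe)$", re.IGNORECASE)


def scan_shares(root):
    """Walk root and, inside every directory whose own name contains 'shar'
    (the worm's selection rule), report files matching a known lure name or
    the double-extension pattern. Returns sorted (relative path, reason)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            low = name.lower()
            if low in LURE_NAMES:
                reason = "exact NetSky.C lure name"
            elif DOUBLE_EXT_RE.search(low):
                reason = "double extension ending in an executable type"
            else:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            hits.append((rel.replace(os.sep, "/"), reason))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed directory layout for the demonstration; the files
    are empty placeholders, not the worm."""
    root = tempfile.mkdtemp(prefix="netsky-demo-")
    shared = Path(root, "KaZaA", "My Shared Folder")
    shared.mkdir(parents=True)
    for name in ("Serials.txt.exe", "Full album.mp3.pif", "holiday.jpg", "notes.txt"):
        (shared / name).write_bytes(b"")
    # A directory whose name lacks 'shar' is not a target, even with a lure in it.
    other = Path(root, "Downloads")
    other.mkdir()
    (other / "Opera.exe").write_bytes(b"")
    return root


def remove_demo_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for path, reason in scan_shares(demo):
            print(f"{path}: {reason}")
    finally:
        remove_demo_tree(demo)
```

Because the worm only writes into directories matching "shar", a lure sitting elsewhere (the Opera.exe under Downloads in the demo) is outside this rule and is left for a general executable sweep; the point of the example is to reproduce the worm's own targeting so the results can be compared with what it would actually have dropped.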

To ensure that only one instance of the worm is running, it creates a mutex named "[SkyNet.cz]SystemsMutex".

The worm copies itself into the %windir% folder under the name "winlogon.exe" (the legitimate winlogon.exe resides in the System32 subdirectory, not in %windir% itself). An entry called "ICQ Net" is created in the Registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Its value is "%windir%\winlogon.exe -stealth", so the worm is executed every time Windows starts.

The following entries are deleted from the Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
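The persistence entry and the list of deleted values above give a host-side triage rule. The following is an added example, not code from the original page or from the vendor: it parses a registry export in .reg format (only the [key] / "name"="string" subset is handled), flags the "ICQ Net" value pointing at winlogon.exe with "-stealth", flags any other Run entry that launches a winlogon.exe (the genuine one is started by the boot chain, never from a Run key), and reports Run-value names that the description lists as deleted by the worm, since their presence is worth a look on its own. The export text is constructed for the demonstration; the parser, the function names and the "ExampleUpdater" entry are assumptions.

```python
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
}
# Run-value names the description says the worm deletes (other malware's
# persistence entries); finding one is itself worth investigating.
DELETED_BY_WORM = {
    "Windows Services Host", "d3dupdate.exe", "au.exe", "OLE", "Service",
    "Sentry", "msgsvr32", "DELETE ME", "Taskmon", "Explorer", "KasperskyAv",
    "system.",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: \" -> " and \\ -> \\ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed
    by "name"="string" lines. Returns {key: {name: data}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def triage_run_entries(reg):
    """Return (key, value name, reason) for suspicious Run entries."""
    findings = []
    for key, values in reg.items():
        if key.upper() not in RUN_KEYS:
            continue
        for name, data in values.items():
            cmd = data.lower()
            if name == "ICQ Net" and "winlogon.exe" in cmd and "-stealth" in cmd:
                findings.append((key, name, "NetSky.C persistence entry"))
            elif "winlogon.exe" in cmd:
                # The genuine winlogon.exe is started by the boot chain from
                # System32, never from a Run key, so any Run entry naming it
                # is suspect even without the worm's exact value name.
                findings.append((key, name, "winlogon.exe launched from a Run key"))
            elif name in DELETED_BY_WORM:
                findings.append((key, name, "value name NetSky.C is known to delete"))
    return findings


# Constructed .reg export for the demonstration (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"ExampleUpdater"="C:\\Program Files\\Example\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\WINDOWS\\taskmon.exe"
'''

if __name__ == "__main__":
    for key, name, reason in triage_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

On a live host the named mutex "[SkyNet.cz]SystemsMutex" and a winlogon.exe sitting directly in %windir% rather than in System32 are the quickest confirmations to pair with this registry check; the "-stealth" argument is what separates the worm's entry from a process name that otherwise looks legitimate.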

The worm carries a simple payload: on February 26th 2004, between 6:00 and 9:00 AM, it makes the computer beep.

The worm contains the following text:

<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->