Threat Encyclopedia

Win32/NetSky.D

Win32/NetSky.D is an Internet worm that spreads as an e-mail attachment. The worm file is 17424 bytes in size.

The subject of the e-mail message is one of the following:

Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

The body of the message is picked at random from the following list:

Here is the file.
Please have a look at the attached file
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.

The name of the attachment may be one of the following:

all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif
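
The lure described above, as an added mail-gateway rule (not ESET's code): it scores a message against the fixed subject, body and attachment-name lists, the .pif attachment type and the 17424-byte size, and returns a verdict together with the indicators matched. The function names and the sample message are this example's own.

```python
# Added example, not ESET's code. Indicator lists transcribed from the description above.
SUBJECTS = set("""Re: Approved|Re: Details|Re: Document|Re: Excel file|Re: Hello|Re: Here|
Re: Here is the document|Re: Hi|Re: My details|Re: Re: Document|Re: Re: Message|
Re: Re: Re: Your document|Re: Re: Thanks!|Re: Thanks!|Re: Word file|Re: Your archive|
Re: Your bill|Re: Your details|Re: Your document|Re: Your letter|Re: Your music|
Re: Your picture|Re: Your product|Re: Your software|Re: Your text|Re: Your website""".replace("\n", "").split("|"))

BODIES = {"Here is the file.", "Please have a look at the attached file",
          "Please read the attached file.", "See the attached file for details.",
          "Your document is attached.", "Your file is attached."}

ATTACHMENTS = set("""all_document.pif|application.pif|document.pif|document_4351.pif|
document_excel.pif|document_full.pif|document_word.pif|message_details.pif|
message_part2.pif|mp3music.pif|my_details.pif|your_archive.pif|your_bill.pif|
your_details.pif|your_document.pif|your_file.pif|your_letter.pif|your_picture.pif|
your_product.pif|your_text.pif|your_website.pif|yours.pif""".replace("\n", "").split("|"))

WORM_SIZE = 17424  # byte length of the worm file, from the description


def netsky_d_indicators(subject, body, attachment_name=None, attachment_size=None):
    """Return the NetSky.D indicators a message matches (empty list = none)."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if body.strip() in BODIES:
        hits.append("body")
    name = (attachment_name or "").lower()
    if name in ATTACHMENTS:
        hits.append("attachment-name")
    elif name.endswith(".pif"):
        hits.append("pif-attachment")  # weaker signal: any .pif executable lure
    if attachment_size == WORM_SIZE:
        hits.append("attachment-size")
    return hits


def is_netsky_d(subject, body, attachment_name=None, attachment_size=None):
    """Verdict: a known attachment name alone is enough; any other .pif lure
    needs a second indicator, so an ordinary 'Re: Hello' reply is not flagged."""
    hits = netsky_d_indicators(subject, body, attachment_name, attachment_size)
    return "attachment-name" in hits or ("pif-attachment" in hits and len(hits) >= 2)


if __name__ == "__main__":
    # Constructed sample message shaped like the lure described above.
    sample = ("Re: Your document", "Your document is attached.", "your_document.pif", 17424)
    print(netsky_d_indicators(*sample), is_netsky_d(*sample))
```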

When executed, the worm copies itself to %windir%\winlogon.exe. It then adds the following entry to the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%windir%\winlogon.exe -stealth"

It creates and checks a mutex named "[SkyNet.cz]SystemsMutex" to ensure that only one copy of the worm is running at a time.

The worm removes the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

To collect e-mail addresses to send itself to, the worm searches all local drives (except CD-ROM drives) for files with the following extensions:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab

and extracts the addresses from them. It will not send itself to addresses that contain any of the following strings:

abuse
antivi
aspersky
avp
cafee
f-pro
f-secur
fbi
icrosoft
itdefender
messagelabs
orman
orton
skynet
spam
ymantec

On March 2nd, 2004, between 6 a.m. and 9 a.m., Win32/NetSky.D starts beeping.

It contains the following text:

"be aware! Skynet.cz - -->AntiHacker Crew<--"

Win32/NetSky.D is one of a long series of worms that NOD32 detects with its "Advanced Heuristics", which means that all NOD32 users were protected against this worm from the moment it appeared in the wild. Sample-based detection of Win32/NetSky.D has been included since version 1.642.