FANDOM


Netsky is a worm on the Microsoft Windows operating system notable for the fact that it has many variants and spreads very easily. It is also notable for its P variant staying at number 1 of many lists of prevalent viruses and worms for two years, with Netsky.D following close behind. Some of its variants deleted other worms, making it a helper. The virus was made by the creator of the Sasser worm.

Behavior

Netsky can arrive in an email with six possible spoofed sender lines:

  • eBay Auctions <responder@ebay.com>
  • Yahoo Auctions <auctions@yahoo.com>
  • Amazon automail <responder@amazon.com>
  • MSN Auctions <auctions@msn.com>
  • QXL Auctions <responder@qxl.com>
  • eBay Auctions <responder@ebay.com>

The subject line reads, "Auction successful!". The message says:

  #----------------- message was sent by automail agent ------------------#
  
  
  Congratulations!


  You were successful in the auction.

  Auction ID       :<3 sets of 4 random numbers>-A
  Product ID       :<3 sets of 4 random numbers>-P

  A detailed description about the product and the bill
  are attached to this mail.
  Please contact the seller immediately.

  Thank you!

The attachment could be one of the following:

  • prod_info_04155.bat
  • prod_info_04650.bat
  • prod_info_33462.cmd
  • prod_info_33967.cmd
  • prod_info_42313.pif
  • prod_info_42314.pif
  • prod_info_42818.pif
  • prod_info_49146.exe
  • prod_info_49541.exe
  • prod_info_54234.scr
  • prod_info_54235.scr
  • prod_info_54739.scr
  • prod_info_33325.txt.exe.zip
  • prod_info_33543.rtf.scr.zip
  • prod_info_34157.htm.exe.zip
  • prod_info_43631.doc.exe.zip
  • prod_info_43859.htm.scr.zip
  • prod_info_47532.doc.scr.zip
  • prod_info_54433.doc.exe.zip
  • prod_info_55761.rtf.exe.zip
  • prod_info_56474.txt.exe.zip
  • prod_info_56780.doc.exe.zip
  • prod_info_65642.rtf.scr.zip
  • prod_info_77256.txt.scr.zip
  • prod_info_87968.htm.scr.zip

When executed, the worm creates a mutex that keeps more than one copy of the worm from running named "AdmMoodownJKIS003". It copies itself to the Windows folder as Services.exe.

Netsky then adds the registry value "Service = (Windows folder)\services.exe -serv" to the Local Machine run key, which causes the worm to run when windows starts. It also deletes the values Taskmon and Explorer from that registry key, as well as the Current user version of that key (These values are set there by the Mydoom worm). It also deletes another Mydoom-created key. It also deletes KasperskyAV and System from the local machine run key.

It then copies itself to the Windows or WINNT folder as one of the filenames used for the attachment in a .zip file (from prod_info_55761.rtf.exe.zip to prod_info_54433.doc.exe.zip).

Netsky searches drives C through Z for folders with names containing "share" or "sharing" and copies itself as one of the following names:

  • doom2.doc.pif
  • sex sex sex sex.doc.exe
  • rfc compilation.doc.exe
  • dictionary.doc.exe
  • win longhorn.doc.exe
  • e.book.doc.exe
  • programming basics.doc.exe
  • how to hack.doc.exe
  • max payne 2.crack.exe
  • e-book.archive.doc.exe
  • virii.scr
  • nero.7.exe
  • eminem - lick my pussy.mp3.pif
  • cool screensaver.scr
  • serial.txt.exe
  • office_crack.exe
  • hardcore porn.jpg.exe
  • angels.pif
  • porno.scr
  • matrix.scr
  • photoshop 9 crack.exe
  • strippoker.exe
  • dolly_buster.jpg.pif
  • winxp_crack.exe

The worm searches for email addresses in files with the following extensions:

  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml

The worm has its own SMTP engine to mass-mail itself.

Variants

NetSky.B

NetSky.B (also known as Moodown.B) is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself to email addresses that it finds on the infected computer. The worm is activated when a user opens an email attachment that contains the worm.

NetSky.C

NetSky.C (also known as Moodown.C) is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself to email addresses that it finds on the infected computer. The worm is activated when a user opens an email attachment that contains the worm. It spreads itself in emails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks. There may be no readily apparent indications that a computer is infected with this worm.

NetSky.D

NetSky.D is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from certain files on the system. It lacks many text strings that were present in NetSky.C and it does not copy itself to shared folders.

NetSky.E

NetSky.E (also known as Moodown.E) is a mass-mailing worm that is very close to the .C variant of the worm. NetSky.E spreads itself in emails inside a ZIP archive or as an executable attachment.

NetSky.F

NetSky.F is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The Subject, Body, and Attachment vary.

NetSky.G

NetSky.G is a mass-mailing worm that spreads itself in emails as an executable attachment. This worm contains another insulting message for the authors of Bagle and Mydoom worms and a proposal to meet in person in some location in the USA. The location name is encrypted. Like its previous variants NetSky.G tries to uninstall Bagle worm variants from an infected computer.

NetSky.H

NetSky.H is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The Subject, Body, and Attachment vary. This worm contains another, but this time less insulting message for the authors of Bagle and Mydoom. And like its previous variants, NetSky.H tries to uninstall Bagle worm variants from an infected computer.

NetSky.I

NetSky.I is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. It sends messages with an attachment name that looks like a hyperlink to INDEX.SCR file.

NetSky.J

NetSky.J is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The worm's file is a PE executable file 27648 bytes long.

NetSky.K

NetSky.K is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension. This threat is compressed with tElock.

NetSky.L

NetSky.L is a mass-mailing worm that is a stripped-down version, just containing a minimum set of features and with no comments on the ongoing virus war.

NetSky.M

NetSky.M is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens an email attachment that contains the worm.

NetSky.N

NetSky.N is a mass-mailing worm that upon execution the worm copies itself to the Windows System Directory with the filename 'VisualGuard.exe' which is added to the registry as

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] =

"NetDy" = "%SysDir%\VisualGuard.exe"

The worm is similar to its predecessors in the family. The only major difference is that a fake note claiming the message to be virus-free is added to the infected messages. The worm removes several registry values that belong to other worms.

NetSky.O

NetSky.O is a mass-mailing worm that uses four different fake antivirus scanner messages mentioning four different major antivirus companies including F-Secure.

NetSky.P

NetSky.P is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system. The worm also tries to spread itself via various file-sharing methods by copying itself into directories using enticing filenames. Netsky.P variant has the ability to infect a computer from the preview pane, similar to Nimda and it deletes registry keys that Mydoom and its variants use to infect and deliver their payloads.

NetSky.Q

NetSky.Q is a mass-mailing worm that spreads in an email using different exploits and social engineering. NetSky.Q performs a DDoS against several websites and makes the infected computers beep randomly.

NetSky.R

NetSky.R is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from certain files on the system. It's a stripped-down version of NetSky.Q with around 80% of the functionality in common with the previous variant. NetSky.R performs a DDoS against several websites.

NetSky.S

NetSky.S is a mass-mailing worm that has a limited set of features comparing to previous ones. It does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 6789. The worm's file is a PE executable 18432 bytes long packed with PE-Patch and UPX file compressors. Some of the worm's text strings are encrypted.

NetSky.T

NetSky.T is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm sends itself to e-mail addresses that it finds on the infected computer. The worm is activated when a user opens the attachment that contains the worm. The worm also contains a backdoor and performs a denial of service (DoS) attacks against certain websites. This worm functions in exactly the same manner as Netsky.S.

NetSky.U

NetSky.U is a mass-mailing worm that contains backdoor functionality and may perform a Denial of Service (DoS) attack against predetermined Web sites. Some of the worm's text strings are scrambled.

NetSky.V

NetSky.V is a mass-mailing worm that sends itself to the email addresses that it gathers from the files on the computer. This variant does not send an attachment with its email messages, but instead sends a link to an infected computer, attempting to download and run the worm's executable. From the line of the email is spoofed, and the Subject line and message body vary. 

The worm is packed with UPXSh!t v0.07, UPXSh!t v0.06, and UPX 1.24.

NetSky.W

NetSky.W is a mass-mailing worm where the structure bears a striking resemblance to that of NetSky.P, so only some differences among them will be listed on this description. This variant does not spread through P2P networks, as NetSky.P does.

NetSky.X

NetSky.X is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from all NON-CDROM drives on the infected system.

NetSky.Y

NetSky.Y is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it gathers from all Non-CDROM drives on the infected system. It is similar in functionality to W32.Netsky.X@mm, differing only in the format of the mail it sends.

NetSky.Z

NetSky.Z is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from all NON-CDROM drives on the infected system.

Effects

Netsky was the most popular worm for over 2 years. The original and most if not all of its variants have a beneficial, rather than destructive payload. A British security consultant company, mi2g claimed that the worm caused between $25.6 billion and $31.3 billion in damage (this company has been widely criticized for its ridiculously high estimates and scare-mongering).

Other Facts

The fact that Netsky has been so successful at spreading is somewhat of a mystery to many anti-malware experts, because of its minimalist social engineering tactics.

Jaschan said that he was trying to develop a worm that would delete other worms, notably Mydoom and Beagle. As some variants of Netsky delete registry key values and other things that those worms use to perform their malicious activities, this is not an outrageous claim. Netsky started a "Worm War" between itself and Mydoom and Beagle. Netsky.J was to be the last version of Netsky, but other variants did follow.

Netsky and its variants were at the top of the virus/worm charts for two years. When it began spreading in Spring of 2004, it had tough competition from Beagle, with Mydoom close behind. It was finally beaten by Warezov, also known as Stratio, in October 2006.

References

Yana Liu. Symantec.com, W32.Netsky@mm

INQUIRER newsdesk. The Inquirer Net's top malware targets Vista. 2006.11.30

John Leyden. The Register, "Netsky Tops Virus Charts by a Country Mile". 2004.04.01

-. -, NetSky author signs off. 2003.03.10

-. -, "German Police Arrest Sasser Worm Suspect". 2004.05.10

David Berlind. ZDNet, Ballmer seeing last 12 months through rose-colored glasses?. 2004.10.04

Media

Email-Worm.Win32.Netsky

Email-Worm.Win32.Netsky.D

Community content is available under CC-BY-SA unless otherwise noted.