F-Secure Virus Descriptions : NetSky.F
[Summary] | [Disinfection] | [Detailed Description] | [Detection]
| NAME: | NetSky.F |
| ALIAS: | W32/NetSky.F@mm, I-Worm.NetSky.f, W32.Netsky.F@mm |
| SIZE: | 18432 |
NetSky.F worm variant was found on 3rd of March 2004. This
variant spreads itself in e-mails as an executable attachment.
The following text string is present in the worm's body:
Skynet AntiVirus - Bagle - you are a looser!!!!
This indicates an on-going competition/war among virus writers of
the currently widespread malware: Bagle and NetSky. This NetSky
worm variant tries to remove Bagle worm infection if it finds it
on an infected computer.
F-Secure provides the special disinfection utility to eliminate
Netsky.F worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager,
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
Descriptions of all previous NetSky variants can be found here:
W32/NetSky.A@mm:
http://www.f-secure.com/v-descs/moodown.shtml
W32/NetSky.B@mm:
http://www.f-secure.com/v-descs/netsky_b.shtml
W32/NetSky.C@mm:
http://www.f-secure.com/v-descs/netsky_c.shtml
W32/NetSky.D@mm:
http://www.f-secure.com/v-descs/netsky_d.shtml
W32/NetSky.E@mm:
http://www.f-secure.com/v-descs/netsky_e.shtml
The worm's file is a PE executable file 18432 bytes long, packed
with PE-Pack file compressor. The unpacked file's size is over 28
kilobytes.
On March 2nd, 2004 the worm constantly beeps with PC speaker from
6:00 to 8:59. Below is the link to the WAV file with the sound
that the worm makes:
http://www.f-secure.com/virus-info/v-pics/netsky_d.wav
NetSky.F worm doesn't copy its files to shared folders.
Installation to system
When run, the worm installs itself to system. It copies its file
to Windows folder as SVCHOST.EXE and creates a startup key for
this file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client Ex" = "%windir%\svchost.exe -antivirus service"
where %windir% represents Windows directory.
The worm creates a mutex named "LK[SkyNet.cz]SystemsMutex" to
avoid running more than one instance of itself.
Spreading in e-mails
NetSky.F worm has its own SMTP engine that it uses to send emails
with infected attachments to all found e-mail addresses. The worm
uses different subjects, message body texts and attachment names
in its e-mails.
The worm scans all available drives except CD-ROM drives for
e-mails. It searches for e-mail addresses in files with the
following extensions:
.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.php
.txt
.eml
The subject for infected messages is selected from the following
list:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document
The message body text for infected messages is selected from the
following list:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
The attachment name for infected messages is selected from the
following list:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
The worm avoids sending e-mails to e-mail addresses that contain
any of the following substrings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
Deleting Registry keys and disinfecting Bagle worm
The NetSky.F worm variant of the worm deletes the following
Registry keys:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
OLE
Windows Services Host
d3dupdate.exe
au.exe
sysmon.exe
rate.exe
gouday.exe
NetSky.F worm removes Registry keys of several Bagle worm
variants if it finds them on an infected computer. The last 5
keys listed above belong to earlier Bagle variants.
Detection of Netsky.F worm is available in the following FSAV
updates:
[FSAV_Database_Version]
Version=2004-03-03_03
Technical Details:
Ero Carrera and Alexey Podrezov, March 3rd, 2004;
Description Updated:
Alexey Podrezov, March 18th, 2004;
F-Secure Corporation
|
