W32/Netsky.b@MM

Internet Worm Information
Discovery Date: 02/18/2004
Origin: Unknown
Length: 22,016
Type: Internet Worm
SubType: E-mail worm

This virus spreads via email and mapped drives. It sends itself to addresses found on the victim's machine and by copying itself to folders on drives C: - Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Netsky only infects systems running Microsoft Windows.

If you think that you may be infected with Netsky, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.


Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system) or skynet@skynet.de
Subject: (one of the following)

fake
for
hello
hi
immediately
information
it
read
something
stolen
unknown
warning
you
Body : (one of the following)

about me
anything ok?
do you? that's funny
from the chatter
greetings
here
here is the document.
here it is
here, the cheats
here, the introduction
here, the serials
i found this document about you
I have your password!
i hope it is not true!
i wait for a reply!
i'm waiting ok
information about you
is that from you?
is that true?
is that your account?
is that your name?
kill the writer of this document!
my hero
read it immediately!
read the details.
reply
see you
something about you!
something is fool
something is going wrong
something is going wrong!
stuff about you?
take it easy
that is bad
thats wrong why?
what does it mean?
yes, really?
you are a bad writer
you are bad
you earn money
you feel the same
you try to steal
your name is wrong
Attachment: (one of the following names)

aboutyou
attachment
bill
concert
creditcard
details
dinner
disco
doc
document
final
found
friend
jokes
location
mail2
mails
me
message
misc
msg
nomoney
note
object
part2
party
posting
product
ps
ranking
release
shower
story
stuff
swimmingpool
talk
textfile
topseller
website
May be followed by:

.doc
.htm
.rtf
.text
Followed by:

.com
.exe
.pif
.scr
The attachment may have a double-extension, such as .rtf.pif, and may be contained in a .ZIP file.

The mailing component harvests address from the local system. Files with the following extensions are targeted:

.adb
.asp
.dbx
.doc
.eml
.htm
.html
.msg
.oft
.php
.pl
.rtf
.sht
.tbb
.txt
.uin
.vbs
.wab
The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

System changes
When executed, a fake error message may be displayed.


The worm copies itself into %WinDir% (WINDOWS) folder using the filename SERVICES.EXE (note: A valid file exists in the WINDOWS SYSTEM directory). A registry run key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
Network propagation/Peer to Peer propagation
The worm copies itself to directories named share or sharing on the local system and on mapped network drives. This will result in propagation via KaZaa, Bearshare, Limewire, and other P2P application that use shared folder names containing the words share or sharing. The filenames are included in the worm and chosen randomly:

angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e.book.doc.exe
e-book.archive.doc.exe
eminem - lick my *****.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe
The worm also drops numerous ZIP files containing the worm (22,016 bytes). The compressed file frequently uses a double extension like .doc.pif, .rtf.com, .rtf.scr). The list of ZIP names is hardcoded in the virus body:

aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
final.zip
found.zip
friend.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
Mydoom virus removal
The virus removes the following registry values to deactivate Mydoom.a and Mydoom.b.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run Explorer
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Other registry keys removed are as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run system.

Symptoms
Existence of files and registry keys as mentioned above
Unexpected network traffic

Method Of Infection
This worm spreads by EMail and by copying itself to folders on the local harddrive as well as on mapped network drivers if available. It does not scan for open shares.

http://vil.nai.com/vil/content/v_101034.htm

 

DSLReports Thread on this Worm: W32.Netsky.B@mm

 

The Netsky.B worm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives. It searches the drives for folder names containing "share" or "sharing," and then copies itself to those folders. The virus also attempts to deactivate the MyDoom.A and MyDoom.B viruses.


The worm presents a problem for businesses and consumers, because it is capable of spreading through peer-to-peer software. It also represents an emerging and troubling trend toward blended threats, which use more than one spreading mechanism.


Cluster Bomb Attack


Netsky.B is a "cluster bomb" worm, explained Ken Dunham of security firm iDefense. "This virus can create as many as 300 copies of itself in a network once it is inside," he told NewsFactor.


Another distinguishing characteristic of Netsky, compared to other recent worms, is that it does not leave open the back door, said Jimmy Kuo a research fellow at McAfee AVERT, an arm of Network Associates (NYSE: NET - news). "The file-sharing mechanism is helping this virus spread rapidly."


As such, the virus is adding hundreds of files to each of the infected machines, and shows no signs of slowing down, Kuo told NewsFactor. He recommended that when users retrieve files they should scan them first, and/or make sure there are not multiple extensions in files received.


As of Thursday morning, Netsky.B was spreading in the wild, and Symantec (Nasdaq: SYMC - news) raised the threat level associated with it from three to four (five is the highest). "I don't think this has reached its peak yet," Dunham said.


Networks Are Vulnerable


"The sharing mechanism could have a dramatic impact on networks," said Dunham. Some 100,000 Netsky.B interceptions have been made worldwide, he noted, although the number of infected machines is lower.


Using spoofed "from" addresses, the worm employs an array of subject headings, such as "hi," "hello," "read it immediately," "something for you," or "warning," in an effort to get recipients to open the infected e-mail attachment.


The Netsky virus, also known as "Moodown," first emerged earlier this week, and initially spread rapidly in Europe. The B variant was first detected on Wednesday.


Turn Off Unused Services


As with previous worms, users should be wary of opening any e-mail attachments and are advised to upgrade their security software or get the appropriate software patches.


Also, Symantec advised that users and systems administrators should turn off and remove any unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet and a Web server. If they are removed, blended threats have fewer avenues of attack, and there are fewer services to maintain through patch updates.

Always include your source: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.html - Pieter

 

WORM_NETSKY.B is a memory-resident, mass-mailing worm that spreads via email and peer-to-peer file-sharing networks. It drops copies of itself in shared folders as an executable with two extension names, and is represented by a Microsoft Word icon. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution it drops a copy of itself as SERVICES.EXE in the Windows folder, and then creates a registry entry that allows it to automatically execute at every Windows startup.

To propagate, this worm sends copies of itself via Simple Mail Transfer Protocol (SMTP) to target email addresses that it gathers from files with the following extensions, found in drives C to Z:

ADB, ASP, DBX, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, TBB, TXT, UIN, VBS, WAB

It sends a message with the following:

From: <spoofed and selected from the harvested list of email addresses>
Subject: (any of the following)
fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning
Message Body: <any of 47 specific messages>
Attachment: <any of 40 specific attachment names>

The file attachment may have two extension names, with the first name being DOC, HTM, RTF or TXT, and the second extension name being COM, EXE, PIF, or SCR. The attachment may also arrive compressed in ZIP format.

To spread via file-sharing networks this worm drops numerous copies of itself in folders with the strings "sharing" or "shared" in their names.

If you would like to scan your computer for WORM_NETSKY.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_NETSKY.B is detected and cleaned by Trend Micro pattern file #769 and above.