W32/Netsky-Q

Discussion in 'malware problems & news' started by Marianna, Mar 29, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Aliases
    I-Worm.NetSky.r, Win32/Netsky.R, W32.Netsky.Q@mm, WORM_NETSKY.Q

    Type
    Win32 worm

    Description
    W32/Netsky-Q is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on local drives.
    The worm copies itself to the Windows folder as SysMonXP.exe, as well as dropping a DLL file to the Windows folder as firewalllogger.txt. The worm then sets the following registry entry so as to run itself on system startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP

    If run from a file other than SysMonXP in the Windows folder the worm will attempt to open the file TEMP.EML in Notepad in addition to its normal execution.

    W32/Netsky-Q harvests email addresses from files with the following extensions:

    EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, PL, HTM, HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH, ODS, STM, XLS, PPT.

    On the 30th March 2004 W32/Netsky-Q will cause infected machines to emit intermittent beeps of random pitch and duration.

    http://www.sophos.com/virusinfo/analyses/w32netskyq.html
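The persistence and dropped-file indicators in the description above (the `SysMonXP` Run value, `SysMonXP.exe` and `firewalllogger.txt` in the Windows folder) are the sort of thing an administrator would check hosts for. The script below is an added example, not code from the thread or from Sophos: it matches a Run-key listing and a Windows-folder listing against those indicators. The `collect_live` helper, its use of `winreg` and the `SystemRoot` fallback are assumptions about a standard Windows layout; the sample host data is constructed for illustration and does not come from a real machine.

```python
"""Host-side indicator check for the W32/Netsky-Q artifacts named in the post."""
import os
import sys

# Indicators as stated in the quoted Sophos description.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SysMonXP"
DROPPED_FILES = ("sysmonxp.exe", "firewalllogger.txt")


def match_indicators(run_values, windows_dir_files):
    """Compare collected data with the indicators.

    run_values: dict of value name -> command string from the HKLM Run key.
    windows_dir_files: iterable of file names found in the Windows folder.
    Returns a list of human-readable findings (empty means nothing matched).
    """
    findings = []
    for name, command in run_values.items():
        # Match on the value name, and also on a command that launches the
        # dropped EXE, so a renamed value pointing at SysMonXP.exe is still caught.
        if name.lower() == RUN_VALUE_NAME.lower() or "sysmonxp.exe" in command.lower():
            findings.append(f"Run value {name!r} -> {command!r}")
    present = {f.lower() for f in windows_dir_files}
    for dropped in DROPPED_FILES:
        if dropped in present:
            findings.append(f"dropped file present: {dropped}")
    return findings


def collect_live():
    """Read the real Run key and Windows folder (Windows only; assumed layout)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            run_values[name] = str(data)
            index += 1
    # Assumption: SystemRoot points at the Windows folder the worm writes to.
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return run_values, os.listdir(windir)


# Constructed sample data (not from a real machine): one clean host and one
# showing the artifacts the post describes.
CLEAN_HOST = (
    {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    ["explorer.exe", "notepad.exe", "win.ini"],
)
INFECTED_HOST = (
    {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
     "SysMonXP": r"C:\WINDOWS\SysMonXP.exe"},
    ["explorer.exe", "SysMonXP.exe", "firewalllogger.txt", "TEMP.EML"],
)

if __name__ == "__main__":
    data = collect_live() if sys.platform == "win32" else INFECTED_HOST
    for line in match_indicators(*data) or ["no Netsky-Q indicators found"]:
        print(line)
```

Matching is case-insensitive because Windows file names and registry value names are; the command-line check catches a Run value that was renamed but still points at the dropped executable. A hit only says the artifacts are present, so confirm with an up-to-date scanner before cleaning.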
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_NETSKY.Q is a new, destructive variant of the NETSKY worm that is currently spreading in the wild. It propagates via email, using its own Simple Mail Transfer Protocol (SMTP) engine. This worm exploits a known vulnerability within Internet Explorer that allows email attachments to be automatically executed while email is being read or previewed. This memory-resident worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution it drops six files in the Windows folder, and also creates a registry entry that allows it to automatically execute at every Windows startup.

    This worm propagates via email using its own SMTP engine, and sends email with several possible variations in Subject, Message Body, and Attachment name. The attachment has a .PIF, .SCR, or .ZIP extension name.

    This worm gathers target email addresses from files with the following extensions, which it looks for in drives C to Z (except the CD-ROM drive):

    ADB ASP CFG CGI DBX DHTM DOC EML HTM HTML JSP MMF MSG OFT PHP PL PPT RTF SHT SHTM TBB TXT UIN VBS WAB WSH XLS XML

    It avoids sending email messages to addresses which contain the following strings:

    @antivi @avp @bitdefender @fbi @f-pro @freeav @f-secur @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis abuse@ noreply@ ntivir reports@ spam@

    This worm’s payload generates a beeping tone when the computer system’s time reads 5:11 a.m. on March 30, 2004. It also launches a Denial of Service (DoS) attack on five specific Web sites, between the dates of April 8–11, 2004.

    To read more about the Microsoft Internet Explorer vulnerability, please visit http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

    If you would like to scan your computer for WORM_NETSKY.Q or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_NETSKY.Q is detected and cleaned by Trend Micro pattern file #846 and above.
     