WORM_NETSKY.C

Discussion in 'malware problems & news' started by Randy_Bell, Feb 28, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    WORM_NETSKY.C is a new variant of the NETSKY worm. It is a memory-resident worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine, and via shared folders by dropping copies of itself in various folders with the string "shar" in their names located under the Windows directory. If the current computer system date is February 26, 2004 and the time is between 6am and 9am, the worm's payload causes the computer to generate beeping sounds. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this malware creates a mutex that checks for its existence on the system. It then creates several threads that are responsible for mass-mailing, finding email addresses, and executing its payload. This malware also drops a copy of itself in the Windows folder using the file name WINLOGON.EXE.

    The malware creates a registry entry that allows it to automatically execute at every system startup. It also deletes 6 registry entries that are added by variants of WORM_MYDOOM.

    This worm uses its own SMTP engine to propagate. It sends email using a spoofed "From:" address, any of several specific "Subject:" lines, any of several specific "Message Body:" contents, and any of several specific "Attachment:" names. The attachment, which occasionally arrives zipped, may have the extension name .pif, .com, .scr, or .exe. It may also have double extension names where the first extension name of the attached file is .txt, .rtf, .doc, or .htm. In random instances it generates email attachments with blank spaces in order to hide the second extension of the attachment.

    It gathers target email addresses by searching all fixed drives (non-CDROM) for files with the following extensions:
    • DHTM
    • CGI
    • SHTM
    • MSG
    • OFT
    • SHT
    • DBX
    • TBB
    • ADB
    • DOC
    • WAB
    • ASP
    • UIN
    • RTF
    • VBS
    • HTML
    • HTM
    • PL
    • PHP
    • TXT
    • EML
    As it scans each of the above-mentioned files, the worm skips email addresses that contain the following text strings, in order to evade detection of security software associated with these strings:
    • "abuse"
    • "antivi"
    • "aspersky"
    • "avp"
    • "cafee"
    • "fbi"
    • "f-pro"
    • "f-secur"
    • "icrosoft"
    • "itdefender"
    • "orman"
    • "orton"
    • "spam"
    • "ymantec"
    The malware searches for mail exchangers that match its preferences on each of the DNS servers, and uses them as SMTP servers.

    If you would like to scan your computer for WORM_NETSKY.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_NETSKY.C is detected and cleaned by Trend Micro pattern file #781 and above.
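As an added example (not part of the advisory or the post above), here is a mail-gateway style check in Python for the attachment naming tricks the advisory describes: executable extensions (.pif, .com, .scr, .exe), a decoy first extension (.txt, .rtf, .doc, .htm), runs of blank spaces hiding the real extension, and an optional .zip wrapper. The sample attachment names are constructed for the demonstration.

```python
import re

# Extensions the advisory lists for the worm's attachments.
EXECUTABLE_EXTS = {"pif", "com", "scr", "exe"}
# Decoy first extensions used in the double-extension names.
DECOY_EXTS = {"txt", "rtf", "doc", "htm"}

# Constructed sample attachment names (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",                  # benign document
    "document.txt                    .exe",  # space-padded double extension
    "details.doc.pif.zip",                   # zipped double extension
    "message.scr",                           # bare executable
    "photo.jpg.zip",                         # zipped, but not executable
]


def classify_attachment(name: str) -> dict:
    """Describe why an attachment name matches (or not) the NETSKY.C pattern.

    Returns a dict with the detected final/decoy extensions, a list of
    reasons, and a 'suspicious' flag that is set only when the real
    extension is one of the executable types.
    """
    reasons = []
    inner = name
    if inner.lower().endswith(".zip"):
        reasons.append("zipped")
        inner = inner[:-4]
    # Collapse blank-space padding: "readme.txt      .exe" -> "readme.txt.exe"
    collapsed = re.sub(r"\s+", "", inner)
    if collapsed != inner:
        reasons.append("space-padded")
    # Split off at most the last two extensions: [stem, decoy, final]
    parts = collapsed.lower().rsplit(".", 2)
    final_ext = parts[-1] if len(parts) > 1 else ""
    decoy_ext = parts[-2] if len(parts) > 2 else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable:{final_ext}")
        if decoy_ext in DECOY_EXTS:
            reasons.append(f"double-extension:{decoy_ext}")
    suspicious = any(r.startswith("executable:") for r in reasons)
    return {"name": name, "final_ext": final_ext, "decoy_ext": decoy_ext,
            "reasons": reasons, "suspicious": suspicious}


def flag_attachments(names):
    """Return the attachment names that match the worm's naming pattern."""
    return [n for n in names if classify_attachment(n)["suspicious"]]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(classify_attachment(n))
```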
     
Thread Status:
Not open for further replies.