Virus Characteristics
This virus spreads via email and mapped drives. It sends itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. McAfee product detection requires that the scanning of compressed executables option be enabled (a default option).
Netsky only infects systems running Microsoft Windows.
If you think that you may be infected with Netsky and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.
Mail propagation
The virus may be received in an email message as follows:
From: (forged address taken from infected system) or skynet@skynet.de
Subject: (one of the following)
- fake
- for
- hello
- hi
- immediately
- information
- it
- read
- something
- stolen
- unknown
- warning
- you
Body: (one of the following)
- about me
- anything ok?
- do you? that's funny
- from the chatter
- greetings
- here
- here is the document.
- here it is
- here, the cheats
- here, the introduction
- here, the serials
- i found this document about you
- I have your password!
- i hope it is not true!
- i wait for a reply!
- i'm waiting ok
- information about you
- is that from you?
- is that true?
- is that your account?
- is that your name?
- kill the writer of this document!
- my hero
- read it immediately!
- read the details.
- reply
- see you
- something about you!
- something is fool
- something is going wrong
- something is going wrong!
- stuff about you?
- take it easy
- that is bad
- thats wrong why?
- what does it mean?
- yes, really?
- you are a bad writer
- you are bad
- you earn money
- you feel the same
- you try to steal
- your name is wrong
Attachment: (one of the following names)
- aboutyou
- attachment
- bill
- concert
- creditcard
- details
- dinner
- disco
- doc
- document
- final
- found
- friend
- jokes
- location
- mail2
- mails
- me
- message
- misc
- msg
- nomoney
- note
- object
- part2
- party
- posting
- product
- ps
- ranking
- release
- shower
- story
- stuff
- swimmingpool
- talk
- textfile
- topseller
- website
May be followed by:
Followed by:
The attachment may have a double-extension, such as .rtf.pif, and may be contained in a .ZIP file.
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
- .adb
- .asp
- .dbx
- .doc
- .eml
- .htm
- .html
- .msg
- .oft
- .php
- .pl
- .rtf
- .sht
- .tbb
- .txt
- .uin
- .vbs
- .wab
The virus sends itself via SMTP, constructing messages with its own SMTP engine. It queries the DNS server for the target domain's MX record, connects directly to that domain's MTA and sends the message.
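As an added example (not part of the original McAfee description), the following Python mail-gateway check flags the indicator combination described above: a lure subject from the list, an attachment whose name is a listed base name with a double extension, or a ZIP carrying a listed name and such a member. It assumes the inner extension can be anything, since the page only names .rtf and .doc as examples; the sample message is constructed, not a real capture.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Lure subjects and attachment base names taken from the lists above.
SUBJECTS = {"fake", "for", "hello", "hi", "immediately", "information", "it", "read",
            "something", "stolen", "unknown", "warning", "you"}
NAMES = {"aboutyou", "attachment", "bill", "concert", "creditcard", "details", "dinner",
         "disco", "doc", "document", "final", "found", "friend", "jokes", "location",
         "mail2", "mails", "me", "message", "misc", "msg", "nomoney", "note", "object",
         "part2", "party", "posting", "product", "ps", "ranking", "release", "shower",
         "story", "stuff", "swimmingpool", "talk", "textfile", "topseller", "website"}
# <listed name>.<short inner extension>.<executable extension>.  Assumption: any inner
# extension counts, since the page only names .rtf/.doc as examples.
DOUBLE_EXT = re.compile(r"^([a-z0-9_-]+)\.[a-z0-9]{1,4}\.(pif|scr|exe|com)$", re.I)

def lure_name(filename):
    """Return the listed base name if filename matches the double-extension lure, else None."""
    m = DOUBLE_EXT.match(filename or "")
    base = m.group(1).lower() if m else None
    return base if base in NAMES else None

def netsky_indicators(raw):
    """Scan one RFC 5322 message (bytes) and return the indicator strings found."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if lure_name(fname):
            hits.append("attachment:" + fname)
        elif fname.lower().endswith(".zip") and fname[:-4].lower() in NAMES:
            try:  # look at member names only; nothing is extracted or run
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += ["zip-member:" + n for n in zf.namelist() if lure_name(n)]
            except zipfile.BadZipFile:
                hits.append("zip-unreadable:" + fname)
    return hits

def build_sample():
    """Constructed sample message shaped like the description above (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "skynet@skynet.de", "hello"
    msg.set_content("here is the document.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.rtf.pif", b"placeholder bytes, not the worm")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

A single hit is weak on its own (the subjects are common words); a gateway rule should require the attachment or ZIP-member indicator together with the subject.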
System changes
When executed, a fake error message may be displayed.
The worm copies itself into the %WinDir% (WINDOWS) folder using the filename SERVICES.EXE (note: a legitimate SERVICES.EXE exists in the WINDOWS SYSTEM directory). A registry run key is created to load the worm at system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
Network propagation/Peer to Peer propagation
The worm copies itself to directories named share or sharing on the local system and on mapped network drives. This results in propagation via KaZaa, Bearshare, Limewire and other P2P applications that use shared folder names containing the words share or sharing. The filenames are hardcoded in the worm and chosen at random:
- angels.pif
- cool screensaver.scr
- dictionary.doc.exe
- dolly_buster.jpg.pif
- doom2.doc.pif
- e.book.doc.exe
- e-book.archive.doc.exe
- eminem - lick my pussy.mp3.pif
- hardcore porn.jpg.exe
- how to hack.doc.exe
- matrix.scr
- max payne 2.crack.exe
- nero.7.exe
- office_crack.exe
- photoshop 9 crack.exe
- porno.scr
- programming basics.doc.exe
- rfc compilation.doc.exe
- serial.txt.exe
- sex sex sex sex.doc.exe
- strippoker.exe
- virii.scr
- win longhorn.doc.exe
- winxp_crack.exe
The worm also drops numerous ZIP files containing the worm (22,016 bytes). The file inside the archive frequently uses a double extension (such as .doc.pif, .rtf.com or .rtf.scr). The list of ZIP names is hardcoded in the virus body:
- aboutyou.zip
- attachment.zip
- bill.zip
- concert.zip
- creditcard.zip
- details.zip
- dinner.zip
- disco.zip
- final.zip
- found.zip
- friend.zip
- jokes.zip
- location.zip
- mail2.zip
- mails.zip
- me.zip
- message.zip
- misc.zip
- msg.zip
- nomoney.zip
- note.zip
- object.zip
- part2.zip
- party.zip
- posting.zip
- product.zip
- ps.zip
- ranking.zip
- release.zip
- shower.zip
- story.zip
- stuff.zip
- swimmingpool.zip
- talk.zip
- textfile.zip
- topseller.zip
- website.zip
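As an added example (not from the original description), the following Python scan walks a file tree and, in any directory whose name contains "share" (which also covers "sharing" and KaZaA's "My Shared Folder"), reports the listed lure filenames, ZIP files whose double-extension member is exactly 22,016 bytes, and any other double-extension file. It assumes the 22,016 bytes quoted above is the size of the worm file inside the archive; the directory tree it scans is constructed in a temporary folder.

```python
import os
import re
import tempfile
import zipfile
# Lure filenames the worm drops into share/sharing folders, from the list above.
SHARE_LURES = {
    "angels.pif", "cool screensaver.scr", "dictionary.doc.exe", "dolly_buster.jpg.pif",
    "doom2.doc.pif", "e.book.doc.exe", "e-book.archive.doc.exe",
    "eminem - lick my pussy.mp3.pif", "hardcore porn.jpg.exe", "how to hack.doc.exe",
    "matrix.scr", "max payne 2.crack.exe", "nero.7.exe", "office_crack.exe",
    "photoshop 9 crack.exe", "porno.scr", "programming basics.doc.exe",
    "rfc compilation.doc.exe", "serial.txt.exe", "sex sex sex sex.doc.exe",
    "strippoker.exe", "virii.scr", "win longhorn.doc.exe", "winxp_crack.exe"}
WORM_SIZE = 22016  # assumption: the 22,016 bytes quoted above is the worm file's size
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(pif|scr|exe|com)$", re.I)

def scan_share_dirs(root):
    """Walk root and report suspect files in directories whose name contains 'share'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "share" not in os.path.basename(dirpath).lower():  # covers 'sharing' too
            continue
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low in SHARE_LURES:
                findings.append(("listed-lure", path))
            elif low.endswith(".zip"):
                try:  # read member metadata only; nothing is extracted or run
                    with zipfile.ZipFile(path) as zf:
                        members = [i for i in zf.infolist()
                                   if DOUBLE_EXT.search(i.filename) and i.file_size == WORM_SIZE]
                except zipfile.BadZipFile:
                    members = []
                if members:
                    findings.append(("zip-with-worm-sized-lure", path))
            elif DOUBLE_EXT.search(low):
                findings.append(("double-extension", path))
    return sorted(findings)

def build_sample_tree():
    """Constructed directory tree in a temp dir, not a real infected share."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    share = os.path.join(root, "My Shared Folder")
    os.makedirs(share)
    open(os.path.join(share, "matrix.scr"), "wb").close()          # listed lure name
    with zipfile.ZipFile(os.path.join(share, "party.zip"), "w") as zf:
        zf.writestr("party.doc.pif", b"\0" * WORM_SIZE)            # placeholder of the stated size
    open(os.path.join(share, "holiday.jpg.exe"), "wb").close()     # unlisted double extension
    open(os.path.join(root, "notes.txt"), "wb").close()            # outside any share folder
    return root
```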
Mydoom virus removal
The virus removes the following registry values to deactivate Mydoom.a and Mydoom.b.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Taskmon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Explorer
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Taskmon
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Explorer
- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Other registry keys removed are as follows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KasperskyAv
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run system.