Results 1 to 1 of 1

Thread: Netsky.Q Removal Tools

  1. #1
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941

    Netsky.Q Removal Tools

    Win32/NetSky.Q FREE CLEANER 22/03/2004

    The team over at Nod32 have released a cleaner for Netsky.Q.

    Get the Cleaner at the link below:

    http://www.nod32.uk.com/cleaner/NSQCLEAN.ZIP

    Win32/NetSky.Q Information below:

    W32/Netsky-Q
    Aliases
    I-Worm.NetSky.r, Win32/Netsky.R, W32.Netsky.Q@mm, WORM_NETSKY.Q
    Type
    Win32 worm
    Detection
    A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.

    Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

    Sophos has received several reports of this worm from the wild.
    Description
    W32/Netsky-Q is a mass-mailing worm which spreads by emailing itself to
    addresses harvested from files on local drives.

    The worm copies itself to the Windows folder as SysMonXP.exe, as well as
    dropping a DLL file to the Windows folder as firewalllogger.txt. The worm then
    sets the following registry entry so as to run itself on system startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP

    The worm tries to delete the following registry entries:

    HKR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKR\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKR\System\CurrentControlSet\Services\WksPatch4

    The worm also attempts to delete a number of other registry entries but due to
    a bug in the code it will never succeed. Some of the deleted registry entries
    relate to the W32/Bagle family of worms.

    If run from a file other than SysMonXP in the Windows folder the worm will
    attempt open the file TEMP.EML in notepad in addition to its normal execution.

    W32/Netsky-Q harvests email addresses from files with the following extensions:

    EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS,
    RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, PL, HTM,
    HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH,
    ODS, STM, XLS, PPT

    W32/Netsky-Q will not harvest addresses containing the following strings:

    @microsof
    @antivi
    @symantex
    @spam
    @avp
    @f-secur
    @bitdefender
    @norman
    @mcaffee
    @kaspersky
    @f-pro
    @norton
    @fbi
    abuse@
    @messagel
    @skynet
    @pandasof
    @freeav
    @sophos
    ntivir
    @viruslis
    noreply@
    spam@
    reports@

    W32/Netsky-Q will attempt to mass-mail itself to the harvested addresses on
    31st March, 5th April, 12th April, 19th April and 26th April 2004. The worm
    tries to send itself in two seperate emails to each of the addresses, one in
    plain text and the other in MIME. The subject lines, message texts and
    attachment filenames are randomly chosen from the following possibilities:

    Subject lines, followed by the harvested name in parantheses:

    Delivery Error
    Delivery Failure
    Delivery
    Mail Delivery failure
    Mail Delivery System
    Mail System
    Delivery
    Delivery Message
    Error
    Status
    Failure
    Failed
    Unknown Exception
    Delivery Failed
    Deliver Mail
    Server Error
    Delivery Bot

    Message text part 1, followed by "------------- failed message ----------"
    (this section can be repeated multiple times):

    Mail Delivery - This mail couldn't be displayed
    Mail Delivery Failure - This mail couldn't be represented
    Mail Delivery Error - This mail contains unicode characters
    Mail Transaction Failed - This mail couldn't be converted
    Mail Delivery System - This mail contains binary characters
    Mail Delivery Failure - This mail couldn't be shown
    Delivery Failure - Invalid mail specification
    Delivery Agent - Translation failed

    Message text part 2:

    The message has been sent as a binary attachment
    Partial message is available and has been sent as a binary attachment
    Received message has been attached
    Message has been sent as a binary attachment
    Translated message has been attached
    Received message has been sent as an encoded attachment
    Modified message has been sent as a binary attachment
    Note: Received message has been sent as a binary file

    Attached filename, followed by a random number and either .PIF or .ZIP
    (W32/Netsky-Q can send itself zipped or unzipped):

    message
    msg
    mail
    data

    If sent as a zipped file, the worm will have one of the following filenames
    inside the zip, followed by a large number of spaces and then a .SCR extension:

    message.eml
    msg.eml
    mail.eml
    data.eml

    In the MIME email W32/Netsky-Q can attempt to use an IFRAME exploit in order to
    execute the attachment even if the receiver chooses not to execute it.

    W32/Netsky-Q drops itself to the following files in the Windows folder with
    in a Base64 encoded form, ready to mass-mail itself:

    base64.tmp
    zippedbase64.tmp
    zipo0.txt
    zipo1.txt
    zipo2.txt
    zipo3.txt

    W32/Netsky-Q will attempt to launch a Denial Of Service attack on the following
    websites between the 8th and 11th March 2004:

    www.cracks.st
    www.cracks.am
    www.emule-project.net
    www.kazaa.com
    www.edonkey2000.com

    All day on the 30th March 2004 W32/Netsky-Q will cause infected machines to
    emit intermit beeps of random pitch and duration.

    W32/Netsky-Q contains the following encrypted message:

    "We are the only SkyNet, we don't have any criminal inspirations. Due to many
    reports, we do not have any backdoors included for spam relaying. and we aren't
    children. Due to this, many reports are wrong. We don't use any virus creation
    toolkits, only the higher language Microsoft Visual C++ 6.0. We want to prevent
    hacking, sharing with illegal stuff and similar illegal content. Hey, big firms
    only want to make a lot of money. That is what we don't prefer. We want to
    solve and avoid it. Note: Users do not need a new av-upgrade, they need a
    better education! We will envelope... - Best regeards, the SkyNet Antivirus
    Team, Russia 05:11 P.M"

    View the NOD32 website:
    http://www.nod32.uk.com/home.htm
    Last edited by Big Booger; March 30th, 2004 at 08:50 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •