W32/Netsky-Q
Aliases
I-Worm.NetSky.r, Win32/Netsky.R, W32.Netsky.Q@mm, WORM_NETSKY.Q
Type
Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description
W32/Netsky-Q is a mass-mailing worm which spreads by emailing itself to
addresses harvested from files on local drives.
The worm copies itself to the Windows folder as SysMonXP.exe, as well as
dropping a DLL file to the Windows folder as firewalllogger.txt. The worm then
sets the following registry entry so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP
The worm tries to delete the following registry entries:
HKR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKR\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKR\System\CurrentControlSet\Services\WksPatch4
The worm also attempts to delete a number of other registry entries but due to
a bug in the code it will never succeed. Some of the deleted registry entries
relate to the W32/Bagle family of worms.
If run from a file other than SysMonXP in the Windows folder the worm will
attempt open the file TEMP.EML in notepad in addition to its normal execution.
W32/Netsky-Q harvests email addresses from files with the following extensions:
EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS,
RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, PL, HTM,
HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH,
ODS, STM, XLS, PPT
W32/Netsky-Q will not harvest addresses containing the following strings:
@microsof
@antivi
@symantex
@spam
@avp
@f-secur
@bitdefender
@norman
@mcaffee
@kaspersky
@f-pro
@norton
@fbi
abuse@
@messagel
@skynet
@pandasof
@freeav
@sophos
ntivir
@viruslis
noreply@
spam@
reports@
W32/Netsky-Q will attempt to mass-mail itself to the harvested addresses on
31st March, 5th April, 12th April, 19th April and 26th April 2004. The worm
tries to send itself in two seperate emails to each of the addresses, one in
plain text and the other in MIME. The subject lines, message texts and
attachment filenames are randomly chosen from the following possibilities:
Subject lines, followed by the harvested name in parantheses:
Delivery Error
Delivery Failure
Delivery
Mail Delivery failure
Mail Delivery System
Mail System
Delivery
Delivery Message
Error
Status
Failure
Failed
Unknown Exception
Delivery Failed
Deliver Mail
Server Error
Delivery Bot
Message text part 1, followed by "------------- failed message ----------"
(this section can be repeated multiple times):
Mail Delivery - This mail couldn't be displayed
Mail Delivery Failure - This mail couldn't be represented
Mail Delivery Error - This mail contains unicode characters
Mail Transaction Failed - This mail couldn't be converted
Mail Delivery System - This mail contains binary characters
Mail Delivery Failure - This mail couldn't be shown
Delivery Failure - Invalid mail specification
Delivery Agent - Translation failed
Message text part 2:
The message has been sent as a binary attachment
Partial message is available and has been sent as a binary attachment
Received message has been attached
Message has been sent as a binary attachment
Translated message has been attached
Received message has been sent as an encoded attachment
Modified message has been sent as a binary attachment
Note: Received message has been sent as a binary file
Attached filename, followed by a random number and either .PIF or .ZIP
(W32/Netsky-Q can send itself zipped or unzipped):
message
msg
mail
data
If sent as a zipped file, the worm will have one of the following filenames
inside the zip, followed by a large number of spaces and then a .SCR extension:
message.eml
msg.eml
mail.eml
data.eml
In the MIME email W32/Netsky-Q can attempt to use an IFRAME exploit in order to
execute the attachment even if the receiver chooses not to execute it.
W32/Netsky-Q drops itself to the following files in the Windows folder with
in a Base64 encoded form, ready to mass-mail itself:
base64.tmp
zippedbase64.tmp
zipo0.txt
zipo1.txt
zipo2.txt
zipo3.txt
W32/Netsky-Q will attempt to launch a Denial Of Service attack on the following
websites between the 8th and 11th March 2004:
www.cracks.st
www.cracks.am
www.emule-project.net
www.kazaa.com
www.edonkey2000.com
All day on the 30th March 2004 W32/Netsky-Q will cause infected machines to
emit intermit beeps of random pitch and duration.
W32/Netsky-Q contains the following encrypted message:
"We are the only SkyNet, we don't have any criminal inspirations. Due to many
reports, we do not have any backdoors included for spam relaying. and we aren't
children. Due to this, many reports are wrong. We don't use any virus creation
toolkits, only the higher language Microsoft Visual C++ 6.0. We want to prevent
hacking, sharing with illegal stuff and similar illegal content. Hey, big firms
only want to make a lot of money. That is what we don't prefer. We want to
solve and avoid it. Note: Users do not need a new av-upgrade, they need a
better education! We will envelope... - Best regeards, the SkyNet Antivirus
Team, Russia 05:11 P.M"
Bookmarks