Win32/NetSky.B


Win32/NetSky.B is a worm that spreads as an e-mail attachment and via shared files on LAN networks or in P2P networks. It is compressed with the UPX utility. Compressed, its size is 22106 B; after decompression its size increases to 41984 B.

Note: In the following text the placeholder %windir% stands for the directory in which the Windows operating system is installed; this differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

NetSky.B creates a mutex named “AdmSkynetJklS003”, which it uses to ensure that only one copy of it runs on the infected computer. If the worm is run without any parameters it displays an error window with the message: “The file could not be opened!”. The worm copies itself into the %windir% directory under the name services.exe and adds the following entry to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key: service

The entry has the following value: %windir%\services.exe -serv

Because of the -serv parameter, the error message is not displayed when the worm runs again (after each restart of the computer).

The worm removes the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system

The worm searches all local disk drives, except CD-ROM drives, for directories whose names contain the strings share or sharing. Whenever the worm finds such a directory it copies itself into it under all of the following names:

winxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angels.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my pussy.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif

NetSky.B is able to spread via P2P networks using this mechanism. The worm harvests e-mail addresses for its spreading from files on the infected computer that have the following extensions:

.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg

When spreading via e-mail the worm uses one of the following strings as the Subject line:

hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown

The body of the message sent by the worm contains one of the following strings:

anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool

The file attached to the e-mail has two extensions. The first is one of .txt, .doc or .rtf, and the second is one of .exe, .scr, .com or .pif.
Some of the messages sent by the worm instead carry a ZIP file containing the actual worm.
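A defender-side check built from the indicators above (the Subject strings, the body strings, and the double-extension attachment rule), as an added example that is not part of the original description; the sample messages, addresses and attachment bytes are constructed, and the body list is a subset of the one given above:

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject strings copied from the description above.
SUBJECTS = {"hi", "hello", "read it immediately", "something for you",
            "warning", "information", "stolen", "fake", "unknown"}
# Subset of the message-body strings listed above (the full list is longer).
BODIES = {"anything ok?", "what does it mean?", "ok", "i'm waiting",
          "read the details.", "here is the document.", "i have your password!",
          "something about you!", "here it is", "information about you"}
# .txt/.doc/.rtf followed by an executable extension, the worm's naming pattern.
DOUBLE_EXT = re.compile(r"\.(txt|doc|rtf)\.(exe|scr|com|pif)$", re.IGNORECASE)

def suspicious_attachment(filename):
    """True if the name follows the double-extension pattern or is a ZIP (the other carrier)."""
    name = filename.lower()
    return bool(DOUBLE_EXT.search(name)) or name.endswith(".zip")

def score_message(raw):
    """Return the list of NetSky.B indicators matched by an RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip().lower() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and suspicious_attachment(name):
            hits.append("attachment:" + name)
    return hits

def build_sample(subject, body, attachment_name):
    """Build a constructed test message; the attachment payload is inert filler, not the worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

if __name__ == "__main__":
    print(score_message(build_sample("hello", "read the details.", "document.txt.exe")))
    print(score_message(build_sample("Q3 figures", "Please see attached.", "report.pdf")))
```

A single hit is weak evidence on its own; the combination of a listed Subject, a listed body and a double-extension attachment is what characterises this worm's mail.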

Detection of Win32/NetSky.B based on a sample has been included since version 1.627.



