Win32/Netsky.R is an internet worm spreading via e-mail messages. The file in the e-mail attachment is 28008 bytes in size.
Note: In the following text the symbolic name %windir% is used instead of the name of the directory in which the Windows operating system is installed; this directory differs from installation to installation. The System or System32 subdirectory in %windir% is referred to as %system%.
The subject of the message sent by the worm is one of the following:
Delivery Bot
Server Error
Deliver Mail
Delivery Failed
Unknown Exception
Failed
Failure
Status
Error
Delivered Message
Mail System
Mail Delivery System
Mail Delivery failure
Delivery
Delivery Failure
Delivery Error
The body of the message contains some of the following sentences:
Note: Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery - This mail couldn't be displayed
The name of the attached file is one of the following:
data
mail
message
msg
The attachment is either an executable file or a ZIP archive. If it is an executable, its extension is ".pif"; a ZIP archive has the extension ".zip". The file contained in the archive has one of the following four names:
data.eml .scr
mail.eml .scr
msg.eml .scr
message.eml .scr
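The mail-side indicators above (subject, body sentence, attachment name, attachment size, and the double-extension name of the ZIP member) can be combined into a simple gateway classifier. The following is an added example, not code from the original description or from ESET; the Message structure, the indicator names and the rule that an attachment indicator must agree with a text indicator are this example's own assumptions. Sample messages are constructed, not real captures.

```python
import re
from dataclasses import dataclass, field

# Indicator sets copied from the description above.
SUBJECTS = {
    "Delivery Bot", "Server Error", "Deliver Mail", "Delivery Failed",
    "Unknown Exception", "Failed", "Failure", "Status", "Error",
    "Delivered Message", "Mail System", "Mail Delivery System",
    "Mail Delivery failure", "Delivery", "Delivery Failure", "Delivery Error",
}
BODY_LINES = {
    "Note: Received message has been sent as a binary file.",
    "Modified message has been sent as a binary attachment.",
    "Received message has been sent as an encoded attachment.",
    "Translated message has been attached.",
    "Message has been sent as a binary attachment.",
    "Received message has been attached.",
    "Partial message is available and has been sent as a binary attachment.",
    "The message has been sent as a binary attachment.",
    "Delivery Agent - Translation failed",
    "Delivery Failure - Invalid mail specification",
    "Mail Delivery Failure - This mail couldn't be shown.",
    "Mail Delivery System - This mail contains binary characters",
    "Mail Transaction Failed - This mail couldn't be converted",
    "Mail Delivery Error - This mail contains unicode characters",
    "Mail Delivery Failed - This mail couldn't be represented",
    "Mail Delivery - This mail couldn't be displayed",
}
# Attachment is <name>.pif or <name>.zip; inside the ZIP the member is
# <name>.eml, whitespace, then .scr (the double-extension trick shown above).
ATTACHMENT_RE = re.compile(r"^(data|mail|message|msg)\.(pif|zip)$", re.IGNORECASE)
ZIP_MEMBER_RE = re.compile(r"^(data|mail|message|msg)\.eml\s+\.scr$", re.IGNORECASE)
WORM_SIZE = 28008  # size of the .pif attachment, from the description


@dataclass
class Message:
    """Minimal parsed mail; the field layout is this example's own assumption."""
    subject: str
    body: str
    attachment_name: str = ""
    attachment_size: int = 0
    zip_members: list = field(default_factory=list)


def netsky_r_indicators(msg):
    """Return the names of the Netsky.R indicators present in msg, in a fixed order."""
    hits = []
    if msg.subject.strip() in SUBJECTS:
        hits.append("subject")
    if any(line.strip() in BODY_LINES for line in msg.body.splitlines()):
        hits.append("body")
    name = msg.attachment_name.strip()
    if ATTACHMENT_RE.match(name):
        hits.append("attachment-name")
    if name.lower().endswith(".pif") and msg.attachment_size == WORM_SIZE:
        hits.append("attachment-size")
    if any(ZIP_MEMBER_RE.match(member.strip()) for member in msg.zip_members):
        hits.append("zip-member")
    return hits


def is_probable_netsky_r(msg):
    """Flag only when an attachment indicator AND a text indicator agree, so a
    legitimate bounce whose subject happens to be 'Failure' is not quarantined."""
    hits = netsky_r_indicators(msg)
    attachment_hit = "attachment-name" in hits or "zip-member" in hits
    text_hit = "subject" in hits or "body" in hits
    return attachment_hit and text_hit


if __name__ == "__main__":
    # Constructed sample message, not a real capture.
    sample = Message(
        subject="Mail Delivery System",
        body="Mail Delivery System - This mail contains binary characters\n",
        attachment_name="message.zip",
        attachment_size=12345,
        zip_members=["message.eml .scr"],
    )
    print(netsky_r_indicators(sample), is_probable_netsky_r(sample))
```

The subject list alone ("Status", "Error", "Failure") would match a large amount of legitimate bounce traffic, which is why the final decision requires the attachment shape as well; on a real gateway the ZIP member names would come from listing the archive, not from the message headers.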
The executable containing the worm is 28008 bytes in size. When the worm is executed for the first time, Notepad is opened. The worm then copies itself to the %windir% folder under the name "SysMonXP.exe". Another file, "firewalllogger.txt", 23040 bytes in size, is created; it is a DLL library and is executed by the worm. A mutex called '(S)(k)(y)(N)(e)(t)' is then created to ensure that only one instance of the worm is active.
A few more files are created in the %windir% folder. These are used to compose the e-mail messages and are called: zipo0.txt, zipo1.txt, zipo2.txt, zipo3.txt, zippedbase64.tmp and base64.tmp.
In order to be executed every time Windows starts, an entry called "SysMonXP" is created in the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The entry contains the path to the worm's executable file.
Several entries are deleted from the Registry. In this way the worm deactivates several older worms, if they are present on the system.
Win32/Netsky.R searches for e-mail addresses for further spreading in files on local drives that have one of the extensions below:
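The host artifacts described above (the dropped executable and DLL with their sizes, the helper files in %windir%, the Run key value and the mutex) are what an incident responder checks on a suspect machine. The following is an added example of such a check, not code from the original description or from ESET. The snapshot structure is an assumption: in practice the "files" map would come from a directory listing, "run_entries" from the Run key and "mutexes" from a handle dump; the sample snapshots are constructed.

```python
import ntpath

# Host artifacts listed in the description above.
WORM_EXE = "SysMonXP.exe"
WORM_EXE_SIZE = 28008
DLL_FILE = "firewalllogger.txt"
DLL_SIZE = 23040
HELPER_FILES = {"zipo0.txt", "zipo1.txt", "zipo2.txt", "zipo3.txt",
                "zippedbase64.tmp", "base64.tmp"}
MUTEX = "(S)(k)(y)(N)(e)(t)"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysMonXP"


def check_host(snapshot, windir=r"C:\WINDOWS"):
    """Return a list of (indicator, detail) pairs found in the snapshot.

    snapshot is an assumed structure: {"files": {path: size_in_bytes},
    "run_entries": {value_name: data}, "mutexes": [names]}.
    """
    findings = []
    # Windows paths are case-insensitive; normalise both sides before comparing.
    files = {ntpath.normcase(p): size for p, size in snapshot.get("files", {}).items()}

    def windir_path(name):
        return ntpath.normcase(ntpath.join(windir, name))

    exe = windir_path(WORM_EXE)
    if exe in files:
        note = "size matches" if files[exe] == WORM_EXE_SIZE else f"unexpected size {files[exe]}"
        findings.append(("worm-executable", f"{WORM_EXE} in %windir%, {note}"))

    dll = windir_path(DLL_FILE)
    if dll in files:
        note = "size matches" if files[dll] == DLL_SIZE else f"unexpected size {files[dll]}"
        findings.append(("dropped-dll", f"{DLL_FILE} in %windir%, {note}"))

    helpers = sorted(h for h in HELPER_FILES if windir_path(h) in files)
    if helpers:
        findings.append(("mail-helper-files", ", ".join(helpers)))

    # Registry value names are case-insensitive as well.
    for value_name, data in snapshot.get("run_entries", {}).items():
        if value_name.lower() == RUN_VALUE.lower():
            findings.append(("run-key-persistence", f"{RUN_KEY}\\{value_name} = {data}"))

    if MUTEX in snapshot.get("mutexes", []):
        findings.append(("mutex", MUTEX))

    return findings


def indicator_names(snapshot, windir=r"C:\WINDOWS"):
    """Just the indicator names, convenient for a quick verdict."""
    return [name for name, _ in check_host(snapshot, windir)]


if __name__ == "__main__":
    # Constructed snapshot of an infected host, not real forensic data.
    infected = {
        "files": {
            r"C:\WINDOWS\SysMonXP.exe": 28008,
            r"C:\WINDOWS\firewalllogger.txt": 23040,
            r"C:\WINDOWS\zipo0.txt": 10,
            r"C:\WINDOWS\base64.tmp": 5,
        },
        "run_entries": {"SysMonXP": r"C:\WINDOWS\SysMonXP.exe"},
        "mutexes": ["(S)(k)(y)(N)(e)(t)"],
    }
    for indicator, detail in check_host(infected):
        print(f"{indicator}: {detail}")
```

A size mismatch on SysMonXP.exe or firewalllogger.txt is reported rather than ignored, since a file with the worm's name but a different size still deserves a look (a repacked variant, or a partially written file).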
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
Addresses containing any of the following substrings are avoided:
@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
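After a Netsky.R infection, the responder wants to know which contacts stored on the host the worm would have mailed, so they can be warned; that scope follows directly from the two lists above (the extensions the worm reads and the address substrings it skips). The following is an added example that applies both lists to a map of files, not code from the original description or from ESET. The e-mail regular expression is an assumption (the worm's own parser is not documented here), and the sample files are constructed.

```python
import re
import ntpath

# Extensions the worm parses for addresses, from the list above.
HARVEST_EXTENSIONS = {
    ".adb", ".asp", ".cfg", ".cgi", ".dbx", ".dhtm", ".doc", ".eml", ".htm",
    ".html", ".jsp", ".mbx", ".mdx", ".mht", ".mmf", ".msg", ".nch", ".ods",
    ".oft", ".php", ".ppt", ".rtf", ".sht", ".shtm", ".stm", ".tbb", ".txt",
    ".uin", ".vbs", ".wab", ".wsh", ".xls", ".xml",
}
# Substrings that make the worm discard an address, from the list above.
AVOID_SUBSTRINGS = [
    "@antivi", "@avp", "@bitdefender", "@f-pro", "@f-secur", "@fbi", "@freeav",
    "@kaspersky", "@mcafee", "@messagel", "@microsof", "@norman", "@norton",
    "@pandasof", "@skynet", "@sophos", "@spam", "@symantec", "@viruslis",
    "abuse@", "noreply@", "ntivir", "reports@", "spam@",
]
# Assumed address pattern; good enough for plain-text and HTML files.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(path):
    """True if the worm would open this file looking for addresses."""
    return ntpath.splitext(path)[1].lower() in HARVEST_EXTENSIONS


def is_avoided(address):
    """True if the worm would skip this address (vendor, abuse and spam mailboxes)."""
    lowered = address.lower()
    return any(sub in lowered for sub in AVOID_SUBSTRINGS)


def exposed_addresses(files):
    """files: {path: text content}. Returns the sorted, de-duplicated addresses
    the worm would both collect from this host and actually send mail to."""
    exposed = set()
    for path, text in files.items():
        if not is_harvest_target(path):
            continue
        for address in EMAIL_RE.findall(text):
            if not is_avoided(address):
                exposed.add(address.lower())
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed file contents, not real user data.
    host_files = {
        r"C:\Documents and Settings\alice\contacts.wab":
            "bob@example.com, abuse@example.net, Carol <carol@example.org>",
        r"C:\notes\todo.txt": "ask support@kaspersky.com and dave@example.com",
        r"C:\photos\img.jpg": "erin@example.com",
        r"C:\web\index.php": "webmaster@example.com noreply@example.com",
    }
    for address in exposed_addresses(host_files):
        print("notify:", address)
```

Note that the avoidance list is a plain substring match, not a domain match: "ntivir" without a leading "@" skips any address whose local part or domain contains it, and "spam@" skips the local part while "@spam" skips the domain.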
Between April 8th and 11th, a DoS attack against the following servers is launched:
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st
On April 30th, the worm causes the system to beep.
The text below is contained in the body of the worm:
We are the only SkyNet, we don't have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam relaying.
and we aren't children. Due to this, many reports are wrong.
We don't use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker,
cracking, sharing with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don't prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...
- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -
Detection of Win32/NetSky.R, based on a sample, has been available since version 1.697.