Netsky.T


Netsky.T is an internet worm spreading via e-mail. It is 18432 bytes in size, compressed by UPX.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Upon execution the worm copies itself into the Windows folder as “EasyAV.exe”.
In the same folder it also creates a file “uinmzertinmds.opm” (25260 bytes), a MIME-encoded copy of the worm that it attaches to its e-mails.

The worm adds the following registry value so that it is run every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“EasyAV” = “%WINDOWS%\EasyAV.exe”

The worm contains several encrypted strings:

ooo.gnrxnm.cz ---> www.keygen.us
ooo.vpnnachn.mni ---> www.freemule.de
ooo.gkjkk.uwa ---> www.kazaa.com
ooo.nachn.qn ---> www.emule.de
ooo.upkugz.ka ---> www.cracks.am

and attempts a DoS attack against these web servers if the current date is between April 14th and April 23rd, 2004.
It creates 5 threads, each of which sends data to port 80 of the targeted web servers.

The worm opens a backdoor on port 6789 and listens there for incoming executable files, which are executed directly after they are received.
This allows the worm to update itself and to install more malicious files on the compromised system.

The worm scans all fixed disks and collects e-mail addresses from files whose extension is one of the following:

*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm,
*.cgi, *.dhtm, *.adb, *.tbb, *.dbx, *.pl, *.htm, *.html, *.jsp, *.wsh, *.xml, *.cfg,
*.mbx, *.mdx, *.mht, *.mmf, *.nch, *.ods, *.stm, *.xls, *.ppt

Note: The file extensions are also stored encrypted inside the worm, using the same algorithm as the URL strings above.
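The five encrypted/plain pairs listed above are enough to recover most of the worm's letter-substitution table by known-plaintext alignment, and that table is what an analyst would then apply to the encrypted extension strings. This is an added example, not ESET's code; it assumes the encoding is a fixed per-letter substitution (which the consistent mappings across the pairs support) and only recovers the letters that actually occur in those pairs.

```python
# Known-plaintext recovery of the Netsky.T string substitution table.
# Added example; the pairs are the ones listed on this page, and the
# assumption that a single fixed letter table is in use is checked by
# refusing any pair that maps one cipher letter to two plain letters.

KNOWN_PAIRS = [
    ("ooo.gnrxnm.cz", "www.keygen.us"),
    ("ooo.gkjkk.uwa", "www.kazaa.com"),
    ("ooo.nachn.qn", "www.emule.de"),
    ("ooo.upkugz.ka", "www.cracks.am"),
]
# The pair "ooo.vpnnachn.mni" / "www.freemule.de" on the page differs in
# length between cipher and plain text, so it cannot be aligned character
# by character and is left out of the learning step.


def learn_table(pairs):
    """Build a cipher-letter -> plain-letter map; raise on contradictions."""
    table = {}
    for enc, plain in pairs:
        if len(enc) != len(plain):
            raise ValueError(f"cannot align {enc!r} with {plain!r}")
        for c, p in zip(enc, plain):
            if c == ".":
                if p != ".":
                    raise ValueError("separator mismatch")
                continue
            if table.setdefault(c, p) != p:
                raise ValueError(f"conflict for {c!r}: {table[c]!r} vs {p!r}")
    return table


def decode(enc, table):
    """Decode with the learned table; letters never seen become '?'."""
    return "".join(ch if ch == "." else table.get(ch, "?") for ch in enc)


def shift_of(table):
    """Return the Caesar shift if the table is a plain shift, else None."""
    shifts = {(ord(p) - ord(c)) % 26 for c, p in table.items()}
    return shifts.pop() if len(shifts) == 1 else None


TABLE = learn_table(KNOWN_PAIRS)

if __name__ == "__main__":
    for enc, plain in KNOWN_PAIRS:
        assert decode(enc, TABLE) == plain
    print(f"{len(TABLE)} of 26 cipher letters recovered; Caesar shift: {shift_of(TABLE)}")
```

Running it shows that 16 cipher letters are recovered and that no single shift explains the table, so the worm uses a lookup table rather than a Caesar-style rotation.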

Netsky.T starts, from its own process, a 2nd process of the same executable, which watches process activity and registry changes. If one of the Netsky processes is terminated, the remaining process restarts it as a new child process. The worm also restores its deleted autostart registry entries as long as it is still active in memory. This makes manual removal of the worm more difficult.

The worm creates a mutex “SyncMutex_USUkUyUnUeUtU” for the 1st process and a mutex “Protect_USUkUyUnUeUtU_Mutex” for the 2nd process, so that each process instance is loaded only once.
The worm makes sure that exactly 2 processes are running (the main process and the guard process).

DNS Resolving

Netsky.T sends its DNS queries to a fixed list of name servers embedded in the worm:

Email Subjects

Email subjects are randomly picked from:

Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello

The remaining email subjects are stored encrypted:

Approved file
List
Corrected document
Archive
Abuse list
Presentation document
Instructions
Details
Improved document
Note
Message
Contact list
Number list
File
Secound document
Improved file
User list
Textfile
New document
Text
Information
Info
Word document
Excel document
Powerpoint document
Detailed document
Homepage
Letter
Mail
Document
Old document
Approved document
Movie document
Picture document
Summary
Description
Requested document
Notice
Bill
Answer
Release
Final version
Diggest
Important document
Order
Photo document
Personal message
Phone number
E-mail
Icq number
Report
Story
Concept
Developement
Sample
Postcard
Account

Email Message Body

The 1st part of the message body is one of:

Hi!
Hello!
(nothing)

The 2nd part is one of:

Note that I have attached your document.
My {attachment-name}.
The {attachment-name}.
I have spent much time for the {attachment-name}.
I have spent much time for your document.
Your {attachment-name}.
Please notice the attached {attachment-name}.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the {attachment-name}.
My {attachment-name} is attached.
Your {attachment-name} is attached.
Please, {attachment-name}.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested {attachment-name} is attached!
I have sent the {attachment-name}.
Please see the {attachment-name}.
The {attachment-name} is attached.
Here is the {attachment-name}.
Please have a look at the {attachment-name}.
Please read the {attachment-name}.

The 3rd part is randomly chosen from:

Thanks
Thank you
Yours sincerely
(nothing)

Attachments

Attachment names are randomly generated from the following list:

account
postcard
sample
developement
concept
story
report
icq_number
e-mail
phone_number
personal_message
photo_document
order
important_document
diggest
final_version
release
answer
bill
notice
requested_document
description
summary
picture_document
movie_document
approved_document
old_document
document
mail
letter
homepage
detailed_document
powerpoint_document
excel_document
word_document
info
information
text
new_document
textfile
user_list
improved_file
secound_document
file
number_list
contact_list
message
note
improved_document
details
instructions
presentation_document
abuse_list
archive
corrected_document
list
approved_fil

followed by a random digit between 0 and 9 and the suffix .PIF. Example: list5.pif

Note: The worm sends itself with fake sender addresses. It uses its own SMTP engine between 13th and 17th April 2004.
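The attachment rule above (one of the listed stems, exactly one digit, suffix .PIF) combined with the fixed subject list is specific enough for a mail-gateway check. The following is an added example, not ESET's code; it uses a labelled subset of the page's stem and subject lists and constructed sample headers, and is meant to be extended with the full lists from this page.

```python
# Header-level match for the Netsky.T mail template described on this page.
# Added example. The lists below are a subset of the page's lists, kept
# short for illustration; the matching rule itself is the page's.
import re

# subset of the attachment stems listed on the page
ATTACHMENT_STEMS = ["account", "postcard", "list", "approved_document",
                    "phone_number", "icq_number", "document", "file"]
# subset of the plain-text subjects listed on the page
SUBJECTS = {"Hello!", "Hi!", "Re: Important", "Important", "Re: My details",
            "My details", "Re: Your document", "Your document",
            "Re: Thanks you!", "Thank you!", "Re: Approved", "Approved"}

# <stem><single digit 0-9>.pif, e.g. list5.pif; the worm writes the
# suffix in upper case, so the comparison is case-insensitive.
ATTACH_RE = re.compile(
    r"^(" + "|".join(re.escape(s) for s in ATTACHMENT_STEMS) + r")[0-9]\.pif$",
    re.IGNORECASE)


def attachment_matches(name):
    """True when the attachment name fits <stem><digit>.PIF exactly."""
    return ATTACH_RE.match(name) is not None


def matches_netsky_t(subject, attachment):
    """True when both the subject and the attachment fit the template."""
    return subject in SUBJECTS and attachment_matches(attachment)


# constructed sample headers, not real captures: (subject, attachment, expected)
SAMPLES = [
    ("Re: Important", "list5.pif", True),
    ("Hi!", "account0.PIF", True),
    ("Hi!", "account.pif", False),    # the digit is mandatory
    ("Hi!", "account12.pif", False),  # exactly one digit
    ("Meeting notes", "list5.pif", False),
    ("Re: Important", "list5.exe", False),
]

if __name__ == "__main__":
    for subject, attachment, expected in SAMPLES:
        assert matches_netsky_t(subject, attachment) == expected
    print("all constructed samples classified as expected")
```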
