I-Worm.NetSky. Spyware/Adware Definition
Name: I-Worm.NetSky.
Category: Viruses
Description:
Details
I-Worm.NetSky.o
This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++. It is approximately 16KB in size and packed using UPX. The unpacked file is approximately 140KB in size.
When launched, the worm recursively scans all disks, starting with C: for files with the following extensions:
.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml
It sends copies of itself to email addresses harvested from these files.
The worm creates the following files:
zip1.tmp, zip2.tmp, zip3.tmp, zip4.tmp, zip5.tmp, zip6.tmp - each contains a MIME-encoded copy of the worm
zipped.tmp - a copy of the worm in a ZIP archive
It deletes the following values from the system registry key:
[HKLM(HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
system.
msgsvr32
au.exe
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
Installation
When launching, the worm copies itself to the Windows directory as Avprotect9x.exe. It then registers the full path to this file in the system registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NetDy = <%windir%>\VisualGuard.exe
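A host-side check for the autostart and dropped-file indicators above, written as an added example (it is not part of the original description). It assumes the Run key has been exported as a list of (value name, value data) pairs, for instance with winreg on Windows, and that the caller supplies the directory to inspect for the zipN.tmp / zipped.tmp files, since the description does not say where they are created. Both file names the text mentions (Avprotect9x.exe and VisualGuard.exe) are checked.

```python
"""Host-side check for the NetSky.o autostart and dropped-file indicators.

Added example, not from the original description. Assumes the Run key has
been exported as (value name, value data) pairs, e.g. with winreg, and that
the caller supplies the directory to check for the temp files (their
location is not stated in the text).
"""
import os
from typing import Iterable, List, Tuple

# Indicators taken from the description: the autostart value name and the
# two file names it mentions.
RUN_VALUE_NAME = "netdy"
RUN_FILE_NAMES = {"visualguard.exe", "avprotect9x.exe"}
DROPPED_FILES = {f"zip{i}.tmp" for i in range(1, 7)} | {"zipped.tmp"}


def _file_name(value_data: str) -> str:
    """Last path component of a Run value, tolerating quotes and either slash."""
    cleaned = value_data.strip().strip('"').replace("\\", "/")
    return cleaned.rsplit("/", 1)[-1].lower()


def check_run_values(values: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding per Run value whose name or target matches the worm."""
    findings = []
    for name, data in values:
        target = _file_name(data)
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' uses the worm's autostart name (data: {data})")
        elif target in RUN_FILE_NAMES:
            findings.append(f"Run value '{name}' launches {target}")
    return findings


def check_dropped_files(directory: str) -> List[str]:
    """Return the worm's temp-file names that exist in `directory` (sorted)."""
    try:
        present = {n.lower() for n in os.listdir(directory)}
    except OSError:  # directory missing or unreadable: nothing to report
        return []
    return sorted(DROPPED_FILES & present)


def read_run_values(hive_name: str = "HKLM") -> List[Tuple[str, str]]:
    """Enumerate the live Run key with winreg (Windows only)."""
    import winreg  # imported here so the pure checks above also run elsewhere
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values: List[Tuple[str, str]] = []
    with winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been read
                break
            values.append((name, str(data)))
            index += 1
    return values


# Constructed sample export (not real data): one benign entry plus the two
# indicators described above.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("NetDy", r"C:\WINDOWS\VisualGuard.exe"),
    ("Updater", r'"C:\WINDOWS\Avprotect9x.exe"'),
]

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN_VALUES):
        print(finding)
    print("dropped files:", check_dropped_files(os.environ.get("WINDIR", r"C:\WINDOWS")))
```

On a live Windows host, pass `read_run_values("HKLM")` and `read_run_values("HKCU")` to `check_run_values`; the pure functions run anywhere, so an exported key can also be checked offline.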
Infected messages
Message header (compiled using one or more lines from the list below):
Re:
Re: Re:
your
my
approved
important
here
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately
Attachment name (chosen at random from the list below):
document
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all
Message body (chosen at random from the list below):
Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
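A mail-gateway triage routine for the lures quoted above, added here as an example (it is not taken from the original description). It matches a message's subject, body and attachment name against the three lists in the text; the attachment extensions treated as risky are an assumption, since the text gives attachment base names but not their extensions, and the sample messages are constructed.

```python
"""Mail-gateway triage for the NetSky.o lures quoted above.

Added example, not from the original description. Subject, body and
attachment name are matched against the lists in the text; the risky
extension set is an assumption (the text does not state extensions).
"""
import os
from email import message_from_string
from typing import Dict, Optional

SUBJECT_FRAGMENTS = {
    "re:", "re: re:", "your", "my", "approved", "important", "here", "hi",
    "hello", "thanks!", "corrected", "patched", "improved", "read it immediately",
}
ATTACHMENT_NAMES = {
    "document", "file", "details", "information", "letter", "product",
    "website", "application", "screensaver", "bill", "word document",
    "excel document", "data", "message", "text", "document_all",
}
BODY_SENTENCES = {
    "your details.", "your document.",
    "i have received your document. the corrected document is attached.",
    "i have attached your document.", "your document is attached to this mail.",
    "authentication required.", "requested file.", "see the file.",
    "please read the important document.", "please confirm the document.",
    "your file is attached.", "please read the document.",
    "your document is attached.", "please read the attached file.",
    "please see the attached file for details.",
}
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".zip"}  # assumption


def _normalise(text: str) -> str:
    return " ".join(text.lower().split())


def subject_is_lure(subject: Optional[str]) -> bool:
    """True if the subject is built solely from the fragments above."""
    rest = _normalise(subject or "")
    if not rest:
        return False
    by_length = sorted(SUBJECT_FRAGMENTS, key=len, reverse=True)
    while rest:
        for fragment in by_length:  # longest fragment first, so "re: re:" beats "re:"
            if rest == fragment or rest.startswith(fragment + " "):
                rest = rest[len(fragment):].lstrip()
                break
        else:
            return False
    return True


def attachment_is_lure(filename: Optional[str]) -> bool:
    """True for e.g. 'document.pif' or 'word document.zip'."""
    if not filename:
        return False
    base, ext = os.path.splitext(filename.lower())
    return base in ATTACHMENT_NAMES and ext in RISKY_EXTENSIONS


def body_is_lure(body: str) -> bool:
    return _normalise(body) in BODY_SENTENCES


def triage(raw_message: str) -> Dict[str, bool]:
    """Score one RFC 822 message; 'flagged' needs a lure attachment plus a lure subject or body."""
    msg = message_from_string(raw_message)
    body_parts, attachment_hit = [], False
    for part in msg.walk():
        if part.get_filename():
            attachment_hit = attachment_hit or attachment_is_lure(part.get_filename())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("utf-8", errors="replace"))
    hits = {
        "subject": subject_is_lure(msg.get("Subject")),
        "body": any(body_is_lure(p) for p in body_parts),
        "attachment": attachment_hit,
    }
    hits["flagged"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


# Constructed sample messages (not real captures).
LURE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Re: approved
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please read the important document.
--b1
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BENIGN_MESSAGE = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Re: approved budget for Q3
Content-Type: text/plain; charset="us-ascii"

Attached is the spreadsheet we discussed.
"""

if __name__ == "__main__":
    print("lure:", triage(LURE_MESSAGE))
    print("benign:", triage(BENIGN_MESSAGE))
```

Requiring an attachment hit together with a subject or body hit keeps a legitimate "Re: approved" thread from being quarantined on the subject alone.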
The worm contains the following text strings:
<*>NetDy: Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
<*>NetDy: We have rewritten *N*e*t*S*k*y.
<*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
<*>NetDy: Our group will continue the war.
<*>NetDy: Malware writers ',27h,'End',27h,' comes true.
<*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).
<*>NetDy: ----------------------------------------------------------------------------
<*>NetDy: We are greeting all russia people!
USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU, OSAMA BIN LADEN,
BURN IN THE DEVILS FIRE 2!!! SHAME ON YOU MR. BUSH!!!
Signs of infection
The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds. This behaviour makes it possible to detect the worm using Kaspersky Anti-Hacker.
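One way to turn the shifting-port behaviour just described into a check of your own, added here as an example rather than anything from the original description or from Kaspersky Anti-Hacker: take a few snapshots of the local listening TCP ports a few seconds apart, parsed from Windows-style `netstat -an` output, and report when the only churn between consecutive snapshots is a uniform upward shift of the same size each time. The netstat format, the pairing heuristic and the sample snapshots are assumptions; the text says only that the group's port numbers increase every few seconds.

```python
"""Spotting the shifting group of listening ports described above.

Added example, not part of the original description. The netstat format,
the shift heuristic and the constructed snapshots are assumptions.
"""
from typing import List, Optional, Sequence, Set


def listening_ports(netstat_output: str) -> Set[int]:
    """Local ports of TCP sockets in LISTENING state."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def uniform_upward_shift(before: Set[int], after: Set[int]) -> Optional[int]:
    """Offset by which the ports that vanished reappear higher up, else None.

    Stable ports are ignored; the churn must pair off exactly (k ports gone,
    k new ones) with a single positive difference across all pairs.
    """
    gone, new = sorted(before - after), sorted(after - before)
    if not gone or len(gone) != len(new):
        return None
    offsets = {n - g for g, n in zip(gone, new)}
    if len(offsets) != 1:
        return None
    offset = offsets.pop()
    return offset if offset > 0 else None


def walking_listeners(snapshots: Sequence[Set[int]], min_steps: int = 2) -> bool:
    """True when every consecutive pair shifts by the same positive offset."""
    offsets: List[int] = []
    for before, after in zip(snapshots, snapshots[1:]):
        offset = uniform_upward_shift(before, after)
        if offset is None:
            return False
        offsets.append(offset)
    return len(offsets) >= min_steps and len(set(offsets)) == 1


def _netstat(*listening: int) -> str:
    """Build constructed netstat -an output (sample data, not a real capture)."""
    rows = ["Active Connections", "",
            "  Proto  Local Address          Foreign Address        State"]
    rows += [f"  TCP    0.0.0.0:{p:<16}0.0.0.0:0              LISTENING" for p in listening]
    rows.append("  TCP    127.0.0.1:1025         127.0.0.1:445          ESTABLISHED")
    return "\n".join(rows)


# Three constructed snapshots: 135 and 445 are stable, the group 6000-6002
# moves up by one port each time.
SNAPSHOTS = [listening_ports(_netstat(135, 445, 6000, 6001, 6002)),
             listening_ports(_netstat(135, 445, 6001, 6002, 6003)),
             listening_ports(_netstat(135, 445, 6002, 6003, 6004))]

if __name__ == "__main__":
    print("walking listener group:", walking_listeners(SNAPSHOTS))
```

Because only the churn is compared, a dense but static range of listeners from a legitimate service does not trigger, and a service that restarts on a random port fails the single-offset test.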