W32.Netsky.C@mm

Note: Norton Antivirus 2003 can remove this virus automatically.  You can also download a Netsky.C removal tool.

W32.Netsky.C is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. The worm also searches drives C through Y for folder names containing "Shar" and copies itself to those folders.

The Subject, Body, and email attachment vary.


Notes:
  • Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
  • Rapid Release virus definitions, version 2/24/04 rev 32 (60224af or 20040224.032) and greater, detect this threat.
  • Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.C@mm.


Also Known As: W32/Netsky.c@MM [McAfee], Win32.Netsky.C [Computer Associates], W32/Netsky-C [Sophos], WORM_NETSKY.C [Trend], I-Worm.Moodown.c [Kaspersky]
Type: Worm
Infection Length: 25,352 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

THREAT ASSESSMENT

Wild:

  • Number of infections: More than 1000
  • Number of sites: More than 10
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Moderate

Damage

  • Payload Trigger: n/a
  • Payload: n/a
    • Large scale e-mailing: Sends itself to email addresses found in files whose suffix contains one of the following extensions: .adb, .asp, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .msg, .oft, .php, .pl, .rtf, .sht, .shtm, .tbb, .txt, .uin, .vbs, and .wab
    • Deletes files: n/a
    • Modifies files: n/a
    • Degrades performance: n/a
    • Causes system instability: n/a
    • Releases confidential info: n/a
    • Compromises security settings: n/a

Distribution

  • Subject of email: varies
  • Name of attachment: varies with .com, .exe, .pif, or .scr file extension
  • Size of attachment: 25,352 bytes
  • Time stamp of attachment: n/a
  • Ports: n/a
  • Shared drives: Searches drives C through Y for folder names containing "Shar" and then copies itself to those folders.
  • Target of infection: n/a


TECHNICAL DETAILS

When W32.Netsky.C@mm runs, it does the following:

  1. Creates a mutex named "[SkyNet.cz]SystemsMutex". This mutex allows only one instance of the worm to execute.

  2. Copies itself as %Windir%\Winlogon.exe.


    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  3. Adds the value:

    "ICQ Net" = "%Windir%\winlogon.exe -stealth"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  4. Deletes the values:
    • Taskmon
    • Explorer
    • Windows Services Host
    • KasperskyAV

      from the registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


      Notes:
    • Some of these registry key values are typically associated with the worms W32.Mydoom.A@mm and W32.Mydoom.B@mm.
    • The W32.Mimail.T@mm worm may add the registry value "KasperskyAV".

     

  5. Deletes the values:
    • System.
    • msgsvr32
    • DELETE ME
    • service
    • Sentry

      from the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  6. Deletes the values:
    • d3dupdate.exe
    • au.exe
    • OLE

      from the registry key:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  7. Deletes the value:

    System.

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices


  8. Deletes the registry keys:
    • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch


      Note: The worms W32.Mydoom.A@mm and W32.Mydoom.B@mm add a value to the first key, so that explorer.exe loads their backdoor components.


  9. Retrieves email addresses from the files on the computer whose suffix contains one of the following extensions:
    • .eml
    • .txt
    • .php
    • .pl
    • .htm
    • .html
    • .vbs
    • .rtf
    • .uin
    • .asp
    • .wab
    • .doc
    • .adb
    • .tbb
    • .dbx
    • .sht
    • .oft
    • .msg
    • .shtm
    • .cgi
    • .dhtm


      Note: Due to a bug in the code, the worm also searches any file whose extension is a substring of one of the extensions listed above.

      For example, the worm scans files with the .txt, .tx, and .t extensions.



  10. Searches drives C through Y for folder names containing "Shar". If the drive is not a CD-ROM, the worm copies itself to each matching folder, and to all subfolders below it, under the following names:
    • Microsoft WinXP Crack.exe
    • Teen Porn 16.jpg.pif
    • Adobe Premiere 9.exe
    • Adobe Photoshop 9 full.exe
    • Best Matrix Screensaver.scr
    • Porno Screensaver.scr
    • Dark Angels.pif
    • XXX hardcore pic.jpg.exe
    • Microsoft Office 2003 Crack.exe
    • Serials.txt.exe
    • Screensaver.scr
    • Full album.mp3.pif
    • Ahead Nero 7.exe
    • Virii Sourcecode.scr
    • E-Book Archive.rtf.exe
    • Doom 3 Beta.exe
    • How to hack.doc.exe
    • Learn Programming.doc.exe
    • WinXP eBook.doc.exe
    • Win Longhorn Beta.exe
    • Dictionary English - France.doc.exe
    • RFC Basics Full Edition.doc.exe
    • 1000 Sex and more.rtf.exe
    • 3D Studio Max 3dsmax.exe
    • Keygen 4 all appz.exe
    • Windows Sourcecode.doc.exe
    • Norton Antivirus 2004.exe
    • Gimp 1.5 Full with Key.exe
    • Partitionsmagic 9.0.exe
    • Star Office 8.exe
    • Magix Video Deluxe 4.exe
    • Clone DVD 5.exe
    • MS Service Pack 5.exe
    • ACDSee 9.exe
    • Visual Studio Net Crack.exe
    • Cracks & Warez Archive.exe
    • WinAmp 12 full.exe
    • DivX 7.0 final.exe
    • Opera.exe
    • IE58.1 full setup.exe
    • Smashing the stack.rtf.exe
    • Ulead Keygen.exe
    • Lightwave SE Update.exe
    • The Sims 3 crack.exe


      Note: This could allow copies of W32.Netsky.C@mm to spread through file-sharing networks, instant messaging clients, Windows shared folders, or any program that uses shared folders whose names contain "Shar".

  11. Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once. The worm uses the local DNS server (retrieved via an API), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16

  12. The email has the following characteristics:

    From: (Spoofed)

    Note: This email address could be one of the addresses retrieved by the worm, as indicated in step 9.


    Subject: (67% of the time, the Subject is taken from the following list. The rest of the time it may be taken from the list of Message bodies below, or left blank.)

    • Delivery Failed
    • Status
    • report
    • question
    • trust me
    • hey
    • Re: excuse me
    • read it immediatelly
    • hi
    • Re: does it?
    • Yep
    • important
    • hello
    • dear
    • Re: unknown
    • fake?
    • warning
    • moin
    • what's up?
    • info
    • Re: information
    • Here is it
    • stolen
    • private?
    • good morning
    • illegal...
    • error
    • take it
    • re:
    • Re: Re: Re: Re:
    • you?
    • something for you
    • exception
    • Re: hey
    • excuse me
    • Re: hi
    • Re: does it?
    • Re: important
    • Re: hello
    • believe me
    • Question
    • denied!
    • notification
    • Re: <5664ddff?$??º2>
    • lol
    • last chance!
    • I'm back!
    • its me
    • notice!


      Message: (One of the following, but could be blank)
    • <Deliver Error>
    • <Message Error>
    • <Server Error>
    • what means that?
    • help attached
    • <...>
    • ok...
    • <Attachment from Poland>
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • gonna?
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?
    • yours?
    • here is it.
    • illegal st. of you?
    • is that true?
    • account?
    • is that your name?
    • picture?
    • message?
    • is that your account?
    • pwd?
    • I wait for an answer!
    • abuse?
    • is that yours?
    • you are a bad writer
    • I don't know your document!
    • <Mail failed>
    • I have your password!
    • you won the rk!
    • something about you!
    • classroom test of you?
    • kill the writer of this document!
    • old photos about you?
    • i hope thats not true!
    • your name is wrong!
    • does it match?
    • i found this document about you.
    • time to fear?
    • really?
    • do you know this????
    • i know your document!
    • did you sent it to me?
    • this file is bad!
    • why should I?
    • pages?
    • her.
    • another pic, have fun! ... :->
    • test it
    • child porn?
    • greetings
    • xxx ?
    • stuff about you?
    • your document is not good
    • something is going wrong!
    • your photo is poor
    • information about you?
    • the information is wrong!
    • doc about me?
    • kill him on the picture!
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter?
    • here, the serials
    • are you a teacherin the picture?
    • here, the introduction
    • is that criminal?
    • here, the cheats
    • i like your doc!
    • what do you think about it?
    • that's a funny text.
    • that's not the truth?
    • do you have?
    • instruct me about this!
    • i lost that
    • i am speachless about your document!
    • is that the reality?
    • reply
    • msg
    • your design is not good!
    • important?
    • your TAN number?
    • take it easy!
    • why?
    • you are naked in this document!
    • thats wrong!
    • your icq number?
    • i am desperate
    • modifications?
    • your personal record?
    • yes.
    • misc. and so on. see you!
    • your attachment? verify it.
    • you earn money, see the attachment!
    • is that your attachment?
    • is that your website?
    • you feel the same.
    • meaning of that?
    • possible?
    • you have tried to steal!
    • did you ask me for that?
    • you are bad
    • your job? (I found that!)
    • is that possible?
    • something is going ...
    • something is not ok
    • did you know from this document?
    • wrong calculation! (see the attachment!...
    • never!
    • poor quality!
    • good work!
    • excellent!
    • great!
    • i don't think so.
    • pretty pic about you?
    • docs?
    • schoolfriend?
    • <Warning from the Government>
    • <09580985869gj>
    • <?}
    • i want more...
    • here is the next one!
    • attachi#
    • did you see her already?
    • is that your wife?
    • is that your creditcard?
    • is that your photo?
    • do you think so?
    • do you have the bug also?
    • already?
    • forgotten?
    • drugs? ...
    • does it matter?
    • i have received this.
    • best?
    • the truth?
    • your body?
    • your eyes?
    • your face?
    • File is self-decryting.
    • File is damaged.
    • File is bad.
    • i saw you last week!
    • xxx service
    • your account is expired!
    • you cannot hide yourself! (see photo)
    • copyright?
    • what still?
    • who?
    • how?
    • <bad gateway>
    • only encrypted!
    • personal message!
    • my advice....
    • i've found it about you
    • <<<Failure>>>
    • <Attached Msg>
    • <scanned by norton antivirus>
    • great xxx!
    • man or women?
    • child or adult?
    • here is yours!
    • a crazy doc about you
    • xxx about you?
    • i don't want your xxx pics!
    • <Failed message available>
    • <Automailer>
    • doc?
    • trial?
    • what?
    • ;-)
    • i need you!
    • correct it!
    • see this!
    • it's a secret!
    • this is nothing for kids!
    • it's so similar as yours!
    • is that your car?
    • do not give up!
    • great job!
    • here is the $%%454$
    • you are sexy in this doc!
    • incest?
    • let it!
    • you look like an ape!
    • you look like an rat?
    • be mad?
    • are you cranky?
    • bob the builder
    • did you know that?
    • money?
    • is that your car?
    • is this information about you?
    • is that your privacy?
    • is that your TAN?
    • is that your message?
    • is that your cd?
    • is that your finger?
    • your are naked?
    • is that your porn pic?
    • is that your work?
    • is that your family?
    • is that your beast?
    • is that your account?
    • is that your slip?
    • is that your domain?
    • are you the naked one?
    • are you the naked person!
    • are you the one?
    • does it belong to you?
    • do you have sex in the picture?
    • you have a sexy body in the pic!
    • your lie is going around the world!
    • <Transfer complete>
    • <Antispam complete>
    • lets talk about it!
    • do you know the thief?
    • are you a photographer?
    • you have done a mistake in the document...
    • its private from me
    • do not show this anyone!
    • new patch is available!
    • this is an attachment message!
    • in your mind?
    • Microsoft
    • fast food...
    • Your bill.
    • try this patch!
    • do you have an orgasm in the picture?
    • <Click the attachment to decrypt>
    • <Attachment Signature 34933920>
    • Transaction failed. Show the doc!
    • I 've found your bill!
    • see your name!
    • You are infected. Read the details!
    • here is my advice.
    • here is my photo!
    • here is the <censored>
    • feel free to use it.
    • does it belong to you?
    • Login required! Read the attachment!
    • your document is silly!
    • is the pic a fake?
    • Antispam is turned off. See file!
    • Authentification required. Read the att...
    • solve the problem!
    • <null>
    • do not use my document!
    • do not open the attachment!
    • do not visit the pages on the list I se...
    • explain!
    • tell me more about your document!
    • Your provider will be disabled!
    • Instant patches.


      Attachment:
      W32.Netsky.C@mm creates a .zip file as the attachment 51.5% of the time, naming it with one of the Attachment Names below. The archive contains an executable copy of the worm whose file name is also chosen at random from the Attachment Names below. There is a 25% chance that the name is constructed as attachment_attachment (e.g. document_msg).

      The rest of the time, the worm attaches a copy of itself directly, again named with one of the Attachment Names below.

      Attachment Name:
      (One of the following)
    • document
    • associal
    • msg
    • yours
    • doc
    • wife
    • talk
    • message
    • response
    • creditcard
    • description
    • details
    • attachment
    • pic
    • me
    • trash
    • card
    • stuff
    • poster
    • posting
    • portmoney
    • textfile
    • moonlight
    • concert
    • sexy
    • information
    • news
    • note
    • number_phone
    • bill
    • mydate
    • swimmingpool
    • class_photos
    • product
    • old_photos
    • topseller
    • ps
    • important
    • shower
    • myaunt
    • aboutyou
    • yours
    • nomoney
    • birth
    • found
    • death
    • story
    • worker
    • mails
    • letter
    • more
    • website
    • regards
    • regid
    • friend
    • unfolds
    • jokes
    • doc_ang
    • your_stuff
    • location
    • 454543403
    • final
    • schock
    • release
    • webcam
    • dinner
    • intimate stuff
    • sexual
    • ranking
    • object
    • secrets
    • mail2
    • attach2
    • part2
    • msg2
    • disco
    • freaky
    • visa
    • party
    • material
    • misc
    • nothing
    • transfer
    • auction
    • warez
    • undefinied
    • violence
    • update
    • masturbation
    • injection
    • naked1
    • naked2
    • tear
    • music
    • paypal
    • id
    • privacy
    • word_doc
    • image
    • incest

      Extensions:
      If the attachment is an executable file, the worm will create a double extension for 46.2% of the time. If the attachment is a .zip file, then the executable within the .zip will have a double extension for 67% of the time. The first variable extension in these cases will be one of the following:
    • .txt
    • .rtf
    • .doc
    • .htm

      All the executables will end with one of the following extensions:
    • .exe
    • .scr
    • .com
    • .pif

  13. The worm avoids sending to email addresses which contain any of the following strings:
    • icrosoft
    • antivi
    • ymantec
    • spam
    • avp
    • f-secur
    • itdefender
    • orman
    • cafee
    • aspersky
    • f-pro
    • orton
    • fbi
    • abuse

  14. Creates .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the above Attachment Names.
  15. If the local system time is between 6:00 AM and 9:00 AM on February 26, 2004, the computer speaker will continuously beep.
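The mailing behaviour in step 11 is also visible from the network side. The following is an added example in Python, not code from this advisory or from Symantec: it reads constructed firewall log lines and flags two signals, a host that is not a mail relay opening SMTP connections to many distinct destinations (the worm's own SMTP engine delivering directly to MX hosts), and DNS queries sent to the hard-coded resolver list above instead of the local resolver. The log format, the 10.0.0.x and 198.51.100.x addresses, the relay address and the fan-out threshold are assumptions made for the example.

```python
"""Added example (not from the advisory): spot Netsky.C-style mailing in
outbound firewall logs. Log format, hosts and threshold are constructed."""
import re
from collections import defaultdict

# Hard-coded DNS servers from step 11 of the advisory (deduplicated).
NETSKY_C_DNS_SERVERS = {
    "145.253.2.171", "151.189.13.35", "193.141.40.42", "193.189.244.205",
    "193.193.144.12", "193.193.158.10", "194.25.2.129", "194.25.2.130",
    "194.25.2.131", "194.25.2.132", "194.25.2.133", "194.25.2.134",
    "195.185.185.195", "195.20.224.234", "212.185.252.136", "212.185.252.73",
    "212.185.253.70", "212.44.160.8", "212.7.128.162", "212.7.128.165",
    "213.191.74.19", "217.5.97.137", "62.155.255.16",
}

# Constructed sample log: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>".
# 10.0.0.7 is a workstation behaving like the worm, 10.0.0.2 is the site's
# legitimate mail relay, 10.0.0.9 is a workstation using the relay normally.
SAMPLE_LOG = """\
2004-02-25T10:01:02 ALLOW UDP 10.0.0.7:1031 -> 10.0.0.1:53
2004-02-25T10:01:03 ALLOW UDP 10.0.0.7:1032 -> 194.25.2.129:53
2004-02-25T10:01:04 ALLOW TCP 10.0.0.7:1033 -> 198.51.100.10:25
2004-02-25T10:01:05 ALLOW TCP 10.0.0.7:1034 -> 198.51.100.11:25
2004-02-25T10:01:06 ALLOW TCP 10.0.0.7:1035 -> 198.51.100.12:25
2004-02-25T10:01:07 ALLOW TCP 10.0.0.7:1036 -> 198.51.100.13:25
2004-02-25T10:01:08 ALLOW TCP 10.0.0.7:1037 -> 198.51.100.14:25
2004-02-25T10:01:09 ALLOW TCP 10.0.0.9:1040 -> 10.0.0.2:25
2004-02-25T10:01:10 ALLOW UDP 10.0.0.9:1041 -> 10.0.0.1:53
2004-02-25T10:01:11 ALLOW TCP 10.0.0.2:2001 -> 198.51.100.20:25
2004-02-25T10:01:12 ALLOW TCP 10.0.0.2:2002 -> 198.51.100.21:25
2004-02-25T10:01:13 ALLOW TCP 10.0.0.2:2003 -> 198.51.100.22:25
2004-02-25T10:01:14 ALLOW TCP 10.0.0.2:2004 -> 198.51.100.23:25
2004-02-25T10:01:15 ALLOW TCP 10.0.0.2:2005 -> 198.51.100.24:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def find_mailing_hosts(log_text, mail_relays, fanout_threshold=5):
    """Return {src_ip: [reasons]} for hosts showing Netsky.C-style mailing.

    mail_relays: hosts allowed to speak SMTP to the outside (excluded from
    the fan-out check). fanout_threshold: distinct port-25 peers that count
    as direct-to-MX behaviour for a non-relay host."""
    smtp_peers = defaultdict(set)
    rogue_dns = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["proto"] == "TCP" and rec["dport"] == 25 and rec["src"] not in mail_relays:
            smtp_peers[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "UDP" and rec["dport"] == 53 and rec["dst"] in NETSKY_C_DNS_SERVERS:
            rogue_dns[rec["src"]].add(rec["dst"])
    findings = defaultdict(list)
    for src, peers in smtp_peers.items():
        if len(peers) >= fanout_threshold:
            findings[src].append(f"direct-to-MX SMTP to {len(peers)} distinct hosts")
    for src, servers in rogue_dns.items():
        findings[src].append(f"DNS to hard-coded Netsky.C resolvers: {sorted(servers)}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_mailing_hosts(SAMPLE_LOG, mail_relays={"10.0.0.2"}).items():
        print(host, "->", "; ".join(reasons))
```

The resolver list is a 2004 artefact and says little on its own today; the durable signal is a workstation talking SMTP to many hosts it has no business reaching, which is why the relay allow-list and the threshold are the parts to tune for a given network.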

 

RECOMMENDATIONS

All users and administrators should adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
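The recommendation to block risky attachments at the mail server can be made concrete against the naming scheme described in step 12. The following is an added example in Python, not code from this advisory or from Symantec: it classifies an attachment file name using the Attachment Name list, the .txt/.rtf/.doc/.htm inner extension and the .exe/.scr/.com/.pif final extension, opens .zip attachments to apply the same check to their members, and, going beyond the worm's own names, blocks any executable attachment outright as the list above advises. The verdict policy, the in-memory archive helper and the sample file names are assumptions made for the example.

```python
"""Added example (not from the advisory): mail-gateway attachment check
for the Netsky.C naming scheme. Policy and sample names are constructed."""
import io
import zipfile

# Attachment Names from step 12 of the advisory.
ATTACHMENT_NAMES = {
    "document", "associal", "msg", "yours", "doc", "wife", "talk", "message",
    "response", "creditcard", "description", "details", "attachment", "pic", "me",
    "trash", "card", "stuff", "poster", "posting", "portmoney", "textfile",
    "moonlight", "concert", "sexy", "information", "news", "note", "number_phone",
    "bill", "mydate", "swimmingpool", "class_photos", "product", "old_photos",
    "topseller", "ps", "important", "shower", "myaunt", "aboutyou", "nomoney",
    "birth", "found", "death", "story", "worker", "mails", "letter", "more",
    "website", "regards", "regid", "friend", "unfolds", "jokes", "doc_ang",
    "your_stuff", "location", "454543403", "final", "schock", "release", "webcam",
    "dinner", "intimate stuff", "sexual", "ranking", "object", "secrets", "mail2",
    "attach2", "part2", "msg2", "disco", "freaky", "visa", "party", "material",
    "misc", "nothing", "transfer", "auction", "warez", "undefinied", "violence",
    "update", "masturbation", "injection", "naked1", "naked2", "tear", "music",
    "paypal", "id", "privacy", "word_doc", "image", "incest",
}
INNER_EXTENSIONS = {"txt", "rtf", "doc", "htm"}       # first half of the double extension
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif"}  # final extension of every worm copy


def is_netsky_stem(stem):
    """True if stem is an Attachment Name or the name_name form from step 12."""
    if stem in ATTACHMENT_NAMES:
        return True
    # Try every underscore as the join point, since some names contain one themselves.
    return any(stem[:i] in ATTACHMENT_NAMES and stem[i + 1:] in ATTACHMENT_NAMES
               for i, ch in enumerate(stem) if ch == "_")


def classify_name(filename):
    """Return ("block" | "inspect" | "allow", reason) for one attachment name."""
    parts = filename.lower().split(".")
    stem, exts = parts[0], parts[1:]
    if not exts:
        return "allow", "no extension"
    if exts[-1] in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in INNER_EXTENSIONS:
            return "block", "executable hiding behind a document-type double extension"
        if is_netsky_stem(stem):
            return "block", "Netsky.C attachment name with executable extension"
        return "block", "executable attachment"   # gateway policy: block all executables
    if exts[-1] == "zip":
        return "inspect", "archive; check its members"
    return "allow", "not an executable"


def classify_zip(data):
    """Apply classify_name to every member of a .zip; block if any member is blocked."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            verdict, reason = classify_name(member.rsplit("/", 1)[-1])
            if verdict == "block":
                return "block", f"{member}: {reason}"
    return "allow", "no executable members"


def build_sample_zip(member_name):
    """Construct an in-memory archive with one harmless text member for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder content, not a worm")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("document_msg.txt.exe", "wife.pif", "setup.exe", "report.pdf", "msg.zip"):
        print(name, "->", classify_name(name))
    print("msg.zip[msg.doc.scr] ->", classify_zip(build_sample_zip("msg.doc.scr")))
```

A real gateway policy would extend EXECUTABLE_EXTENSIONS with the other types named in the recommendations (.vbs, .bat) and would also look at the MIME type rather than trusting the file name alone.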


REMOVAL INSTRUCTIONS

Removal using the W32.Netsky.C@mm Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.C@mm. This is the easiest way to remove this threat and should be tried first.

Manual Removal
The following instructions pertain to all current and recent Norton AntiVirus products:

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete all the files detected as W32.Netsky.C@mm.
  5. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Netsky.C@mm, click Delete.

5. Deleting the value from the registry


WARNING: Back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "ICQ NET" = "%Windir%\winlogon.exe -stealth"

  5. Exit the Registry Editor.
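As an added example (Python, not from this advisory or from Symantec) of checking a machine offline for the indicators in steps 2, 3 and 9 of the technical details, and of confirming that step 5 above actually removed the Run value, the following triages a registry export and a file listing. The export text, the file paths and the size given for the legitimate winlogon.exe are constructed for the example; the 25,352-byte size and the harvest extension list come from the advisory.

```python
"""Added example (not from the advisory): offline host triage for Netsky.C
indicators. Registry export text, paths and the legit file size are constructed."""
import re
from collections import defaultdict

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
NETSKY_C_LENGTH = 25_352  # "Infection Length" stated in the advisory
# Extensions the worm harvests addresses from (step 9).
HARVEST_EXTENSIONS = {
    ".eml", ".txt", ".php", ".pl", ".htm", ".html", ".vbs", ".rtf", ".uin", ".asp", ".wab",
    ".doc", ".adb", ".tbb", ".dbx", ".sht", ".oft", ".msg", ".shtm", ".cgi", ".dhtm",
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers and
    "name"="string" lines. Doubled backslashes are unescaped."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def registry_findings(reg_text):
    """Flag the 'ICQ Net' value from step 3 and any Run entry that starts winlogon.exe."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            low = data.lower()
            if name.lower() == "icq net":
                findings.append(f'{key}: Netsky.C persistence value "{name}" = {data}')
            elif "winlogon.exe" in low and "\\system32\\" not in low:
                # The genuine winlogon.exe lives in System32 and is never a Run entry.
                findings.append(f"{key}: Run entry starts winlogon.exe outside System32: {data}")
    return findings


def file_findings(listing):
    """listing: {path: size}. Flags a winlogon.exe outside System32 (step 2)."""
    findings = []
    for path, size in listing.items():
        p = path.lower()
        if p.endswith("\\winlogon.exe") and "\\system32\\" not in p:
            tag = " (size matches Netsky.C)" if size == NETSKY_C_LENGTH else ""
            findings.append(f"dropped file {path}{tag}")
    return findings


def was_harvested(filename):
    """Step 9's bug: a file is read for addresses when its extension is a
    substring of any harvested extension, so .tx and .t count like .txt."""
    dot = filename.rfind(".")
    if dot < 0:
        return False  # assumption: a file with no extension is not matched
    ext = filename[dot:].lower()
    return any(ext in full for full in HARVEST_EXTENSIONS)


def triage(reg_text, listing):
    return registry_findings(reg_text) + file_findings(listing)


# Constructed samples: before removal, and after removal step 5 above.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''
LEGIT_SIZE = 507_904  # arbitrary constructed size for the real winlogon.exe
INFECTED_FILES = {r"C:\WINDOWS\winlogon.exe": 25_352, r"C:\WINDOWS\System32\winlogon.exe": LEGIT_SIZE}
CLEAN_FILES = {r"C:\WINDOWS\System32\winlogon.exe": LEGIT_SIZE}

if __name__ == "__main__":
    print("before removal:", triage(INFECTED_EXPORT, INFECTED_FILES))
    print("after removal: ", triage(CLEAN_EXPORT, CLEAN_FILES))
```

The mutex from step 1 cannot be seen in an offline export, so a live check of the running system is still needed to be sure the worm is not resident; the size match is only supporting evidence, since a repacked copy would differ.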

©2000-2004 by SurferBeware.com. All rights reserved.
Hosting provided by Digital Crossing, inc.
