Win32/Netsky.K

Created: 2007-06-26, 02:14:40
Last updated on: 2010-11-26, 09:27:25

Platform: Win32
Type: worm
Size: 27648
Date: 2004-03-08

Language: Microsoft Visual C++
Endangered operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Non-endangered operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...

Naming

Different antivirus applications use different names for the same virus or worm. Sometimes one antivirus application identifies the same malware under several names for different copies, or different viruses and worms are identified with the same name. The informative list below contains the names given to this malware by the most popular antivirus applications. Names may also vary between versions of the same antivirus application.

antivirus naming
Avast Win32:Netsky-K
AVG I-Worm/Netsky.K
BitDefender Win32.Netsky.J@mm
e-Trust Win32/Netsky.K
F-PROT W32/Netsky.K@mm
F-Secure Email-Worm.Win32.NetSky.k
Ikarus Email-Worm.Win32.NetSky.K
Kaspersky Email-Worm.Win32.NetSky.k
McAfee W32/Netsky.k@MM(Virus)
Microsoft Win32/Netsky.J@mm
NOD32 (ESET) Win32/Netsky.K
Norton Antivirus W32.Netsky.J@mm
Panda W32/Netsky.K.worm
Rising Antivirus Worm.Netsky.k
Sophos W32/Netsky-K
Trend Micro WORM_NETSKY.K
VirusBuster I-Worm.Netsky.J

organization naming
Wildlist W32/Netsky.K-mm

Installation

The main purpose of viruses and worms spreading on the Internet and on local networks is to infect further computers. After infection, the malware can modify the system so that its code is launched again after a reboot. For this purpose malware usually creates files in the operating system's own folders and modifies the registry so that the operating system executes the malware code at start-up. Malware may also create files in other directories of the file system, and viruses and worms may create AUTORUN.INF files in the root directories of drives; in that case, under the default settings of Windows, the malware is executed automatically as soon as the user opens the root directory of that drive.

The Win32/Netsky.K worm creates the file avpguard.exe in the Windows folder (default: C:\Windows).



The Win32/Netsky.K worm creates the registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "My AV"="C:\WINDOWS\avpguard.exe -av serv", or modifies it if it already exists.

Viruses and worms can also interfere with other malware: to prevent another malware from running, they erase each other's registry entries.

Win32/Netsky.K worm deletes the following entries from the registry:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • more...


Memory-resident viruses and worms usually install themselves in memory only once. For this purpose they can use an operating system feature: they create a mutex and check for its existence before installing their code into memory.

Win32/Netsky.K worm creates the SkYnEt_AVP mutex.
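A defender-side check for the persistence artefacts described above, added here as an example (it is not code from the original page): it parses a constructed regedit export, flags Run values that reference avpguard.exe or use the value name "My AV", and filters a list of mutex names for SkYnEt_AVP. The sample export and the helper names are constructed for the example.

```python
import re

# Indicators taken from the Win32/Netsky.K description above.
WORM_BINARY = "avpguard.exe"          # dropped into the Windows folder
WORM_VALUE_NAME = "My AV"             # Run value the worm creates or overwrites
WORM_MUTEX = "SkYnEt_AVP"             # mutex used to avoid a second instance

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

def parse_reg_export(text):
    """Parse a regedit-style export into {key: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # regedit exports double every backslash; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_netsky_persistence(reg):
    """Return (key, name, data) for Run values naming the worm binary or its value name."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if WORM_BINARY in data.lower() or name == WORM_VALUE_NAME:
                hits.append((key, name, data))
    return hits

def suspicious_mutexes(mutex_names):
    """Filter mutex names (e.g. from a handle listing) for the worm's mutex."""
    return [m for m in mutex_names if m == WORM_MUTEX]

# Constructed sample export (not a dump from an infected machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My AV"="C:\\WINDOWS\\avpguard.exe -av serv"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

Calling find_netsky_persistence(parse_reg_export(SAMPLE_EXPORT)) returns only the "My AV" value; the benign SoundMan and ctfmon.exe entries are left alone.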

E-mail messages

The main aim of worms spreading in e-mail messages is to infect other computers. For this purpose they create and send e-mail messages to various addresses. The body of these messages usually includes the code of the worm, but it is also possible that only a link is placed in the body and the user downloads the worm's code. E-mail worms can create e-mail messages with various parameters.

In order to spread, the Win32/Netsky.K worm creates e-mail messages in ANSI format and forwards its own code.

To spread more effectively, e-mail worms and viruses use the attacked computer not only to forward their code but also to search it for potential e-mail addresses. These addresses are used as the addressee and/or the sender of the message; thus the sender address is forged by the malware.

The Win32/Netsky.K worm searches for e-mail addresses in files with one of the following extensions:

The characteristics of the e-mail messages are the following:

Sender

The sender addresses of the infected e-mails are collected from the attacked computer(s).

Addressee

The worm sends the e-mail messages to the collected addresses.

The worm does not send infected e-mail messages to addresses containing one of the following strings:

  • responder
  • automail
  • noreply
  • iruslis
  • antivir
  • more...

Subject

The potential subjects of the infected e-mail messages are the following:

  • Re: janette_james, thanks!
  • Hi Mrs. greatcustomer
  • Hello user
  • Re: Hello austria, my details
  • Yours faithfully, mssupport
  • more...

Attachment

The name of the attachment in the e-mail message sent by the worm is constructed from multiple parts.

The first part of the name of the attachment in the e-mail message sent by the worm is constructed from the following strings:

  • /alex
  • admin
  • admindocument
  • archivevmlich
  • arrowcomp
  • more...

The second part of the name of the attachment in the e-mail message sent by the worm is constructed from the following strings:

  • admin
  • application
  • arrowcomp
  • details
  • detailsaustria
  • more...

The file extension of the attachment of the e-mail message sent by the worm is pif.
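A mail-gateway triage rule built from the message traits listed above (subjects, first and second attachment-name parts, .pif extension), added as an example and not taken from the original page. It assumes an attachment base name begins with a first-part string and ends with a second-part string, whatever joins them; the lists use only the entries shown on the page, since each list is truncated there, and the sample messages are constructed.

```python
# Strings from the Win32/Netsky.K description; the page truncates each list
# ("more..."), so only the entries shown there are used here.
FIRST_PARTS = ["/alex", "admin", "admindocument", "archivevmlich", "arrowcomp"]
SECOND_PARTS = ["admin", "application", "arrowcomp", "details", "detailsaustria"]
SUBJECTS = {
    "Re: janette_james, thanks!",
    "Hi Mrs. greatcustomer",
    "Hello user",
    "Re: Hello austria, my details",
    "Yours faithfully, mssupport",
}
ATTACHMENT_EXT = ".pif"

def split_attachment_name(filename):
    """Return (first, second) when the base name starts with a known first part,
    ends with a known second part and the extension is .pif; otherwise None.
    Assumption: nothing but an optional separator sits between the two parts."""
    base, dot, ext = filename.rpartition(".")
    if not dot or "." + ext.lower() != ATTACHMENT_EXT:
        return None
    for first in FIRST_PARTS:
        if not base.startswith(first):
            continue
        for second in SECOND_PARTS:
            if base.endswith(second) and len(base) >= len(first) + len(second):
                return (first, second)
    return None

def triage_message(subject, attachments):
    """Collect the Netsky.K traits a message shows; an empty list means none."""
    reasons = []
    if subject in SUBJECTS:
        reasons.append(f"subject matches a known Netsky.K subject: {subject!r}")
    for name in attachments:
        parts = split_attachment_name(name)
        if parts:
            reasons.append(f"attachment {name!r} = {parts[0]!r} + {parts[1]!r} + .pif")
        elif name.lower().endswith(ATTACHMENT_EXT):
            reasons.append(f"attachment {name!r} is a .pif executable")
    return reasons

# Constructed sample messages, not captured worm mail.
SAMPLE_MESSAGES = [
    {"subject": "Re: Hello austria, my details", "attachments": ["admindetails.pif"]},
    {"subject": "Quarterly report", "attachments": ["report.xls"]},
]
```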




Backdoor

Viruses and worms more and more frequently open backdoors on the attacked computer. Thus the attacker can take full control over the machine. In this case the attacker can do whatever s/he wants on the computer: run or stop programs and applications, upload or download files, steal passwords and access codes.

The Win32/Netsky.K worm opens a backdoor on port 26.

Payload functions

Every virus and worm does what its programmer intended. Some malware executes its payload function depending on a particular event; sometimes these functions are executed on specific dates and times.

The Win32/Netsky.K worm executes the following payload functions:

Condition: from 10:00 a.m. until 11:00 a.m. on 10 March 2004
Activity: repeats a sound on the computer

Condition: on 13 March 2004
Activity: displays message windows

Condition: on 16 March 2004
Activity:
  • deletes the following entries from the registry database:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "My AV"="C:\WINDOWS\avpguard.exe -av serv"
    • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "My AV"="C:\WINDOWS\avpguard.exe -av serv"
  • displays message windows

Others

Malware writers very often insert messages and pictures, usually encrypted in some way, into their programs. In many cases we find particular texts in the program code of viruses, worms and other parasites: either the signature of the creator or text fragments used in the operation of the malware (file or directory names etc.). These texts are not always directly recognisable; in most cases they become visible and readable only after decoding the encoded program.

Text(s) in the program code of the Win32/Netsky.K worm which are never displayed:

Skynet AntiVirus - We want to destroy malware writers business, including MyDoom & Bagle. To F-Secure and so on, we do not want damage systems, we only want to avoid that Bagle continues his dirty business. We have respect of your work (Your heuristic scan is not good enough! Make it better). When the beagle and mydoom loose, we wanna stop our activity. thats now. And personal words to mydoom: Your are so shitty i never seen in my life. A Sample is bin laden and saddam. Your are more, more as more. worse than bad, the only worst. I cannot describe you, you're so lame. And to the mydoom thiefs: You will go into the prison next time in texas, nice to meet the bagle author there. Eat my shit, its similar your food, you know. And do not watch too much porn. Last words to all AV firms: We are the Skynet, not netsky! You can use commands on port 26 to deactivate the Skynet!. This is the last version of our antivirus. The source code is available soon. Note that the optimization limit is also reached. You can't get more with smtp engines. bagle and mydoom can continue his dirty impact. the 11th of march is the skynet day.