Method of Infection
Netsky.P is a worm that spreads through e-mail and file sharing. It arrives as a 29,568 byte Win32 executable "dropper", compressed with FSG, which creates and loads a 26,624 byte DLL containing the bulk of the worm code. It also distributes itself inside ZIP archives.
When run, the dropper creates a mutex called "'D'r'o'p'p'e'd'S'k'y'N'e't'", to avoid running multiple copies of itself.
It copies itself to
%Windows%\FVProtect.exe
It also decrypts the DLL stored inside its own file, and writes the result to:
%Windows%\userconfig9x.dll
It then calls the first (and only) function in the DLL. The DLL then takes over.
The worm creates a registry value in order to run the dropper each time Windows starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "%Windows%\FVProtect.exe"
The DLL creates another mutex, called "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_". It creates several other files in the process of propagating itself:
- %Windows%\base64.tmp - A base64 encoded copy of the worm executable, used in e-mail messages
- %Windows%\zipped.tmp - A temporary copy of a ZIP archive containing the worm executable
- %Windows%\zip1.tmp - A base64 encoded copy of a ZIP archive containing the worm
- %Windows%\zip2.tmp - A base64 encoded copy of a ZIP archive containing the worm
- %Windows%\zip3.tmp - A base64 encoded copy of a ZIP archive containing the worm
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory is C:\Winnt for Windows NT and 2000, and C:\Windows for Windows 95, 98, ME and XP.
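A host check for the artifacts listed above, added here as an example; it is not code from the original page or from any vendor tool. It assumes %Windows% can be read from the SystemRoot or windir environment variable, matches the Run value either by its name or by the image it launches, and probes the two mutexes with OpenMutexW. The registry and mutex checks only do anything on Windows, and the sample directory it builds for an offline run is constructed.

```python
"""Check a Windows host for the Netsky.P artifacts described above."""
import ctypes
import ntpath
import os
import sys
import tempfile

# Files, Run value and mutex names taken from the description above.
DROPPED_FILES = ["FVProtect.exe", "userconfig9x.dll", "base64.tmp", "zipped.tmp",
                 "zip1.tmp", "zip2.tmp", "zip3.tmp"]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"
RUN_IMAGE = "fvprotect.exe"
MUTEXES = ["'D'r'o'p'p'e'd'S'k'y'N'e't'", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"]


def windows_dir():
    """%Windows% as the description defines it: ask the OS, do not assume a drive letter."""
    return os.environ.get("SystemRoot") or os.environ.get("windir") or r"C:\Windows"


def present_files(windir):
    """Names from DROPPED_FILES that exist in windir."""
    return [n for n in DROPPED_FILES if os.path.isfile(os.path.join(windir, n))]


def suspicious_run_values(values):
    """values: {name: command} from the Run key. Match on the worm's value name or on the
    launched image, so a renamed value still shows up while it points at FVProtect.exe."""
    hits = []
    for name, command in values.items():
        image = ntpath.basename(str(command)).strip('"').lower()
        if name == RUN_VALUE_NAME or image == RUN_IMAGE:
            hits.append((name, str(command)))
    return hits


def read_run_values():
    """HKLM Run values as {name: data}; empty when not running on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values[name] = data
            i += 1
    return values


def live_mutexes():
    """Worm mutexes currently held by a running process (Windows only)."""
    if sys.platform != "win32":
        return []
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    found = []
    for name in MUTEXES:
        handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
        if handle:               # open succeeds only while some process holds the mutex
            k32.CloseHandle(handle)
            found.append(name)
    return found


def scan(windir=None):
    """Collect all three indicator classes; a hit on any means the dropper ran here."""
    windir = windir or windows_dir()
    return {"files": present_files(windir),
            "run_values": suspicious_run_values(read_run_values()),
            "mutexes": live_mutexes()}


def make_sample_windir():
    """Constructed stand-in for %Windows% holding one dropped file, for an offline run."""
    d = tempfile.mkdtemp(prefix="netsky_p_windir_")
    open(os.path.join(d, "userconfig9x.dll"), "wb").close()
    return d


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else None)
    print(report)
    sys.exit(1 if any(report.values()) else 0)
```

A live mutex means the dropper's process is still running: terminate it before removing the files and the Run value, since the executable and the DLL are in use until then.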
Method of Distribution
Via E-mail
Netsky.P sends itself through e-mail using its own SMTP engine. It spoofs the 'From' address of the message by either inserting one of the e-mail addresses that it harvested from the affected machine or using the address lola@sexnet.com.
Netsky.P is capable of producing a large number of varying messages, by combining different subjects, bodies and attachment names. These are some of the subject lines that the worm can use:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
here
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately
Note: Some of these subject lines may also have "Re:" or "Re: Re:" added to the front.
Some possible message bodies:
Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.
It may add one of the following to the end of the message body:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
Some example attachment names:
message
msg
details
data
document
readme
When attached as an executable file, the attachment name may have a single or double extension. In the case of double extensions, the first may be one of these:
.txt
.doc
The final extension is chosen from this list:
.pif
.exe
.scr
There may also be a large number of spaces between the two extensions.
When attached as a ZIP archive, the extension will always be ".zip". The file inside the archive will have one of the following names:
document.txt .exe
data.rtf .scr
details.txt .pif
The worm may also add "_<name>" to the end of the attachment file name. For example, when sending to tester@domain.com, the attachment may be "msg_tester.zip".
One common form of message used by Netsky.P appears as follows:
Subject:
Mail Delivery (failure <recipient address>)
Body:
If the message will not displayed automatically,
follow the link to read the delivered message.
Received message is available at:
www.<recipient domain>/inbox/<recipient name>/read.php?sessionid-<random number>
Attachment:
message.scr
In the above case, the message body is HTML and attempts to exploit the "Incorrect MIME Header" vulnerability (MS01-020) in Internet Explorer's MIME handling, which Outlook and Outlook Express use to render HTML mail, so that on an unpatched system the attachment runs as soon as the message is viewed, without the user opening it. For a detailed description of this vulnerability and links to the appropriate patches, please visit:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
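Detection logic for the lure formats described above, as an added example that is not from the original page. It flags the hard indicators a mail filter can act on: the fixed spoofed sender, the fake "No Virus found" trailer, an executable attachment (padded double extensions included), a ZIP holding an executable, and an executable attachment declared under a non-application Content-Type, which is the MS01-020 pattern; a subject from the worm's list is only a soft indicator on its own. The three messages it builds are constructed, and the audio/x-wav type used for the mismatch case is an assumption, since the page does not record which type the worm declared.

```python
"""Flag Netsky.P-style lure e-mails given their raw RFC 822 bytes."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".pif", ".exe", ".scr")
SPOOFED_SENDER = "lola@sexnet.com"
# Subjects listed above, lower-cased; "Re:" prefixes are stripped before matching.
LURE_SUBJECTS = {
    "encrypted mail", "extended mail", "status", "notify", "smtp server", "mail server",
    "delivery server", "bad request", "failure", "thank you for delivery", "test",
    "administration", "message error", "error", "extended mail system",
    "secure smtp message", "protected mail request", "protected mail system",
    "protected mail delivery", "secure delivery", "delivery protection",
    "mail authentification", "here", "hi", "hello", "thanks!", "approved", "corrected",
    "patched", "improved", "important", "read it immediately",
}
DELIVERY_FAILURE = re.compile(r"^mail delivery \(failure .+\)$")
FAKE_SCAN = re.compile(r"^\+{3,4} Attachment: No Virus found", re.M)   # fake AV trailer
PADDED_DOUBLE_EXT = re.compile(r"\.(txt|doc|rtf)\s+\.(pif|exe|scr)$", re.I)  # "x.txt   .exe"

def _norm_subject(subject):
    s = (subject or "").strip().lower()
    while s.startswith("re:"):
        s = s[3:].strip()
    return s

def _zip_members(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def assess(raw):
    """Return (hard, soft) indicator lists; any hard indicator means treat it as a lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    hard, soft = [], []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hard.append("sender is the worm's fixed spoofed address")
    subj = _norm_subject(msg.get("Subject"))
    if subj in LURE_SUBJECTS or DELIVERY_FAILURE.match(subj):
        soft.append(f"subject matches lure list: {subj!r}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and FAKE_SCAN.search(body.get_content()):
        hard.append("body carries the fake 'No Virus found' scanner trailer")
    for part in msg.iter_attachments():
        name, ctype = part.get_filename() or "", part.get_content_type()
        if name.lower().endswith(EXEC_EXT):
            hard.append(f"executable attachment {name!r}")
            if PADDED_DOUBLE_EXT.search(name):
                hard.append(f"whitespace-padded double extension in {name!r}")
            if not ctype.startswith("application/"):
                # MS01-020 pattern: executable declared under a harmless media type so
                # an unpatched IE rendering engine runs it when the mail is displayed
                hard.append(f"{name!r} declared as {ctype}, not an application type")
        elif name.lower().endswith(".zip"):
            for member in _zip_members(part.get_content()):
                if member.lower().endswith(EXEC_EXT):
                    hard.append(f"ZIP {name!r} holds executable member {member!r}")
    return hard, soft

def _zip_bytes(member, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def sample_messages():
    """Three constructed messages (not captured traffic): two lures, one benign mail."""
    rcpt, stub = "tester@domain.com", b"MZ\x90\x00" + b"\x00" * 16   # stub: not a real PE
    m1 = EmailMessage()                      # the 'Mail Delivery (failure ...)' HTML form
    m1["From"], m1["To"] = "harvested.user@example.net", rcpt
    m1["Subject"] = f"Mail Delivery (failure {rcpt})"
    m1.set_content("<html><body>If the message will not displayed automatically, follow the "
                   "link to read the delivered message.<br>Received message is available at:"
                   "<br>www.domain.com/inbox/tester/read.php?sessionid-2718</body></html>",
                   subtype="html")
    # audio/x-wav is an assumed mismatched type; the page does not record the one used
    m1.add_attachment(stub, maintype="audio", subtype="x-wav", filename="message.scr")
    m2 = EmailMessage()                      # ZIP form with the fake scanner trailer
    m2["From"], m2["To"] = SPOOFED_SENDER, rcpt
    m2["Subject"] = "Re: Re: Secure SMTP Message"
    m2.set_content("Protected message is attached.\n\n+++ Attachment: No Virus found\n"
                   "+++ Norton AntiVirus - www.symantec.de\n")
    m2.add_attachment(_zip_bytes("data.rtf" + " " * 40 + ".scr", stub),
                      maintype="application", subtype="zip", filename="msg_tester.zip")
    m3 = EmailMessage()                      # benign: lure-like subject, PDF attached
    m3["From"], m3["To"] = "colleague@example.org", rcpt
    m3["Subject"] = "Re: Status"
    m3.set_content("This week's status report is attached.\n")
    m3.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="status.pdf")
    return [m.as_bytes() for m in (m1, m2, m3)]
```

Call `assess(raw)` on each message's bytes; the benign sample returns only the soft subject match, which is why the subject list is not used as a blocking rule on its own.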
The original page shows screenshots of e-mail generated by the worm at this point; they are not reproduced here.
In order to collect e-mail addresses to send itself to, the worm searches through drives a: to z: (except cd-rom drives), in files with the following extensions:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml
The worm discards e-mail addresses containing the following strings:
@microsof
@antivi
@symantec
@spam
@avp
@f-secur
@bitdefender
@norman
@mcafee
@kaspersky
@f-pro
@norton
@fbi
abuse@
@messagel
@skynet
@pandasof
@freeav
@sophos
ntivir
@viruslis
noreply@
spam@
reports@
Via File Sharing
In the process of searching for e-mail addresses, Netsky.P also looks for directories that may be available to other machines, for example, through Windows file sharing or peer-to-peer networks such as Kazaa.
It copies itself into any directory with a name containing any of the following strings:
my shared folder
download
ftp
htdocs
http
upload
shar
icq
bear
lime
morpheus
donkey
mule
kazaa
shared files
In each matching directory, the worm makes copies of itself using each of the following file names:
The Sims 4 beta.exe
Lightwave 9 Update.exe
Ulead Keygen 2004.exe
Smashing the stack full.rtf.exe
Internet Explorer 9 setup.exe
Opera 11.exe
DivX 8.0 final.exe
WinAmp 13 full.exe
Cracks & Warez Archiv.exe
Visual Studio Net Crack all.exe
ACDSee 10.exe
MS Service Pack 6.exe
Clone DVD 6.exe
Magix Video Deluxe 5 beta.exe
Star Office 9.exe
Partitionsmagic 10 beta.exe
Gimp 1.8 Full with Key.exe
Norton Antivirus 2005 beta.exe
Windows 2000 Sourcecode.doc.exe
Keygen 4 all new.exe
3D Studio Max 6 3dsmax.exe
1001 Sex and more.rtf.exe
RFC compilation.doc.exe
Dictionary English 2004 - France.doc.exe
Win Longhorn re.exe
WinXP eBook newest.doc.exe
Learn Programming 2004.doc.exe
How to hack new.doc.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
netsky source code.scr
Ahead Nero 8.exe
Full album all.mp3.pif
Screensaver2.scr
Serials edition.txt.exe
Microsoft Office 2003 Crack best.exe
XXX hardcore pics.jpg.exe
Dark Angels new.pif
Porno Screensaver britney.scr
Best Matrix Screensaver new.scr
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Teen Porn 15.jpg.pif
Microsoft WinXP Crack full.exe
Adobe Photoshop 10 crack.exe
Windows XP crack.exe
Windows 2003 crack.exe
Arnold Schwarzenegger.jpg.exe
Saddam Hussein.jpg.exe
Cloning.doc.exe
American Idol.doc.exe
Eminem Poster.jpg.exe
Altkins Diet.doc.exe
Eminem blowjob.jpg.exe
Ringtones.doc.exe
Eminem sex xxx.jpg.exe
Ringtones.mp3.exe
Eminem Spears porn.jpg.exe
Eminem full album.mp3.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Britney Spears.mp3.exe
Eminem.mp3.exe
Britney Spears full album.mp3.exe
Britney Spears Song text archive.doc.exe
Matrix.mpg.exe
Britney Spears and Eminem porn.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears.jpg.exe
Harry Potter game.exe
Britney Spears fuck.jpg.exe
Harry Potter.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter e book.doc.exe
Britney Spears blowjob.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney sex xxx.jpg.exe
Harry Potter all e.book.doc.exe
Britney Spears porn.jpg.exe
Kazaa new.exe
Britney Spears Sexy archive.doc.exe
Kazaa Lite 4.0 new.exe
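The search pass described in the two passages above (address harvesting with the discard list, and the share-directory match), replayed read-only over a constructed directory tree; this is an added example, not the page's or the worm's code. The address regex is a generic one because the page does not describe the worm's parser, and the directory match is a plain case-insensitive substring test, as the list implies. Run against a mounted volume or image from an infected host, it gives the recipients that would have been targeted and the directories to inspect for dropped copies.

```python
"""Read-only replay of the worm's search pass: addresses it would harvest after its own
exclusion list, and directories it would treat as shares to drop copies into."""
import os
import re
import tempfile

HARVEST_EXT = {".adb", ".asp", ".cgi", ".dbx", ".dhtm", ".doc", ".eml", ".htm", ".html",
               ".jsp", ".msg", ".oft", ".php", ".pl", ".rtf", ".sht", ".shtm", ".tbb",
               ".txt", ".uin", ".vbs", ".wab", ".wsh", ".xml"}
DISCARD = ["@microsof", "@antivi", "@symantec", "@spam", "@avp", "@f-secur", "@bitdefender",
           "@norman", "@mcafee", "@kaspersky", "@f-pro", "@norton", "@fbi", "abuse@",
           "@messagel", "@skynet", "@pandasof", "@freeav", "@sophos", "ntivir", "@viruslis",
           "noreply@", "spam@", "reports@"]
SHARE_DIRS = ["my shared folder", "download", "ftp", "htdocs", "http", "upload", "shar",
              "icq", "bear", "lime", "morpheus", "donkey", "mule", "kazaa", "shared files"]
# Generic address pattern (assumption): the page does not describe the worm's own parser.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def keeps_address(addr):
    """Apply the discard list: plain case-insensitive substring matches, so it is crude
    (e.g. anything at a domain starting with 'spam' or containing 'ntivir' is dropped)."""
    a = addr.lower()
    return not any(s in a for s in DISCARD)


def is_share_dir(name):
    """Directory-name test from the list above: substring match on the name alone."""
    return any(s in name.lower() for s in SHARE_DIRS)


def search(root):
    """Return (harvested addresses, share-like directories relative to root)."""
    addresses, shares = set(), []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_share_dir(d):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                shares.append(rel.replace(os.sep, "/"))
        for f in filenames:
            if os.path.splitext(f)[1].lower() not in HARVEST_EXT:
                continue
            try:
                with open(os.path.join(dirpath, f), "rb") as fh:
                    text = fh.read().decode("latin-1")   # never fails; addresses are ASCII
            except OSError:
                continue
            for m in ADDR.finditer(text):
                if keeps_address(m.group()):
                    addresses.add(m.group().lower())
    return sorted(addresses), sorted(shares)


def build_sample_tree():
    """Constructed directory tree standing in for a user's drive (not real data)."""
    root = tempfile.mkdtemp(prefix="netsky_p_")
    files = {
        "Documents/contacts.txt": "alice@example.com, support@symantec.com, bob@Example.org",
        "Documents/web/index.html": '<a href="mailto:webmaster@example.net">Contact</a> '
                                    "Report misuse to abuse@example.net.",
        "Documents/notes.pdf": "carol@example.com",          # extension is not searched
        "Program Files/Kazaa/My Shared Folder/readme.txt": "no addresses here",
        "Downloads/keep.txt": "",
        "Music/keep.txt": "",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    harvested, drop_dirs = search(build_sample_tree())
    print("would be targeted:", harvested)
    print("would receive copies:", drop_dirs)
```

The sample tree shows the two sides of the discard list: a vendor or abuse mailbox never receives a copy, while an ordinary contact does, and a file with an unlisted extension is never read at all.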