Method of Infection
When executed, Netsky.T copies itself to:
%Windows%\EasyAV.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EasyAV = "%Windows%\EasyAV.exe"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory is C:\Winnt for Windows 2000 and NT, C:\Windows for Windows 95, 98 and ME, and C:\Windows for Windows XP.
It maintains two running processes launched from the same executable. If one process is killed, the other launches another instance. This is intended to make it harder to remove. It also uses two mutex objects (one for each process):
Protect_USUkUyUnUeUtU_Mutex
SyncMutex_USUkUyUnUeUtU
It also creates a further file, %Windows%\uinmzertinmds.opm (which is a Base64 encoded copy of the worm executable).
Method of Distribution
Via E-mail
Netsky.T spreads attached to an e-mail with variable characteristics.
Initially, it searches files with the following extensions on drives C: to Z: (excluding CD-ROM drives) for addresses to send itself to:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
It spoofs the 'From' address of the message by either inserting one of the e-mail addresses that it harvested from the affected machine or using the address hanta@chiva.net.
The e-mails generated by the worm have the following characteristics:
Possible Subjects:
account
postcard
sample
developement
concept
story
report
icq number
e-mail
phone number
personal message
photo document
order
important document
diggest
final version
release
answer
bill
notice
requested document
description
summary
picture document
movie document
approved document
old document
document
mail
letter
homepage
detailed document
powerpoint document
excel document
word document
info
information
text
new document
textfile
user list
improved file
secound document
file
number list
contact list
message
note
improved document
details
instructions
presentation document
abuse list
archive
corrected document
list
approved file
Important
My details
Your information
Your details
Your document
Request
Thank you!
Approved
Hello
Hi
Note: The subject may also have "Re: " at the start.
The body is constructed from several parts. Part 1 is chosen from:
Hi!
Hello!
(blank)
Part 2 is chosen from:
Note that I have attached your document.
My <attachment name>.
The <attachment name>.
I have spent much time for the <attachment name>.
I have spent much time for your document.
Your <attachment name>.
Please notice the attached <attachment name>.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the <attachment name>.
My <attachment name> is attached.
Your <attachment name> is attached.
Please, <attachment name>.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested <attachment name> is attached!
I have sent the <attachment name>.
Please see the <attachment name>.
The <attachment name> is attached.
Here is the <attachment name>.
Please have a look at the <attachment name>.
Please read the <attachment name>.
Note: <attachment name> is the name of the attachment, without the number or extension, and with spaces instead of "_" characters.
Part 3 is chosen from:
Thanks
Thank you
Yours sincerely
(blank)
Possible Attachment names:
account
postcard
sample
developement
concept
story
report
icq_number
e-mail
phone_number
personal_message
photo_document
order
important_document
diggest
final_version
release
answer
bill
notice
requested_document
description
summary
picture_document
movie_document
approved_document
old_document
document
mail
letter
homepage
detailed_document
powerpoint_document
excel_document
word_document
info
information
text
new_document
textfile
user_list
improved_file
secound_document
file
number_list
contact_list
message
note
improved_document
details
instructions
presentation_document
abuse_list
archive
corrected_document
list
approved_file
Each attachment name is followed by a random number from 0 to 9, followed by ".pif". For example:
textfile5.pif
developement9.pif
approved_file2.pif
Note: Netsky.T does not send out any messages between 14 and 16 April, 2004.
Examples of e-mail generated by the worm were shown here as screenshots (not reproduced).
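The subject list, the attachment naming scheme (<name><digit>.pif) and the spoofed sender described above are enough to recognise a Netsky.T message at a mail gateway. The following Python is an added example, not part of the original analysis: it reproduces the page's name lists as constants, recovers the <attachment name> the body templates use, and classifies a message by sender, subject and attachment filename (the function names and the indicator strings are my own).

```python
import re

# Attachment base names from the analysis above; the misspellings
# "developement", "diggest" and "secound" are the worm's own strings.
NETSKY_T_NAMES = (
    "account", "postcard", "sample", "developement", "concept", "story", "report",
    "icq_number", "e-mail", "phone_number", "personal_message", "photo_document",
    "order", "important_document", "diggest", "final_version", "release", "answer",
    "bill", "notice", "requested_document", "description", "summary",
    "picture_document", "movie_document", "approved_document", "old_document",
    "document", "mail", "letter", "homepage", "detailed_document",
    "powerpoint_document", "excel_document", "word_document", "info", "information",
    "text", "new_document", "textfile", "user_list", "improved_file",
    "secound_document", "file", "number_list", "contact_list", "message", "note",
    "improved_document", "details", "instructions", "presentation_document",
    "abuse_list", "archive", "corrected_document", "list", "approved_file",
)
# Subjects are the same words with spaces instead of "_", plus these extras.
EXTRA_SUBJECTS = ("Important", "My details", "Your information", "Your details",
                  "Your document", "Request", "Thank you!", "Approved", "Hello", "Hi")
SUBJECTS = frozenset(n.replace("_", " ") for n in NETSKY_T_NAMES) | frozenset(EXTRA_SUBJECTS)
SPOOFED_SENDER = "hanta@chiva.net"

# <name><exactly one digit>.pif, anchored so that "textfile.pif" or
# "textfile55.pif" do not match; case-insensitive for "Textfile5.PIF".
ATTACHMENT_RE = re.compile(
    r"^(?P<name>" + "|".join(re.escape(n) for n in NETSKY_T_NAMES) + r")[0-9]\.pif$",
    re.IGNORECASE,
)


def attachment_display_name(filename):
    """Recover the <attachment name> used in the body templates: drop the digit
    and extension and replace "_" with spaces. None if not a Netsky.T name."""
    m = ATTACHMENT_RE.match(filename)
    return m.group("name").lower().replace("_", " ") if m else None


def classify(sender, subject, attachment):
    """Return (is_netsky_t, indicators). Only the attachment pattern is
    decisive; subjects such as "Hello" and a harvested sender address are too
    generic alone, so they are reported as supporting indicators only."""
    indicators = []
    attached = bool(ATTACHMENT_RE.match(attachment))
    if attached:
        indicators.append("attachment matches <name><digit>.pif")
    subj = subject[4:] if subject.startswith("Re: ") else subject  # optional "Re: "
    if subj in SUBJECTS:
        indicators.append("subject from Netsky.T list")
    if sender.lower() == SPOOFED_SENDER:
        indicators.append("sender is hanta@chiva.net")
    return attached, indicators
```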
Payload
Backdoor Functionality
Netsky.T opens a backdoor on TCP port 6789. This allows arbitrary executable files to be uploaded to the affected machine and then executed.
Denial of Service
Between 14 and 23 April 2004, Netsky.T launches a denial-of-service attack against the following sites:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
It performs this attack by creating multiple threads, each sending data to TCP port 80 on these addresses.
Analysis by Hamish O'Dea