Virus Detail

Win32.Netsky.U

Date Published:
7 Apr 2004

Last Updated:
19 Apr 2004

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  W32/Netsky.u@MM (McAfee), I-Worm.NetSky.v (Kaspersky)

Immediate Protection Info

Signature      Product
23.64.64       eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8264      eTrust Antivirus v7/8* (Vet Engine)
6.1x/5372      eTrust EZ Antivirus 6.1x
46.64          Inoculan/InoculateIT 4.x
10.5x/5372     Vet Anti-Virus 10.5x
10.6x/8264     Vet Anti-Virus 10.6x

Description

Win32.Netsky.U is a worm that spreads via e-mail. It has been distributed as an 18,432-byte, UPX-packed, encrypted Win32 executable.

Method of Infection

When executed, Netsky.U copies itself to:


%Windows%\SymAV.exe


and modifies the registry to ensure that this copy is executed at each Windows start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SymAV = "%Windows%\SymAV.exe"


Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.


The worm creates a mutex "SyncMutex_USUkUyUnUeUtUU" to ensure only one copy of the worm is running on the system.


It also creates a further file, %Windows%\fuck_you_bagle.txt (which is a Base64 encoded copy of the worm executable).
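The host indicators above (the dropped executable, its Base64 copy and the Run-key value) can be checked with the following triage script, an added example that is not part of the advisory. It assumes the caller resolves %Windows% and supplies the HKLM Run values (via winreg on a live host, or from an exported copy); the sample folder it builds is constructed, not a real infection.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# Host indicators as listed in the advisory above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SymAV"
DROPPED_EXE = "SymAV.exe"
DROPPED_B64 = "fuck_you_bagle.txt"

def is_base64_pe(data: bytes) -> bool:
    """True if data is Base64 text that decodes to a PE image ('MZ' header),
    which is what the worm's .txt drop contains."""
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] == b"MZ"

def triage_windows_dir(windows_dir: str, run_values: dict) -> list:
    """Return the Netsky.U indicators found under windows_dir.
    run_values maps value name -> command for the HKLM Run key; on a live
    Windows host read it with winreg, offline pass an exported copy."""
    findings, win = [], Path(windows_dir)
    if (win / DROPPED_EXE).is_file():
        findings.append("dropped file: " + str(win / DROPPED_EXE))
    b64 = win / DROPPED_B64
    if b64.is_file() and is_base64_pe(b64.read_bytes()):
        findings.append("Base64-encoded executable: " + str(b64))
    cmd = run_values.get(RUN_VALUE, "")
    if cmd.lower().endswith(DROPPED_EXE.lower()):
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {cmd}")
    return findings

def build_sample_dir() -> str:
    """Constructed sample, not a real infection: a fake %Windows% folder
    holding a minimal PE-like stub and its Base64 copy, as the worm writes."""
    d = tempfile.mkdtemp()
    stub = b"MZ\x90\x00" + b"\x00" * 60  # constructed header bytes only
    (Path(d) / DROPPED_EXE).write_bytes(stub)
    (Path(d) / DROPPED_B64).write_bytes(base64.encodebytes(stub))
    return d
```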


Method of Distribution

Via E-mail

Netsky.U spreads attached to an e-mail with variable characteristics.


Initially, it searches files with the following extensions on drives C: to Z: (excluding CD-ROM drives) for addresses to send itself to:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml


It spoofs the 'From' address of the message by either inserting one of the e-mail addresses that it harvested from the affected machine or using the address hanta@chiva.net.


The e-mails generated by the worm have the following characteristics:


Possible Subjects:


Reply
Again
It's me
Hey
Hello
Hi
Re: Hello
Re: Hi


Possible Message bodies:


Abou you?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Naked, you?
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my shit! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
I don't want to see your photo!
Shit... your photo! naked?
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your shitty documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I 've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!


Possible Attachment names:


photo03
your_photo
private_pic
private_photo
about_you
your_bad_photo
xxx_yours_naked
your_private_document
private
yourpic
yournakedpic
pic04
yours
yourimage
yourphoto
yoursnaked
yours_naked
img05
not_permitted
yours_naked_img
yours_funny
listed
detailed
approvdoc
doc_ed
morestory
abuses
mail
story
letter
sexydocument
doc
yetanotherdocument
trieddocument
posteddocument
abusedocument
illegaldocument
doc04
shortdoc
details
alldoc
document_part
anotherdocument
document3
founddocument
your_doc04
onedocument
mydocument
yourdocument
yourdoc
document
morepasswords
cracked_password
easypassword
yourpassword
password
passwords
pwd_list
your_password
your_pwd
yourspwd
pwd
password02
pwds04
pass01
correct_pass


The extension is always ".pif". For example:


posteddocument.pif
abusedocument.pif
illegaldocument.pif


Note: Netsky.U does not send out any messages between 14 and 16 April, 2004.


Please see below for examples of e-mail generated by the worm:

[Screenshots of example e-mails are not reproduced in this text version.]
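A mail-gateway check for the traits above, as an added example that is not part of the advisory: it parses one raw message and reports which of the worm's subjects, the hard-coded spoofed sender, and .pif attachments it finds. The attachment-name set is a subset of the page's list, and the sample message is constructed, not captured from a real infection.

```python
import email
from email import policy

# Indicators from the advisory above (attachment names: a subset of the page's list).
SPOOFED_FROM = "hanta@chiva.net"
SUBJECTS = {"reply", "again", "it's me", "hey", "hello", "hi", "re: hello", "re: hi"}
ATTACHMENT_NAMES = {
    "photo03", "your_photo", "private_pic", "about_you", "yournakedpic",
    "posteddocument", "abusedocument", "illegaldocument", "yourdocument",
    "cracked_password", "yourpassword", "pwd_list", "password02", "pass01",
}
EXTENSION = ".pif"  # the worm always uses this extension

def netsky_u_indicators(raw: bytes) -> list:
    """Match one raw RFC 822 message against the worm's e-mail traits.
    Returns the matched indicators; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject: {subject!r}")
    if SPOOFED_FROM in (msg["from"] or "").lower():
        hits.append("from: hard-coded spoofed sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        base, dot, ext = name.rpartition(".")
        if dot and "." + ext == EXTENSION:
            known = "known" if base in ATTACHMENT_NAMES else "unlisted"
            hits.append(f"attachment: {name} ({known} name, {EXTENSION})")
    return hits

# Constructed sample message, not a capture from a real infection.
SAMPLE = b"""From: someone@example.org
Subject: Re: Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Do not distribute your naked photos!
--b1
Content-Type: application/octet-stream; name="posteddocument.pif"
Content-Disposition: attachment; filename="posteddocument.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```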

Payload

Backdoor Functionality

Netsky.U opens a backdoor on TCP port 6789. This allows arbitrary executable files to be uploaded to the affected machine and then executed.


Denial of Service

Netsky.U launches a DoS attack between 14 and 23 April 2004 against the following sites:


www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us


It performs this attack by creating multiple threads, each sending data to TCP port 80 on these addresses.
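The two network traits of the payload, connections to the backdoor port and a burst of port-80 connections to the listed sites, can be picked out of a connection log as in the following added example, which is not part of the advisory. The log format, the alert threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Network indicators listed in the advisory above.
DOS_TARGETS = {"www.cracks.am", "www.emule.de", "www.kazaa.com",
               "www.freemule.net", "www.keygen.us"}
BACKDOOR_PORT = 6789
DOS_THRESHOLD = 20  # assumed: port-80 connections per source before alerting

# Assumed, constructed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_lines(lines):
    """Yield (timestamp, src, dst, port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_indicators(lines, threshold=DOS_THRESHOLD) -> dict:
    """Return the hosts reached on the backdoor port and the sources whose
    port-80 connections to the DoS targets reach the threshold."""
    backdoor, per_source = set(), Counter()
    for _ts, src, dst, port in parse_lines(lines):
        if port == BACKDOOR_PORT:
            backdoor.add(dst)  # a host accepting connections on TCP 6789
        elif port == 80 and dst.lower() in DOS_TARGETS:
            per_source[src] += 1
    return {"backdoor_hosts": sorted(backdoor),
            "dos_sources": {s: n for s, n in per_source.items() if n >= threshold}}

# Constructed sample log, not real traffic: one flooding host, one normal
# visit below the threshold, one connection to the backdoor port.
SAMPLE_LOG = (
    ["2004-04-15T10:00:%02d 10.0.0.5 -> www.kazaa.com:80" % i for i in range(25)]
    + ["2004-04-15T10:01:00 10.0.0.9 -> www.emule.de:80",
       "2004-04-15T10:02:00 192.0.2.10 -> 10.0.0.7:6789",
       "2004-04-15T10:03:00 10.0.0.5 -> www.example.com:80"]
)
```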


Analysis by Hamish O'Dea

