Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Netsky.Q@mm


Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Detection files published
Description created 29 Mar 2004 11:26:00
Description updated 29 Mar 2004 11:26:00
Malware type WORM
Alias W32/Netsky.Q
Spreading mechanism EMAIL
Summary None



When Netsky.Q is executed it copies itself to %WINDIR%\SysMonXp.exe and creates the following registry value to ensure it is started with Windows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysmonxp = "%WINDIR%\SysMonXP.exe" The worm will then copy its SMTP engine to %WINDIR%\firewalllogger.txt, which is a UPX packed DLL. Netsky will then launch Notepad.exe to display the contents of  “temp.eml", which may or may not exist. Next the worm creates Base64 encoded copies of itself which are stored in the %WINDIR% directory with the following file names:  zipo0.txt zipo1.txt zipo2.txt zipo3.txt base64.tmp In addition to the BASE64 encoded files Netsky.Q will also create the file %WINDIR%\zippedbase64.tmp, which is a WinZip archive containing an uncompressed copy of itself. Netsky then searches for e-mail addresses in files with the following extension:  .ppt .xls .stm .ods .nch .mmf .mht .mdx .mbx .cfg .xml .wsh .jsp .html .htm .pl .dbx .tbb .adb .dhtm .cgi .shtm .uin .rtf .vbs .msg .oft .sht .doc .wab Netsky will check each e-mail address to ensure it does not contain any of these strings:  reports@ spam@ noreply@ @viruslis ntivir @sophos @freeav @pandasof @skynet @messagel abuse@ @fbi @norton @f-pro @kaspersky @mcafee @lumension @bitdefender @f-secur @avp @spam @symantec @antivi @microsof The worm then proceeds to mail itself to all of the harvested e-mail addresses. The subject line, body text and attachment name vary, and are composed from various word-lists. Subject: The subject line is one of the following strings with the recipient name appended in parenthesis:  Server Error    Deliver Mail    Delivery Failed Unknown Exception   Failed Failure Status  Error   Delivered Message   Mail System Mail Delivery System Mail Delivery failure   Delivery    Delivery Failure    Delivery Error Delivery Bot Body: The first part of the body is one of the following strings:  Delivery Agent - Translation failed Delivery Failure - Invalid mail specification   Mail Delivery Failure - This mail couldn't be shown Mail Delivery System - This mail contains binary characters Mail Transaction Failed - This mail couldn't be converted   Mail Delivery Error - This mail contains unicode characters Mail Delivery Failed - This mail couldn't be represented    Mail Delivery - This mail couldn't be displayed The next part of the body is the following string: ------------- failed message -------------  The final section of the body text is one of the following strings:  Received message has been sent as a binary file. Modified message has been sent as a binary attachment.  Received message has been sent as an encoded attachment.    Translated message has been attached.   Message has been sent as a binary attachment.   Received message has been attached. Partial message is available and has been sent as a binary attachment.  The message has been sent as a binary attachment.Netsky may also append a URL to the end of the body text, which will execute the worm if clicked on. The URL is in the format: www.[recipient domain name]/inmail/[recipient user name]/mread.php?sessionid-[random numbers] Attachment: The first part of the attachment name is selected from these strings:  data mail msg message followed by a random number and then one of the following file extensions:  .pif .scr .zip .emlIn most cases where Netsky sends itself in a zip file the attachment name has a .eml extension followed by 100 blank spaces and a .scr extension. This is an attempt to fool people into running the worm.

Payload Details

In an attempt to prevent other worms from running Netsky deletes the following values:  Explorer system. msgsvr32 au.exe winupd.exe direct.exe jijbl Video service DELETE ME d3dupdate.exe OLE Sentry gouday.exe rate.exe Taskmon Windows Services Host sysmon.exe srate.exe ssate.exe Microsoft IE Execute shell Winsock2 driver ICM version yeahdude.exe Microsoft System Checkup From the following keys:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunThe worm will also delete the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32Netsky.Q will also attempt to perform a DoS attack against the following sites between 7-Apr-2004 and 12-Apr-2004 using HTTP GET requests: www.cracks.amNetsky exploits the “Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability within Internet Explorer, which will enable the worm to auto-execute on unpatched systems. For further information on this exploit please see Microsoft Security Bulletin MS01-020.
 Also, on the 30-Mar-2004 between 5:00AM and 11:00AM Netsky.Q will cause the system to beep at a random pitch and frequency every 50 ms.




Netsky.Q is detected and removed with definitions files later than 29-Mar-04. The DLL component is detected as W32/Netsky.P and removed with definition files later than 22-Mar-2004.

Last Updated: 12 Nov 2015 11:06:12