Jövőképzők TudásTár

Win32/NetSky.Q is an internet worm spreading via e-mail messages, P2P networks or shared network drives.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The subdirectory System or System32 placed in %windir% has a name %system%

The worm is in an executable that is nearly 29 kiobytes long. Upon execution it copies itself into the %windir% directory using the name „FVProtect.exe”. It also creates a file called „userconfig9x.dll”, that is 26 kB long. This dynamic library file is then executed.

In order to be run every time the Windows starts, the worm creates Registry entry called „Norton Antivirus AV” in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The new entry contains the path to „FVProtect.exe”.

The following Registry entries are removed by the worm:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijbl HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sentry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe

This way, some older worms can be deactivated, if present on the system.

The following files are created in the %windir% directory: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp. These are used when the e-mail messages are composed.

The worm searches all local disks for directories, that contain some of the following strings in their names:

bear donkey download ftp htdocs http icq kazaa lime morpheus mule my shared folder shar shared files upload

The worm is then copied into such directories using the following names:

1001 Sex and more.rtf.exe 3D Studio Max 6 3dsmax.exe ACDSee 10.exe Adobe Photoshop 10 crack.exe Adobe Photoshop 10 full.exe Adobe Premiere 10.exe Ahead Nero 8.exe Altkins Diet.doc.exe American Idol.doc.exe Arnold Schwarzenegger.jpg.exe Best Matrix Screensaver new.scr Britney sex xxx.jpg.exe Britney Spears and Eminem porn.jpg.exe Britney Spears blowjob.jpg.exe Britney Spears cumshot.jpg.exe Britney Spears fuck.jpg.exe Britney Spears full album.mp3.exe Britney Spears porn.jpg.exe Britney Spears Sexy archive.doc.exe Britney Spears Song text archive.doc.exe Britney Spears.jpg.exe Britney Spears.mp3.exe Clone DVD 6.exe Cloning.doc.exe Cracks & Warez Archiv.exe Dark Angels new.pif Dictionary English 2004 - France.doc.exe DivX 8.0 final.exe Doom 3 release 2.exe E-Book Archive2.rtf.exe Eminem blowjob.jpg.exe Eminem full album.mp3.exe Eminem Poster.jpg.exe Eminem sex xxx.jpg.exe Eminem Sexy archive.doc.exe Eminem Song text archive.doc.exe Eminem Spears porn.jpg.exe Eminem.mp3.exe Full album all.mp3.pif Gimp 1.8 Full with Key.exe Harry Potter 1-6 book.txt.exe Harry Potter 5.mpg.exe Harry Potter all e.book.doc.exe Harry Potter e book.doc.exe Harry Potter game.exe Harry Potter.doc.exe How to hack new.doc.exe Internet Explorer 9 setup.exe Kazaa Lite 4.0 new.exe Kazaa new.exe Keygen 4 all new.exe Learn Programming 2004.doc.exe Lightwave 9 Update.exe Magix Video Deluxe 5 beta.exe Matrix.mpg.exe Microsoft Office 2003 Crack best.exe Microsoft WinXP Crack full.exe MS Service Pack 6.exe netsky source code.scr Norton Antivirus 2005 beta.exe Opera 11.exe Partitionsmagic 10 beta.exe Porno Screensaver britney.scr RFC compilation.doc.exe Ringtones.doc.exe Ringtones.mp3.exe Saddam Hussein.jpg.exe Screensaver2.scr Serials edition.txt.exe Smashing the stack full.rtf.exe Star Office 9.exe Teen Porn 15.jpg.pif The Sims 4 beta.exe Ulead Keygen 2004.exe Visual Studio Net Crack all.exe Win Longhorn re.exe WinAmp 13 full.exe Windows 2000 Sourcecode.doc.exe Windows 2003 crack.exe Windows XP crack.exe WinXP eBook newest.doc.exe XXX hardcore pics.jpg.exe

This enables the worm to spread via P2P networks and other shared resources.

Files with extensions listed below are also searched for:

.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml

Win32/NetSky.Q extracts e-mail addersses from the files. Addresses containing some fo the following strings are avoided.

@antivi @avp @bitdefender @f-pro @f-secur @fbi @freeav @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis abuse@ noreply@ ntivir reports@ spam@

The messages used for spreading the worm are composed using a long list of strings. The address of the sender is either randomly picked from the harvested addresses, or it may be one of the addresses contained in the worm:

[email protected] [email protected] [email protected]

Subject of the message is chosen from the list below:

-do0-i4grjj40j09gjijgp 0i09u5rug08r89589gjrg Administrator approved Congratulations! corrected Do you? Does it matter? Error Fwd: Warning again Hello hello here Hi hi I cannot forget you! I love you! Illegal Website important Important m$6h?3p improved Information Internet Provider Abuse Is that your password? Mail Account Mail Authentication Mail Delivery (failure %s) Mail Delivery (failure) News Notice again patched Postcard Private document Protected Mail System Re: Re: A!p$ghsa Re: Administration Re: Approved document Re: Bad Request Re: Delivery Protection Re: Delivery Server Re: Developement Re: Encrypted Mail Re: Error Re: Error in document Re: Extended Mail Re: Extended Mail System Re: Failure Re: Free porn Re: Hello Re: Hi Re: Is that your document? Re: Its me Re: Mail Authentification Re: Mail Server Re: Message Re: Message Error Re: Notify Re: Old photos Re: Old times Re: Order Re: Proof of concept Re: Protected Mail Delivery Re: Protected Mail Request Re: Protected Mail System Re: Question Re: Re: Re: Request Re: Sample Re: Secure delivery Re: Secure SMTP Message Re: Sex pictures Re: SMTP Server Re: Status Re: Submit a Virus Sample Re: Test Re: Thank you for delivery Re: Virus Sample Re: Your document read it immediately Shocking document Spam Spamed? Stolen document Thank you! thanks! You cannot do that! Your day

Body of the e-mail contains one of the following messages, but it can also be blank.

9u049u89gh89fsdpokofkdpbm3-4i Are you a spammer? (I found your email on a spammer website!?!) Authentication required. Bad Gateway: The message has been attached. Best wishes, your friend. Binary message is available. Can you confirm it? Congratulations!, your best friend. Delivered message is attached. Do not visit this illegal websites! Encrypted message is available. ESMTP [Secure Mail System #334]: Secure message is attached. First part of the secure mail is available. Follow the instructions to read the message. For further details see the attachment. For more details see the attachment. Forwarded message is available. Greetings from france, your friend. Have a look at these. Here is it! Here is my icq list. Here is my phone number. Here is the website. I am shocked about your document! I cannot believe that. I found this document about you. I have attached it to this mail. I have attached the sample. I have attached your document. I have attached your file. Your password is jkl44563. I have corrected your document. I have received your document. The corr I have received your document. The corrected document is attached I have visited this website and I found you in the spammer list. Is that true? I hope the patch works. I hope you accept the result! I noticed that you have visited illegal websites. See the name in the list! Important message, do not show this anyone! Let§us be short: you have no experience in writing letters!!! lovely, Message has been sent as a binary attachment. Monthly news report. My favourite page. New message is available. Now a new message is available. Partial message is available. Please answer quickly! Please authenticate the secure message. Please confirm my request. Please confirm the document. Please confirm! Please r564g!he4a56a3haafdogu#mfn3o <SMTP Error #201>

Please read the attached file! Please read the attached file. Please read the attachment to get the message. Please read the document. Please read the important document. Please see the attached file for details. po44u90ugjid-k9z5894z0 Protected Mail System Test. Protected message is attached. Protected message is available. Requested file. Secure Mail System Beta Test. See the file. See the ghg5%&6gfz65!4Hf55d!46gfgf <Server Error #203>

SMTP: Please confirm the attached message. Thank you for your request, your details are attached! Thanks! The file is protected with the password ghj001. The sample file you sent contains a new virus version of buppa.k. Please update your virus scanner with the attached dat file. Best Regards, Keria Reynolds

The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature. Sincerly, Robert Ferrew

The sample is attached! Try this game Try this, or nothing! Waiting for a Response. Please read the attachment. Waiting for authentification. You got a new message. You have downloaded these illegal cracks?. You have received an extended message. Please read the instructions. You have visited illegal websites. I have a big list of the websites you surfed. You have written a very good text, excellent, good work! You were registered to the pay system. For more details see the attachment. Your archive is attached. your big love, Your bill is attached to this mail. Your details. Your document is attached to this mail. Your document is attached. Your document. Your file is attached. Your important document, correction is finished! Your mail account has been closed. For further details see the document. Your mail account is expired. See the details to reactivate it. Your photo, uahhh…. , you are naked! Your requested mail has been attached.

At the bottom of the message, there can be this text: „+++ Attachment: No Virus found” It is always followed by one of the following lines:

+++ Bitdefender AntiVirus - www.bitdefender.com +++ Kaspersky AntiVirus - www.kaspersky.com +++ MC-Afee AntiVirus - www.mcafee.com +++ MessageLabs AntiVirus - www.messagelabs.com +++ Panda AntiVirus - www.pandasoftware.com ++++ F-Secure AntiVirus - www.f-secure.com ++++ Norman AntiVirus - www.norman.com ++++ Norton AntiVirus - www.symantec.de

Name of the attachment is chosen from the list below. Sometimes it can be also formed by joining two strings from the list.

about_you abuselist abuses abuse_list all_doc01 all_in_all application approved approved archive attach bill confirm corrected d4334938 data data02 data20 datfiles detail3 details details03 details05 doc01 document document01 document04 document05 document07 document09 document342 document43 document_all document_all02c document_with_notice doc_word3 email encrypted_msg01 excel document file game game_xxo id04009 id09509 id43342 important important improved info02 information judge letter letter32 letter43 list list_ed mails9 message msg my my_details my_list01 my_numbers news01 old_photos part6 part_01 patch3425 pgp_sess01 photo postcard priv private_01 product pwd02 readme report01 sample01 screensaver signature software story summary2004 text text01 website websitelist01 websites01 websites03 word document word_doc www.freeporn4all www.myx4free your your_doc your_document

The attachment can either be an executable or a ZIP archive. If it's an EXE file, it has two extensions. The first one is either „.doc” or „.txt”, and the other is „.exe”, „.scr” or „.pif”.

If the attachment is a ZIP archive, its extension is „.zip”. The archive contains the Win32/Netsky.Q executable. The file inside the archive can have three different names:

document.txt .exe data.rtf .scr details.txt .pif

The parts of the e-mail messages are not chosen completely at random. The worm contains some sort of information about the relationship between certain subjects, message bodies and attachment names. Therefore the generated messages usually make sense.

The worm contains a message for the author of the Win32/Bagle worm.

Detection of Win32/Netsky.Q using a sample is added since version 1.685.