Fandom

Virus Information

Netsky

245pages on
this wiki
Add New Page
Talk0 Share
Netsky
Type Multi-vector worm
Creator Sven Jaschan
Date Discovered 2004.02.16
Place of Origin Waffensen, Lower Saxony, Germany
Source Language C++
Platform MS Windows
File Type(s) .exe, .pif, .scr, .zip
Reported Costs $2 billion

Netsky is a worm notable for the fact that it has many variants and was very successful at spreading. It is also notable for its P variant staying at number 1 of many lists of prevalent viruses and worms for two years, with Netsky.D following close behind. Some of its variants deleted other worms, making it a helper. Its creator was also behind the Sasser worm.

BehaviorEdit

Netsky can arrive in an email with six possible spoofed sender lines:

  • Ebay Auctions <responder@ebay.com>
  • Yahoo Auctions <auctions@yahoo.com>
  • Amazon automail <responder@amazon.com>
  • MSN Auctions <auctions@msn.com>
  • QXL Auctions <responder@qxl.com>
  • EBay Auctions <responder@ebay.com>

The subject line reads, "Auction successful!". The message says:

  #----------------- message was sent by automail agent ------------------#
  
  
  Congratulations!


  You were successful in the auction.

  Auction ID       :<3 sets of 4 random numbers>-A
  Product ID       :<3 sets of 4 random numbers>-P

  A detailed description about the product and the bill
  are attached to this mail.
  Please contact the seller immediately.

  Thank you!

The attachment could be one of the following:

  • prod_info_04155.bat
  • prod_info_04650.bat
  • prod_info_33462.cmd
  • prod_info_33967.cmd
  • prod_info_42313.pif
  • prod_info_42314.pif
  • prod_info_42818.pif
  • prod_info_49146.exe
  • prod_info_49541.exe
  • prod_info_54234.scr
  • prod_info_54235.scr
  • prod_info_54739.scr
  • prod_info_33325.txt.exe.zip
  • prod_info_33543.rtf.scr.zip
  • prod_info_34157.htm.exe.zip
  • prod_info_43631.doc.exe.zip
  • prod_info_43859.htm.scr.zip
  • prod_info_47532.doc.scr.zip
  • prod_info_54433.doc.exe.zip
  • prod_info_55761.rtf.exe.zip
  • prod_info_56474.txt.exe.zip
  • prod_info_56780.doc.exe.zip
  • prod_info_65642.rtf.scr.zip
  • prod_info_77256.txt.scr.zip
  • prod_info_87968.htm.scr.zip

When executed, the worm creates a mutex that keeps more than one copy of the worm from running named "AdmMoodownJKIS003". It copies itself to the Windows folder as Services.exe.

Netsky then adds the registry value "Service = (Windows folder)\services.exe -serv" to the Local Machine run key, which causes the worm to run when windows starts. It also deletes the values Taskmon and Explorer from that registry key, as well as the Current user version of that key (These values are set there by the Mydoom worm). It also deletes another Mydoom-created key. It also deletes KasperskyAV and System from the local machine run key.

It then copies itself to the Windows or WINNT folder as one of the filenames used for the attachment in a .zip file (from prod_info_55761.rtf.exe.zip to prod_info_54433.doc.exe.zip).

Netsky searches drives C through Z for folders with names containing "share" or "sharing" and copies itself as one of the following names:

  • doom2.doc.pif
  • sex sex sex sex.doc.exe
  • rfc compilation.doc.exe
  • dictionary.doc.exe
  • win longhorn.doc.exe
  • e.book.doc.exe
  • programming basics.doc.exe
  • how to hack.doc.exe
  • max payne 2.crack.exe
  • e-book.archive.doc.exe
  • virii.scr
  • nero.7.exe
  • eminem - lick my pussy.mp3.pif
  • cool screensaver.scr
  • serial.txt.exe
  • office_crack.exe
  • hardcore porn.jpg.exe
  • angels.pif
  • porno.scr
  • matrix.scr
  • photoshop 9 crack.exe
  • strippoker.exe
  • dolly_buster.jpg.pif
  • winxp_crack.exe

The worm searches for email addresses in files with the following extensions:

  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml

The worm has its own SMTP engine to mass-mail itself.

VariantsEdit

The very successful Netsky.P variant has the ability to infect a computer from the preview pane, similar to Nimda and it deletes registry keys that Mydoom and its variants use to infect and deliver their payloads.

EffectsEdit

Netsky was the most popular worm for over 2 years. The original and most if not all of its variants have a beneficial, rather than destructive payload. A British security consultant company, mi2g claimed that the worm caused between $25.6 billion and $31.3 billion in damage (this company has been widely criticised for its ridiculously high estimates and scare-mongering).

Other FactsEdit

The fact that Netsky has been so successful at spreading is somewhat of a mystery to many anti-malware experts, because of its minimalist social engineering tactics.

Jaschan said that he was trying to develop a worm that would delete other worms, notably Mydoom and Beagle. As some variants of Netsky delete registry key values and other things that those worms use to perform their malicious activities, this is not an outrageous claim. Netsky started a "Worm War" between itself and Mydoom and Beagle. Netsky.J was to be the last version of Netsky, but other variants did follow.

Netsky and its variants were at the top of the virus/worm charts for two years. When it began spreading in Spring of 2004, it had tough competition from Beagle, with Mydoom close behind. It was finally beaten by Warezov, also known as Stration, in October of 2006.

SourcesEdit

Yana Liu. Symantec.com, W32.Netsky@mm

INQUIRER newsdesk. The Inquirer Net's top malware targets Vista. 2006.11.30

John Leyden. The Register, "Netsky Tops Virus Charts by a Country Mile". 2004.04.01

-. -, NetSky author signs off. 2003.03.10

-. -, "German Police Arrest Sasser Worm Suspect". 2004.05.10

David Berlind. ZDNet, Ballmer seeing last 12 months through rose-colored glasses?. 2004.10.04

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.