FRISK Software International


Summary of W32/Netsky.B@mm
Alias:I-worm.Moodown.b
Length: 22KB
Discovered: 18 Feb 2004
Definition files: 18 Feb 2004
Risk Level: High
Distribution:High
 

Brief Description
This is a mass mailer that uses its own mail engine; it attempts to improve spreading by copying itself to directories called "Share" or "Sharing". The attachments can be zip files or have double extensions.


Technical Description
This is a mass mailer that uses its own mail engine; it attempts to improve spreading by copying itself to directories called "Share" or "Sharing". The attachments can be zip files or have double extensions.

When executed, the worm checks whether it is already resident in memory. If so, it terminates; otherwise it displays a dialog box (shown below).



After the user closes that dialog box, the worm creates a copy of itself in the Windows directory named services.exe. It registers itself so that it is executed on every startup, by adding a value called "service" to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\


It also attempts to disable certain software by removing the following values from the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KasperskyAv
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KasperskyAv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer
    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Taskmon


To create forged e-mails, the worm harvests e-mail addresses from files with the following extensions. It sends itself to the addresses found and also uses them to spoof the sender address.

    .msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml


The text of the mail body is selected at random from the strings below.

    something is fool
    something is going wrong
    you are bad you try to steal
    you feel the same
    you earn money
    thats wrong
    why?
    take it easy
    reply
    do you?
    that's funny
    here, the cheats
    here, the introduction
    here, the serials
    from the chatter
    about me
    information about you
    something is going wrong!
    stuff about you?
    greetings
    see you
    here it is
    that is bad
    yes, really?
    i found this document about you your name is wrong
    i hope it is not true!
    kill the writer of this document!
    something about you!
    I have your password!
    you are a bad writer
    is that from you?
    i wait for a reply!
    is that your account?
    is that your name?
    is that true?
    here
    my hero
    read it immediately!
    here is the document.
    read the details.
    i'm waiting
    ok what does it mean?
    anything ok?


And the subject can be one of the following words/sentences:

    unknown
    fake
    stolen
    information
    warning
    something for you
    read it immediately
    hello
    hi


The attachment name is selected from the list below. At random the worm adds a double extension, for example ranking.doc.pif; the attachment can also be a zip archive.

    misc
    party
    disco
    part2
    mail2
    object
    ranking
    dinner
    release
    final
    location
    jokes
    friend
    website
    mails
    story
    found
    nomoney
    aboutyou
    shower
    ps
    topseller
    product
    swimmingpool
    bill
    note
    concert
    textfile
    posting stuff
    me
    attachment
    details
    creditcard
    message
    talk
    doc
    msg
    document


The worm tries to improve its spreading by copying itself to every directory called "Share" or "Sharing".
It goes through drives A to Z on the local machine searching for those directories. When found, it copies itself into them using the following file names.

    winxp_crack.exe
    dolly_buster.jpg.pif
    strippoker.exe
    photoshop 9 crack.exe
    matrix.scr
    porno.scr
    angelis.pif
    hardcore porn.jpg.exe
    office_crack.exe
    serial.txt.exe
    cool screensaver.scr
    eminem - lick my pussy.mp3.pif
    nero.7.exe
    virii.scr
    e-book.archive.doc.exe
    max payne 2.crack.exe
    how to hack.doc.exe
    programming basics.doc.exe
    e.book.doc.exe
    win longhorn.doc.exe
    dictionary.doc.exe
    rfc compilation.doc.exe
    sex sex sex sex.doc.exe
    doom2.doc.pif
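A defender's filesystem check for the behaviour just described, as an added Python example that is not part of the FRISK page: it walks a given root (one drive, in the page's terms), looks for directories named Share or Sharing, and flags files that either carry one of the listed names or show the double-extension pattern the page describes. The scanned root and the sample directory tree are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# A few of the file names the page lists for copies dropped into Share/Sharing folders.
KNOWN_DROP_NAMES = {"winxp_crack.exe", "dolly_buster.jpg.pif", "serial.txt.exe",
                    "rfc compilation.doc.exe", "doom2.doc.pif"}
EXEC_EXTS = {".exe", ".pif", ".scr"}
TARGET_DIRS = {"share", "sharing"}


def is_double_extension(name: str) -> bool:
    """True for names like ranking.doc.pif: a decoy suffix followed by an executable one."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in EXEC_EXTS


def scan_share_dirs(root: str) -> List[str]:
    """Walk root and return root-relative paths of suspicious files found
    directly inside directories named Share or Sharing (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() not in TARGET_DIRS:
            continue
        for fn in filenames:
            if fn.lower() in KNOWN_DROP_NAMES or is_double_extension(fn):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a throwaway tree resembling a P2P share (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    for rel in ("Share/dolly_buster.jpg.pif", "Share/holiday.jpg",
                "Sharing/notes.doc.exe", "Sharing/readme.txt",
                "Documents/serial.txt.exe"):   # outside Share/Sharing: out of scope here
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in scan_share_dirs(demo_root):
        print("suspicious file in shared folder:", hit)
```

The double-extension test is a heuristic and will also flag legitimate names such as nero.7.exe; treat the output as a triage list, not a verdict.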


Removal Instructions

If you run the OnDemand Scanner regularly, it can be used to disinfect, but some viruses, such as Netsky.B@mm, cannot be disinfected from within Windows. This is because the virus infects files that Windows uses while running, so F-Prot Antivirus cannot access those files to disinfect them. It is therefore necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the command-line scanner (for Windows NT/2000/XP).

For general disinfection help click here.

After disinfection remove this value from the registry.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "service"="C:\\WINDOWS\\services.exe -serv"
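The persistence value described under Technical Description and listed above can be checked offline against a registry export. This is an added Python example, not FRISK's code: the key path and the `services.exe -serv` pattern follow the page, and the .reg text is a constructed sample.

```python
import re
from typing import List, Tuple

# Constructed sample .reg export (not from the page): one legitimate Run entry
# plus the persistence value the page says W32/Netsky.B@mm adds.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeLegitTool"="C:\\Program Files\\LegitTool\\tool.exe"
"service"="C:\\WINDOWS\\services.exe -serv"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# The worm's copy sits directly in the Windows directory and is started with
# "-serv"; the genuine services.exe lives in System32 and is not launched via Run.
SUSPECT_DATA = re.compile(r"^[a-z]:\\windows\\services\.exe\s+-serv$", re.IGNORECASE)


def parse_reg_values(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for string values in a .reg export."""
    triples = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files write a backslash as "\\"; undo that escaping.
                triples.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return triples


def find_netsky_persistence(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) for Run values matching the Netsky.B indicator."""
    hits = []
    for key, name, data in parse_reg_values(text):
        if (key.lower() == RUN_KEY.lower() and name.lower() == "service"
                and SUSPECT_DATA.match(data)):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_netsky_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data}")
```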

Guidelines on Safe Computing
  • Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly.


  • Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.


  • Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.


  • If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.


  • Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet. For more information click here.


  • Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.


  • Scan all files that you receive through the IRC, MSN, ICQ, Kazaa and other such on-line services.


  • Use software that detects ad-ware and spyware. For more information click here.

Ragnar Gisli - Senior virus researcher FRISK Software International
 

