FRISK Software International


Summary of W32/Netsky.P@mm
Alias: I-Worm.Moodown.p, Win32.Netsky.P, W32/Netsky.p@MM
Discovered: 21 Mar 2004
Definition files: 21 Mar 2004
Risk Level: High
Distribution: High
 

Brief Description
Netsky.P@mm is UPX packed and spreads by sending itself as an e-mail attachment. The attachment is an FSG-packed dropper that writes out the UPX-packed Netsky.P@mm. It also tries to propagate through P2P services such as Kazaa and Morpheus to widen its distribution. To avoid being detected and/or removed, it disables certain services and programs by preventing them from starting at reboot.


Technical Description
The worm consists of two parts: the dropper and the e-mail worm itself. The dropper's role is to conceal the actual virus, or at least to try to. It attempts this by keeping the worm code encrypted in its resource section. When executed, the dropper loads the encrypted worm code, decrypts it and writes it to the Windows directory; the worm is dropped as a DLL. To make sure the file goes to the right directory on every Windows platform, the dropper uses the return value of the API function GetWindowsDirectoryA. It is vital for the worm file to be in the Windows directory because the dropper uses the LoadLibraryA function to load the worm code into memory and then calls a certain function from that code to execute the worm.

After the worm code has been started, it does the following.

It creates a value called "Norton Antivirus AV" in the following registry key; the value points to the worm file that the dropper placed in the Windows directory under the name FVProtect.exe.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

It creates a mutex named "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to know whether it is already running. If so, it terminates the current process.

It creates several files in the Windows directory, both ready-made templates and copies of the worm:

    'zip3.tmp'
    'details.txt . pif'
    'zip2.tmp'
    'data.rtf .scr'
    'zip1.tmp'
    'document.txt .exe'
    'base64.tmp'

Double extensions are used for some of those files; the purpose is to fool the user into clicking on a file while thinking it is not an executable.
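The persistence value, the mutex and the dropped file names above are host-side indicators that an incident responder can check directly. The Python below is an added example and not F-Prot's code: the Run value name, the file names, the Windows-directory location and the mutex name are taken from the description, the SAMPLE_* data is constructed, and the live collection (winreg, OpenMutexW) only runs on Windows.

```python
"""Host indicator check for the Netsky.P artefacts described above.
Added example, not F-Prot's code. Indicator values come from the description;
SAMPLE_* data is constructed."""
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"
WORM_FILE = "fvprotect.exe"
MUTEX_NAME = "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
DROPPED_FILES = {
    "zip1.tmp", "zip2.tmp", "zip3.tmp", "base64.tmp",
    "details.txt . pif", "data.rtf .scr", "document.txt .exe",
}


def run_key_indicators(values):
    """values: mapping of Run-key value name -> command string.
    Flags the worm's own value name and any entry that launches FVProtect.exe."""
    hits = []
    for name, data in values.items():
        cmd = data.strip()
        if cmd.startswith('"'):
            cmd = cmd[1:].split('"', 1)[0]  # quoted path; arguments follow the closing quote
        else:
            cmd = cmd.split(" ", 1)[0]      # unquoted path ends at the first space
        # Normalise separators so the check also works when run off-Windows.
        exe = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RUN_VALUE_NAME or exe == WORM_FILE:
            hits.append(f"Run value {name!r} -> {data!r}")
    return hits


def dropped_file_indicators(windir_listing):
    """windir_listing: file names in %WINDIR%; returns those on the drop list, sorted."""
    wanted = DROPPED_FILES | {WORM_FILE}
    return sorted(n for n in windir_listing if n.lower() in wanted)


def mutex_present():
    """True if the worm's mutex exists (Windows only; always False elsewhere)."""
    if sys.platform != "win32":
        return False
    import ctypes
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if not handle:
        return False
    ctypes.windll.kernel32.CloseHandle(handle)
    return True


def collect_live():
    """Read the real Run key and %WINDIR% on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    windir = os.environ.get("WINDIR", r"C:\Windows")
    hits = run_key_indicators(values) + dropped_file_indicators(os.listdir(windir))
    if mutex_present():
        hits.append(f"mutex {MUTEX_NAME!r} is present")
    return hits


# Constructed sample data standing in for a live Windows host.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Norton Antivirus AV": r"C:\WINDOWS\FVProtect.exe",
}
SAMPLE_WINDIR = ["explorer.exe", "FVProtect.exe", "zip1.tmp", "base64.tmp", "win.ini"]

if __name__ == "__main__":
    for line in run_key_indicators(SAMPLE_RUN_VALUES) + dropped_file_indicators(SAMPLE_WINDIR):
        print(line)
```

The pure functions take a Run-key mapping and a directory listing so they can be exercised against exported data from any platform; collect_live() wires them to the real registry and %WINDIR% on a Windows host.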

Then it creates a thread that scans drives from C: to Z:, skipping CD-ROM drives. It uses a crude method to locate certain directories: if it encounters a directory whose name contains any of the strings below, it copies itself into that directory.

    my shared folder
    kazaa
    mule
    donkey
    morpheus
    lime
    bear
    icq
    shar
    upload
    http
    htdocs
    ftp
    download

It uses one of the following names for the copied files. Many of them still use double extensions to increase the likelihood of being executed by an unsuspecting user.
    Kazaa Lite 4.0 new.exe
    Britney Spears Sexy archive.doc.exe
    Kazaa new.exe
    Britney Spears porn.jpg.exe
    Harry Potter all e.book.doc.exe
    Britney sex xxx.jpg.exe
    Harry Potter 1-6 book.txt.exe
    Britney Spears blowjob.jpg.exe
    Harry Potter e book.doc.exe
    Britney Spears cumshot.jpg.exe
    Harry Potter.doc.exe
    Britney Spears fuck.jpg.exe
    Harry Potter game.exe
    Britney Spears.jpg.exe
    Harry Potter 5.mpg.exe
    Britney Spears and Eminem porn.jpg.exe
    Matrix.mpg.exe
    Britney Spears Song text archive.doc.exe
    Britney Spears full album.mp3.exe
    Eminem.mp3.exe
    Britney Spears.mp3.exe
    Eminem Song text archive.doc.exe
    Eminem Sexy archive.doc.exe
    Eminem full album.mp3.exe
    Eminem Spears porn.jpg.exe
    Ringtones.mp3.exe
    Eminem sex xxx.jpg.exe
    Ringtones.doc.exe
    Eminem blowjob.jpg.exe
    Altkins Diet.doc.exe
    Eminem Poster.jpg.exe
    American Idol.doc.exe
    Cloning.doc.exe
    Saddam Hussein.jpg.exe
    Arnold Schwarzenegger.jpg.exe
    Windows 2003 crack.exe
    Windows XP crack.exe
    Adobe Photoshop 10 crack.exe
    Microsoft WinXP Crack full.exe
    Teen Porn 15.jpg.pif
    Adobe Premiere 10.exe
    Adobe Photoshop 10 full.exe
    Best Matrix Screensaver new.scr
    Porno Screensaver britney.scr
    Dark Angels new.pif
    XXX hardcore pics.jpg.exe
    Microsoft Office 2003 Crack best.exe
    Serials edition.txt.exe
    Screensaver2.scr
    Full album all.mp3.pif
    Ahead Nero 8.exe
    netsky source code.scr
    E-Book Archive2.rtf.exe
    Doom 3 release 2.exe
    How to hack new.doc.exe
    Learn Programming 2004.doc.exe
    WinXP eBook newest.doc.exe
    Win Longhorn re.exe
    Dictionary English 2004 - France.doc.exe
    RFC compilation.doc.exe
    1001 Sex and more.rtf.exe
    3D Studio Max 6 3dsmax.exe
    Keygen 4 all new.exe
    Windows 2000 Sourcecode.doc.exe
    Norton Antivirus 2005 beta.exe
    Gimp 1.8 Full with Key.exe
    Partitionsmagic 10 beta.exe
    Star Office 9.exe
    Magix Video Deluxe 5 beta.exe
    Clone DVD 6.exe
    MS Service Pack 6.exe
    ACDSee 10.exe
    Visual Studio Net Crack all.exe
    Cracks & Warez Archiv.exe
    WinAmp 13 full.exe
    DivX 8.0 final.exe
    Opera 11.exe
    Internet Explorer 9 setup.exe
    Smashing the stack full.rtf.exe
    Ulead Keygen 2004.exe
    Lightwave 9 Update.exe
    The Sims 4 beta.exe

While scanning the drives it also searches for files with the following extensions and harvests e-mail addresses from them for mass-mailing.
    .xml
    .wsh
    .jsp
    .msg
    .oft
    .sht
    .dbx
    .tbb
    .adb
    .dhtm
    .cgi
    .shtm
    .uin
    .rtf
    .vbs
    .doc
    .wab
    .asp
    .php
    .txt
    .eml
    .html
    .htm

The mailing routine does not send messages to addresses that contain any of the strings below; the likely reason was to delay detection of the worm.

@microsof, @antivi, @symantec, @spam, @avp, @f-secur, @bitdefender, @norman, @mcafee, @kaspersky, @f-pro, @norton, @fbi, buse@, @messagel, @skynet, @pandasof, @freeav, @sophos, @antivir, @viruslis, noreply@, spam@, reports@

Here is the list of possible e-mail subjects.
    Re: Encrypted Mail
    Re: Extended Mail
    Re: Status
    Re: Notify
    Re: SMTP Server
    Re: Mail Server
    Re: Delivery Server
    Re: Bad Request
    Re: Failure
    Re: Thank you for delivery
    Re: Test
    Re: Administration
    Re: Message Error
    Re: Error
    Re: Extended Mail System
    Re: Secure SMTP Message
    Re: Protected Mail Request
    Re: Protected Mail System
    Re: Protected Mail Delivery
    Re: Secure delivery
    Re: Delivery Protection
    Re: Mail Authentification
    Re: Virus Sample
    Re: Submit a Virus Sample
    Re: Sex pictures
    Re: A!p$ghsa
    Re: Its me
    Re: Question
    Re: Request
    Internet Provider Abuse
    Is that your password?
    Administrator
    Spam
    Mail Authentication
    You cannot do that!
    Re: Your document
    Error
    I cannot forget you!
    I cannot believe that.
    Stolen document
    Your day

Note that the subjects below can have "Re: " or "Re: Re: " in front of them.
    hi
    hello
    thanks!
    approved
    corrected
    patched
    improved
    Notice again
    important
    read it immediately

The words "my", "approved" and "important" are randomly put in front of the following strings to form the subject line; these strings can also be used in the body of the e-mail.
    document
    file
    details
    information
    letter
    product
    website
    application
    screensaver
    bill
    word document
    excel document
    data
    message
    text
    document_all

The body can contain one of the following sentences.
    Authentication required.
    Bad Gateway: The message has been attached.
    Delivered message is attached.
    You have downloaded these illegal cracks?.
    Encrypted message is available.
    ESMTP [Secure Mail System #334]: Secure message is attached
    First part of the secure mail is available.
    Follow the instructions to read the message.
    For further details see the attachment.
    For more details see the attachment.
    Do not visit this illegal websites!
    Are you a spammer? (I found your email on a spammer website!?!)
    Forwarded message is available.
    Thanks!
    I have attached it to this mail.
    Here is it!
    I have attached your document.
    I have received your document. The corrected document is attached.
    New message is available.
    Now a new message is available.
    Partial message is available.
    Please authenticate the secure message.
    Please confirm my request.
    Please confirm the document.
    Please read the attached file!
    Please read the attachment to get the message.
    Please read the document.
    Please read the important document.
    Please see the attached file for details.
    Protected Mail System Test.
    Protected message is attached.
    Protected message is available.
    Rquested file.
    Secure Mail System Beta Test.
    See the file.
    SMTP: Please confirm the attached message.
    Waiting for a Response. Please read the attachment.
    Waiting for authentification.
    You got a new message.
    You have received an extended message. Please read the instructions.
    Your details.
    Your document is attached to this mail.
    Your document is attached.
    Your document.
    Your file is attached.
    You have written a very good text, excellent, good work!
    Please r564g!he4a56a3haafdogu#mfn3o
    Your requested mail has been attached.
    The sample file you sent contains a new virus version of buppa.k. Please update your virus scanner with the attached dat file.
    The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature.
    Message has been sent as a binary attachment
    The file is protected with the password ghj001.
    I have attached your file. Your password is jkl44563.
    I noticed that you have visited illegal websites.
    My favourite page.
    your big love, ;-)
    Here is my phone number.
    Congratulations! your best friend.
    I found this document about you.
    Your mail account is expired. See the details to reactivate it.
    Try this game ;-)
    I hope the patch works.
    Your mail account has been closed. For further details see the document.
    Please answer quickly!
    Please confirm!
    Thank you for your request, your details are attached!
    You were registered to the pay system. For more details see the attachment.
    Let'us be short: you have no experience in writing letters!!!
    See the ghg5%&6gfz65!4Hf55d!46gfgf
    Please r564g!he4a56a3haafdogu#mfn3o
    do0i4grjj40j09gjijgpndT
    0i09u5rug08r89589gjrg

The following fake e-mail scanning reports are sometimes appended to the end of the message body.
    +++ Attachment: No Virus found
    +++ MessageLabs AntiVirus - www.messagelabs.com


    +++ Attachment: No Virus found
    +++ Bitdefender AntiVirus - www.bitdefender.com


    +++ Attachment: No Virus found
    +++ MC-Afee AntiVirus - www.mcafee.com


    +++ Attachment: No Virus found
    +++ Kaspersky AntiVirus - www.kaspersky.com


    +++ Attachment: No Virus found
    +++ Panda AntiVirus - www.pandasoftware.com


    ++++ Attachment: No Virus found
    ++++ Norman AntiVirus - www.norman.com


    ++++ Attachment: No Virus found
    ++++ F-Secure AntiVirus - www.f-secure.com


    ++++ Attachment: No Virus found
    ++++ Norton AntiVirus - www.symantec.de

The attachment name can be one of the following.
    about_you
    abuselist
    all_doc01
    all_in_all
    approved
    archive
    corrected
    d4334938
    data
    data02
    data20
    datfiles
    detail3
    details
    doc01
    document
    document_all02c
    document01
    document04
    document43
    game_xxo
    improved
    letter
    letter32
    list
    mails9
    msg
    my_details
    my_list01
    my_numbers
    part6
    pgp_sess01
    Postcard
    priv
    private_01
    pwd02
    readme
    signature
    summary2004
    websites03
    word_doc
    www.myx4free
    your_doc
    your_document

The attachment names can have double extensions separated by numerous spaces. The first extension is either ".doc" or ".txt", and the second is one of ".zip", ".scr", ".exe" or ".pif".
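The message shape described above (a subject from the list, a fake scanner footer in the body, and an attachment whose decoy extension is separated from the real executable extension by spaces) can be checked mechanically on a mail gateway. The Python below is an added example and not F-Prot's code: the subject and attachment-name sets are subsets of the lists on this page, SAMPLE_RAW is a constructed message, and the scoring weights are my own assumption.

```python
"""Mail-gateway heuristic for the Netsky.P message shapes described above.
Added example, not F-Prot's code; SAMPLE_RAW is a constructed message and the
scoring weights are an assumption."""
import email
import re

# Subjects quoted from the description (a subset of the full list on the page).
KNOWN_SUBJECTS = {
    "re: encrypted mail", "re: secure smtp message", "re: protected mail delivery",
    "re: virus sample", "re: submit a virus sample", "is that your password?",
    "mail authentication", "stolen document", "re: your document",
}
# Attachment base names quoted from the description (subset).
KNOWN_ATTACHMENT_NAMES = {
    "about_you", "abuselist", "my_details", "pwd02", "signature",
    "summary2004", "your_document", "document_all02c",
}
# Fake scanner footer the worm appends to the body ("+++ Attachment: No Virus found").
FAKE_SCAN_RE = re.compile(r"^\+{3,}\s*Attachment: No Virus found", re.MULTILINE)
# "<name>.doc|.txt<spaces>.zip|.scr|.exe|.pif". The page says the gap is many
# spaces; one or more is matched here so a single space does not slip through.
PADDED_EXT_RE = re.compile(
    r"^(?P<base>\S+?)(?P<decoy>\.(?:doc|txt))\s+(?P<real>\.(?:zip|scr|exe|pif))$",
    re.IGNORECASE,
)
EXEC_EXTS = {".exe", ".scr", ".pif"}


def attachment_indicator(filename):
    """Return a reason string if the name matches the worm's naming scheme, else None."""
    m = PADDED_EXT_RE.match(filename)
    if m:
        return f"padded double extension {m['decoy']!r} ... {m['real']!r}"
    base, dot, ext = filename.rpartition(".")
    if dot and ("." + ext).lower() in EXEC_EXTS and base.lower() in KNOWN_ATTACHMENT_NAMES:
        return f"known attachment name {base!r} with executable extension .{ext}"
    return None


def scan_message(raw):
    """Parse a raw RFC 822 message; return (suspicious, score, reasons)."""
    msg = email.message_from_bytes(raw)  # compat32 policy: plain string headers
    findings = []  # (weight, reason)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append((1, f"subject {subject!r} is in the worm's subject list"))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            hit = attachment_indicator(part.get_filename() or "")
            if hit:
                findings.append((2, hit))
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "us-ascii", "replace")
            if FAKE_SCAN_RE.search(text):
                findings.append((1, "body carries a fake 'No Virus found' scanner footer"))
    score = sum(w for w, _ in findings)
    return score >= 2, score, [r for _, r in findings]


# Constructed sample message; the attachment payload is just the word "constructed".
SAMPLE_RAW = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Re: Secure SMTP Message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

ESMTP [Secure Mail System #334]: Secure message is attached

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.txt                    .pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--XYZ--
"""

if __name__ == "__main__":
    suspicious, score, reasons = scan_message(SAMPLE_RAW)
    print(suspicious, score)
    for reason in reasons:
        print(" -", reason)
```

The padded-extension rule alone is enough to reach the threshold, because no legitimate mailer produces such names; the subject and footer matches are weaker on their own and only count together.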


Ragnar Gisli - Senior Virus Researcher