Panda Security Virus Encyclopedia

Netsky.P

 
Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Netsky.P deletes the registry entries that belong to several other worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.

Infection strategy

Netsky.P creates the following files in the Windows directory:

  • FVPROTECT.EXE. This file is a copy of the worm.
  • USERCONFIG9X.DLL. This file is a DLL (Dynamic Link Library) that implements the worm's functionality.
  • ZIP1.TMP, ZIP2.TMP and ZIP3.TMP. These files in MIME format contain a copy of the worm compressed in ZIP format.
  • ZIPPED.TMP. This file compressed in ZIP format contains a copy of the worm.
  • BASE64.TMP. This file in MIME format contains a copy of the worm.

Netsky.P creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Norton Antivirus AV = %windir%\FVProtect.exe

    where %windir% is the Windows directory.
    By creating this entry, Netsky.P ensures that it is run whenever Windows is started.

Netsky.P deletes the following entries in the Windows Registry, if present:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Taskmon
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Taskmon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    msgsvr32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DELETE ME
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    au.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winupd.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winupd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    direct.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    direct.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    jijbl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Video
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Video
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    gouday.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    rate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sysmon.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    srate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ssate.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    service
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sentry
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    PINF
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
  • HKEY_CURRENT_USER\Windows Services Host
  • HKEY_LOCAL_MACHINE\Windows Services Host
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    These entries belong to other worms, such as Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.

Means of transmission

Netsky.P spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

  • It reaches the computer in an e-mail message whose characteristics vary widely. Netsky.P builds the message using one of two methods, each with several options:

    Sender:
    Regardless of the method used, Netsky.P forges (spoofs) the address the message is sent from, so the apparent sender is not the real origin of the message. This may cause confusion.

    Method A:

    Subject:
    Option 1: the worm selects one of the following hard-coded items:
    Re: Administration
    Re: Bad Request
    Re: Delivery Protection
    Re: Delivery Server
    Re: Encrypted Mail
    Re: Error
    Re: Extended Mail
    Re: Extended Mail System
    Re: Failure
    Re: Mail Authentification
    Re: Mail Server
    Re: Message Error
    Re: Notify
    Re: Protected Mail Delivery
    Re: Protected Mail Request
    Re: Protected Mail System
    Re: Secure delivery
    Re: Secure SMTP Message
    Re: SMTP Server
    Re: Status
    Re: Test
    Re: Thank you for delivery

    Option 2: the subject is built by combining words from the following lists:
    List 1: Re:, Re: Re:
    List 2: approved, important, my, your
    List 3: application, approved, bill, corrected, data, details, document, document_all, excel document, file, hello, here, hi, important, improved, information, letter, message, patched, product, read it immediately, screensaver, text, thanks!, website, word document
    For example: approved, Re: my details, Re: Re: important excel document, your information, etc.

    Message:
    Authentication required.
    I have attached your document.
    I have received your document. The corrected document is attached.
    Please confirm the document.
    Please read the attached file!
    Please read the document.
    Please read the important document.
    Please see the attached file for details.
    Requested file.
    See the file.
    You have received an extended message. Please read the instructions.
    Your details.
    Your document is attached to this mail.
    Your document is attached.
    Your document is attached.
    Your document.
    Your file is attached.

    Additionally, the message may end with one of the following footers, faked to look like an antivirus scan notice:
    +++ Attachment: No Virus found
    +++ MessageLabs AntiVirus - www.messagelabs.com

    +++ Attachment: No Virus found
    +++ Bitdefender AntiVirus - www.bitdefender.com

    +++ Attachment: No Virus found
    +++ MC-Afee AntiVirus - www.mcafee.com

    +++ Attachment: No Virus found
    +++ Kaspersky AntiVirus - www.kaspersky.com

    +++ Attachment: No Virus found
    +++ Panda AntiVirus - www.pandasoftware.com

    ++++ Attachment: No Virus found
    ++++ Norman AntiVirus - www.norman.com

    ++++ Attachment: No Virus found
    ++++ F-Secure AntiVirus - www.f-secure.com

    ++++ Attachment: No Virus found
    ++++ Norton AntiVirus - www.symantec.de

    Attachments: one of the following:
    message
    msg
    details
    data
    document
    readme

    The extension of these files can be EXE, SCR or PIF. In some cases, there is a second extension, which can be DOC or TXT. In those cases, several blank spaces are included between the first and the second extension. Additionally, the attached file could be compressed in a ZIP format.


    Method B:

    It consists of thirty cases, each of them with several options.
    The attached file is variable, and it can have a single or double extension (in the latter case, several blank spaces are included between the two extensions). Additionally, the attached file could be compressed in ZIP format.

    Case 1:
    Subject: one of the following:
    Protected Mail System
    Mail Authentication


    Message: one of the following:
    Encrypted message is available.
    Protected message is attached.


    Attachments: it has one of the following file names:
    DOCUMENT, ENCRYPTED_MSG01, MESSAGE, MSG, PGP_SESS01

    Case 2:
    Subject: one of the following:
    Re: Approved document
    Re: Your document


    Message: one of the following:
    Please read the attached file.
    Your document is attached.


    Attachments: it has one of the following file names:
    ABOUT_YOU, ALL_DOC01, APPROVED, CORRECTED, DOCUMENT, DOCUMENT04, FILE, IMPROVED, MSG, YOUR_DOCUMENT.

    Case 3:
    Subject: one of the following:
    Re: Is that your document?
    Is that your password?


    Message: one of the following:
    Can you confirm it?
    I have attached it to this mail.


    Attachments: it has one of the following file names:
    DOCUMENT, PWD02, DOCUMENT01, PART6, PRIVATE_01

    Case 4:
    Subject: one of the following:
    Mail Delivery (failure)
    Error


    Message: one of the following:
    Binary message is available.
    Message has been sent as a binary attachment.


    Attachments: it has one of the following file names:
    DATA, EMAIL, LETTER, MESSAGE, MSG

    Case 5:
    Subject: one of the following:
    Hello
    Hi


    Message: one of the following:
    Try this game ;-)
    I hope the patch works.


    Attachments: it has one of the following file names:
    APPLICATION, GAME, PATCH3425, SOFTWARE

    Case 6:
    Subject: one of the following:
    Private document
    Stolen document


    Message: one of the following:
    I found this document about you.
    I cannot believe that.


    Attachments: it has one of the following file names:
    ABOUT_YOU, DOCUMENT342, YOUR_DOCUMENT

    Case 7:
    Subject: one of the following:
    Re: Hi
    Re: Its me


    Message: one of the following:
    I have attached your file. Your passwor is jkl44563.
    The file is protected with the password ghj001.


    Attachments: it has one of the following file names:
    DATA20, DOCUMENT, DOCUMENT43, LETTER32, MAILS9, MY_DETAILS, PRIV, YOUR_DOC

    Further information about the rest of the cases is available in the full encyclopedia entry.
  • The computer is affected when the attached file is run.

  • Netsky.P searches for e-mail addresses in files with the following extensions: XML, WSH, JSP, DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.

  • Netsky.P sends itself out to all the addresses it has gathered, using its own SMTP engine.
  • However, it does not send itself to the addresses that contain any of the following text strings: @microsof, @antivi, @symantec, @spam, @avp, @f-secur, @bitdefender, @norman, @mcafee, @kaspersky, @f-pro, @norton, @fbi, abuse@, @messagel, @skynet, @pandasof, @freeav, @sophos, ntivir, @viruslis, noreply@, spam@, reports@.

2.- Transmission through P2P file sharing programs.

Netsky.P follows the routine below:

  • It creates copies of itself in directories whose names contain any of the following text strings: my shared folder, download, ftp, htdocs, http, upload, shar, icq, bear, lime, morpheus, donkey, mule, kazaa or shared files.
    These copies have the following names:
    1001 Sex and more.rtf.exe
    3D Studio Max 6 3dsmax.exe
    ACDSee 10.exe
    Adobe Photoshop 10 crack.exe
    Adobe Photoshop 10 full.exe
    Adobe Premiere 10.exe
    Ahead Nero 8.exe
    Altkins Diet.doc.exe
    American Idol.doc.exe
    Arnold Schwarzenegger.jpg.exe
    Best Matrix Screensaver new.scr
    Britney sex xxx.jpg.exe
    Britney Spears and Eminem porn.jpg.exe
    Britney Spears blowjob.jpg.exe
    Britney Spears cumshot.jpg.exe
    Britney Spears fuck.jpg.exe
    Britney Spears full album.mp3.exe
    Britney Spears porn.jpg.exe
    Britney Spears Sexy archive.doc.exe
    Britney Spears Song text archive.doc.exe
    Britney Spears.jpg.exe
    Britney Spears.mp3.exe
    Clone DVD 6.exe
    Cloning.doc.exe
    Cracks & Warez Archiv.exe
    Dark Angels new.pif
    Dictionary English 2004 - France.doc.exe
    DivX 8.0 final.exe
    Doom 3 release 2.exe
    E-Book Archive2.rtf.exe
    Eminem blowjob.jpg.exe
    Eminem full album.mp3.exe
    Eminem Poster.jpg.exe
    Eminem sex xxx.jpg.exe
    Eminem Sexy archive.doc.exe
    Eminem Song text archive.doc.exe
    Eminem Spears porn.jpg.exe
    Eminem.mp3.exe
    Full album all.mp3.pif
    Gimp 1.8 Full with Key.exe
    Harry Potter 1-6 book.txt.exe
    Harry Potter 5.mpg.exe
    Harry Potter all e.book.doc.exe
    Harry Potter e book.doc.exe
    Harry Potter.doc.exe
    Harry Pottergame.exe
    How tohack new.doc.exe
    Internet Explorer 9 setup.exe
    Kazaa Lite 4.0 new.exe
    Kazaa new.exe
    Keygen 4 all new.exe
    Learn Programming 2004.doc.exe
    Lightwave 9 Update.exe
    Magix VideoDeluxe 5 beta.exe
    Matrix.mpg.exe
    Microsoft Office 2003 Crack best.exe
    Microsoft WinXP Crack full.exe
    MS Service Pack 6.exe
    netsky sourcecode.scr
    Norton Antivirus 2005 beta.exe
    Opera 11.exe
    Partitionsmagic 10 beta.exe
    Porno Screensaver britney.scr
    RFC compilation.doc.exe
    Ringtones.doc.exe
    Ringtones.mp3.exe
    Saddam Hussein.jpg.exe
    Screensaver2.scr
    Serials edition.txt.exe
    Smashing the stack full.rtf.exe
    Star Office 9.exe
    Teen Porn 15.jpg.pif
    The Sims 4 beta.exe
    Ulead Keygen 2004.exe
    Visual Studio Net Crack all.exe
    Win Longhorn re.exe
    WinAmp 13 full.exe
    Windows 2000 Sourcecode.doc.exe
    Windows 2003 crack.exe
    Windows XP crack.exe
    WinXP eBook newest.doc.exe
    XXX hardcore pics.jpg.exe
  • Other users of these programs can access these shared directories and download the files, believing them to be the programs or media their names suggest; what they actually receive is a copy of Netsky.P.
  • When the downloaded file is run, their computers are infected with Netsky.P.
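As an added example (not code from the Panda entry), the following Python turns the lure characteristics described above into a detection heuristic for mail-gateway or share-scanning tooling: the Method A subject generator (fixed subjects plus the List 1/2/3 compounds), the faked "No Virus found" footer, the Method A attachment names with a blank-padded double extension and, for the P2P section, files in share-like folders that hide an executable behind a decoy extension. The indicator tables are transcribed from this entry; the function names are my own.

```python
import re
# Indicator tables transcribed from the Netsky.P description above.
SUBJECT_FIXED = {"administration", "bad request", "delivery protection", "delivery server",
    "encrypted mail", "error", "extended mail", "extended mail system", "failure",
    "mail authentification", "mail server", "message error", "notify", "protected mail delivery",
    "protected mail request", "protected mail system", "secure delivery", "secure smtp message",
    "smtp server", "status", "test", "thank you for delivery"}
LIST2 = ("approved", "important", "my", "your")
LIST3 = ("application", "approved", "bill", "corrected", "data", "details", "document",
    "document_all", "excel document", "file", "hello", "here", "hi", "important",
    "improved", "information", "letter", "message", "patched", "product",
    "read it immediately", "screensaver", "text", "thanks!", "website", "word document")
ATTACH_BASES = {"message", "msg", "details", "data", "document", "readme"}
EXEC_EXT = {"exe", "scr", "pif"}
FAKE_FOOTER = re.compile(r"^\+{3,4} Attachment: No Virus found", re.MULTILINE)
P2P_DIR_HINTS = ("my shared folder", "download", "ftp", "htdocs", "http", "upload",
    "shar", "icq", "bear", "lime", "morpheus", "donkey", "mule", "kazaa", "shared files")

def split_name(filename):
    """Return (base, decoy_ext, final_ext). The worm pads the gap between a decoy
    extension and the real one with blanks ('data.txt     .exe'), so strip each piece."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) == 1:
        return parts[0], None, None
    return parts[0], (parts[-2] if len(parts) > 2 else None), parts[-1]

def lure_subject(subject):
    """True for a fixed Method A subject or a List 1/2/3 compound like 'Re: my details'."""
    s = re.sub(r"^(re:\s*)+", "", subject.strip().lower())
    return s in SUBJECT_FIXED or s in LIST3 or any(
        s == f"{w} {x}" for w in LIST2 for x in LIST3)

def mail_indicators(subject, body, attachment):
    """Netsky.P lure traits found in one message; an empty list means none matched."""
    hits = []
    if lure_subject(subject):
        hits.append("generated subject")
    if FAKE_FOOTER.search(body):
        hits.append("fake 'No Virus found' footer")
    base, decoy, final = split_name(attachment)
    if base in ATTACH_BASES and final in EXEC_EXT and decoy in (None, "doc", "txt"):
        hits.append("executable attachment" + (", padded double extension" if decoy else ""))
    return hits

def p2p_indicator(path):
    """True for a file under a share-like folder that hides an executable behind a decoy ext."""
    folder, _, name = path.replace("\\", "/").rpartition("/")
    _, decoy, final = split_name(name)
    return decoy is not None and final in EXEC_EXT and any(h in folder.lower() for h in P2P_DIR_HINTS)
```

The P2P check deliberately flags only names with a decoy extension, so single-extension copies such as "ACDSee 10.exe" need the file list above or a hash match; Method B attachment names are not covered.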

Further Details

Netsky.P is written in Visual C++ 6.0. The worm is 29,568 bytes in size and is compressed with FSG.

The executable file of Netsky.P creates a mutex called 'D'r'o'p'p'e'd'S'k'y'N'e't', whereas the DLL file creates another called _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_. Each file creates its mutex so that only one instance of it runs at a time.

The executable file contains the following text in its code:

U'l't'i'm'a't'i'v'e 'E'n'c'r'y'p't'e'd 'W'o'r'm'D'r'o'p'p'e'r' 'b'y 'S'k'y'N'e't'.'C'Z' 'C'o'r'p*' 'D'r'o'p'p'e'd'S'k'y'N'e't' 'S'k'y'N'e't'F'i'g'h't's'B'a'c'k

whereas the DLL contains this one:

Bagle, do not delete SkyNet. You fucked bitch! Wanna go into a prison?
We are the only AntiVirus, not Bagle, shut up and take your butterfly! - Message from SkyNet AVTeam Lets join an alli-A-n-C-e-,bagle!

These texts are never displayed to the user.