Effects
Netsky.D carries out the following actions:
It emits a sound that consists of random tones through the internal speaker when the system date is March 2, 2004, between 6:00 a.m. and 8:59 a.m.
Note: on March 11, 2004, a new variant of this worm was detected by PandaLabs. This new variant creates four threads to send itself via e-mail instead of eight, and it was compiled with different options, as its code slightly differs from the original one.
Infection strategy
Netsky.D creates the file WINLOGON.EXE in the Windows directory. This file is a copy of the worm.
Netsky.D creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  ICQ Net = %windir%\winlogon.exe -stealth
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ICQ Net = %windir%\winlogon.exe -stealth
where %windir% is the Windows directory.
If it does not succeed in creating the first entry, it attempts to create the second one.
By creating any of these entries, Netsky.D ensures that it is run whenever Windows is started.
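The two Run-key values above are the worm's only persistence mechanism, so the quickest triage check on a suspect host is to review every autostart value for the indicators this page names. The following Python is an added example written for this page, not Panda's code: it takes a snapshot of Run-key values (constructed inline here; on a live host it would be collected with the winreg module or reg query) and flags the ICQ Net value name, a winlogon.exe launched from the Windows directory rather than from System32 where the genuine copy lives, and the -stealth argument. The RunEntry type, the function names and the sample snapshot are assumptions of the example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Autostart keys the page names as the ones Netsky.D writes to; a collector
# would export these (and the RunServices key) before calling scan_run_entries.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]


@dataclass(frozen=True)
class RunEntry:
    """One value under an autostart key: key path, value name and value data (hypothetical type)."""
    key: str
    name: str
    data: str


def split_command(data: str) -> Tuple[str, List[str]]:
    """Split 'exe arg arg' into (exe, [args]); a double-quoted exe may contain spaces."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data.strip('"'), []
        return data[1:end], data[end + 1:].split()
    parts = data.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def classify_run_entry(entry: RunEntry, windir: str = r"C:\WINDOWS") -> Optional[str]:
    """Return the reasons an autostart value matches Netsky.D's persistence, or None."""
    # %windir% and %SystemRoot% both name the Windows directory.
    expanded = entry.data.replace("%windir%", windir).replace("%SystemRoot%", windir)
    exe, args = split_command(expanded)
    base = ntpath.basename(exe).lower()
    parent = ntpath.dirname(exe)
    directory = ntpath.normpath(parent).lower() if parent else ""
    reasons = []
    if entry.name.lower() == "icq net":
        reasons.append('value name "ICQ Net"')
    if base == "winlogon.exe":
        # The genuine winlogon.exe lives in %windir%\System32; a copy directly in
        # %windir% is the file the page describes.
        if directory == ntpath.normpath(windir).lower():
            reasons.append("winlogon.exe started from the Windows directory")
        if "-stealth" in (a.lower() for a in args):
            reasons.append("-stealth argument")
    return "; ".join(reasons) if reasons else None


def scan_run_entries(entries: List[RunEntry], windir: str = r"C:\WINDOWS") -> List[Tuple[RunEntry, str]]:
    """Return every entry that matches, paired with the reasons it matched."""
    hits = []
    for entry in entries:
        reason = classify_run_entry(entry, windir)
        if reason:
            hits.append((entry, reason))
    return hits


# Constructed snapshot: what a collector might export from the Run keys of one host.
SAMPLE_SNAPSHOT = [
    RunEntry(RUN_KEYS[0], "ICQ Net", r"%windir%\winlogon.exe -stealth"),
    RunEntry(RUN_KEYS[1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    RunEntry(RUN_KEYS[0], "SoundMan", "SOUNDMAN.EXE"),
    # Same binary and argument under a different value name, quoted path.
    RunEntry(RUN_KEYS[1], "Update", r'"C:\WINDOWS\winlogon.exe" -stealth'),
]

if __name__ == "__main__":
    for entry, reason in scan_run_entries(SAMPLE_SNAPSHOT):
        print(f"{entry.key}\\{entry.name}: {reason}")
```

The checks are deliberately independent of the value name: the fourth sample entry uses a different name and a quoted path and is still caught, because winlogon.exe outside System32 and the -stealth argument are each sufficient on their own.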
Netsky.D deletes the following entries in the Windows Registry, if present:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Taskmon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Explorer
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  KasperskyAV
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  KasperskyAV
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  msgsvr32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  DELETE ME
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  d3dupdate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  au.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  service
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  OLE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sentry
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  PINF
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  WksPatch
- HKEY_CURRENT_USER\Windows Services Host
- HKEY_LOCAL_MACHINE\Windows Services Host
- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
These entries belong to several worms, including Mydoom.A, Mydoom.B and Mimail.T.
Means of transmission
Netsky.D spreads via e-mail. It follows the routine below:
It reaches the computer in an e-mail message with variable characteristics:
Sender:
Netsky.D spoofs the e-mail address from which it is sent, so the apparent sender is not the infected computer's owner. This may cause confusion.
Subject: one of the following:
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
Message: one of the following:
Here is the file.
Please have a look at the attached file.
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.
Attachments: one of the following:
ALL_DOCUMENT.PIF
APPLICATION.PIF
DOCUMENT.PIF
DOCUMENT_4351.PIF
DOCUMENT_EXCEL.PIF
DOCUMENT_FULL.PIF
DOCUMENT_WORD.PIF
MESSAGE_DETAILS.PIF
MESSAGE_PART2.PIF
MP3MUSIC.PIF
MY_DETAILS.PIF
YOUR_ARCHIVE.PIF
YOUR_BILL.PIF
YOUR_DETAILS.PIF
YOUR_DOCUMENT.PIF
YOUR_FILE.PIF
YOUR_LETTER.PIF
YOUR_PICTURE.PIF
YOUR_PRODUCT.PIF
YOUR_TEXT.PIF
YOUR_WEBSITE.PIF
YOURS.PIF
- The computer is affected when the attached file is run.
- Netsky.D searches for e-mail addresses in files that have the following extensions:
ADB, ASP, CGI, DBX, DHTM, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, SHTM, TBB, TXT, UIN, VBS and WAB.
- Netsky.D sends itself out to all the addresses it has gathered, using its own SMTP engine. It creates eight simultaneous threads in order to do so.
However, it does not send itself to addresses that contain any of the following text strings:
abuse, antivi, aspersky, avp, cafee, fbi, f-pro, f-secur, icrosoft, itdefender, messagelabs, orman, orton, skynet, spam and ymantec.
- Netsky.D contains a list of IP addresses belonging to DNS servers, which it uses to resolve the mail-server domains of the recipients it sends itself to. The list has twenty-five entries, but two of them are repeated:
145.253.2.171, 151.189.13.35, 193.141.40.42, 193.189.244.205, 193.193.144.12, 193.193.158.10, 194.25.2.129, 194.25.2.129, 194.25.2.130, 194.25.2.131, 194.25.2.132, 194.25.2.133, 194.25.2.134, 195.185.185.195, 195.185.185.195, 195.20.224.234, 212.185.252.136, 212.185.252.73, 212.185.253.70, 212.44.160.8, 212.7.128.162, 212.7.128.165, 213.191.74.19, 217.5.97.137, 62.155.255.16.
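Because the worm's subjects, message bodies and attachment names are drawn from fixed lists, a mail gateway can score incoming messages against them. The following Python is an added example for this page, not Panda's code or a product rule: it parses an RFC 822 message with the standard email module, matches the subject, plain-text body and attachment names against the lists above, and blocks a message carrying a known attachment name, or any .PIF attachment combined with one of the lure texts. The inspect_message and build_sample functions and the two sample messages are assumptions of the example; the samples are constructed here, not captured traffic.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Lists taken from the page (lower-cased so matching is case-insensitive).
NETSKY_D_SUBJECTS = {s.lower() for s in [
    "Re: Approved", "Re: Details", "Re: Document", "Re: Excel file", "Re: Hello", "Re: Here",
    "Re: Here is the document", "Re: Hi", "Re: My details", "Re: Re: Document", "Re: Re: Message",
    "Re: Re: Re: Your document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Word file", "Re: Your archive",
    "Re: Your bill", "Re: Your details", "Re: Your document", "Re: Your letter", "Re: Your music",
    "Re: Your picture", "Re: Your product", "Re: Your software", "Re: Your text", "Re: Your website",
]}
NETSKY_D_BODIES = {b.lower() for b in [
    "Here is the file.", "Please have a look at the attached file.", "Please read the attached file.",
    "See the attached file for details.", "Your document is attached.", "Your file is attached.",
]}
NETSKY_D_ATTACHMENTS = {a.lower() for a in [
    "ALL_DOCUMENT.PIF", "APPLICATION.PIF", "DOCUMENT.PIF", "DOCUMENT_4351.PIF", "DOCUMENT_EXCEL.PIF",
    "DOCUMENT_FULL.PIF", "DOCUMENT_WORD.PIF", "MESSAGE_DETAILS.PIF", "MESSAGE_PART2.PIF", "MP3MUSIC.PIF",
    "MY_DETAILS.PIF", "YOUR_ARCHIVE.PIF", "YOUR_BILL.PIF", "YOUR_DETAILS.PIF", "YOUR_DOCUMENT.PIF",
    "YOUR_FILE.PIF", "YOUR_LETTER.PIF", "YOUR_PICTURE.PIF", "YOUR_PRODUCT.PIF", "YOUR_TEXT.PIF",
    "YOUR_WEBSITE.PIF", "YOURS.PIF",
]}


def inspect_message(raw: bytes) -> Dict[str, object]:
    """Score one raw message against the Netsky.D mail characteristics (hypothetical gateway hook)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators: List[str] = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NETSKY_D_SUBJECTS:
        indicators.append(f"subject {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    if body in NETSKY_D_BODIES:
        indicators.append(f"body {body!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in NETSKY_D_ATTACHMENTS:
            indicators.append(f"known attachment {name}")
        elif name.endswith(".pif"):
            # A .PIF file is executed by Windows; it is never a legitimate document.
            indicators.append(f"pif attachment {name}")

    known_attachment = any(i.startswith("known attachment") for i in indicators)
    any_pif = any("attachment" in i for i in indicators)
    lure = any(i.startswith(("subject", "body")) for i in indicators)
    # Block on a listed attachment name, or on any .PIF that arrives with a lure text;
    # a lone unlisted .PIF is only reported so that an operator can decide.
    return {"block": known_attachment or (any_pif and lure), "indicators": indicators}


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # forged sender, as the worm does
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00 constructed placeholder bytes, not worm code",
                           maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


WORM_LIKE = build_sample("Re: Your document", "Please read the attached file.", "YOUR_DOCUMENT.PIF")
BENIGN = build_sample("Re: Hello", "Thanks, see you at 10.", None)

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, inspect_message(raw))
```

The subject list overlaps ordinary replies ("Re: Hello", "Re: Thanks!"), so the subject alone never blocks; it only raises the score, which is why the benign sample is reported with one indicator but passes.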
Further Details
Netsky.D is written in the programming language Visual C++ v6.0. The worm is 17,424 bytes in size and it is compressed with Petite v2.2.
Netsky.D creates the mutex [SkyNet.cz]SystemsMutex so that only one instance of the worm runs at a time.
Netsky.D contains the following text in its code, although it is not shown at any moment:
be aware! Skynet.cz - -->AntiHacker Crew<-- >