Netsky.P
Threat LevelDamageDistribution

Effects 

Netsky.P deletes the entries that belong to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.

Infection strategy 

Netsky.P creates the following files in the Windows directory:

• FVPROTECT.EXE. This file is a copy of the worm.
• USERCONFIG9X.DLL. This file is a DLL (Dynamic Link Library), which provides the functionalities of the worm.
• ZIP1.TMP, ZIP2.TMP and ZIP3.TMP. These files in MIME format contain a copy of the worm compressed in ZIP format.
• ZIPPED.TMP. This file compressed in ZIP format contains a copy of the worm.
• BASE64.TMP. This file in MIME format contains a copy of the worm.

Netsky.P creates the following entry in the Windows Registry:

• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  Norton Antivirus AV = %windir%\ FVProtect.exe
  where %windir% is the Windows directory.
  By creating this entry, Netsky.P ensures that it is run whenever Windows is started.

Netsky.P deletes the following entries in the Windows Registry, if present:

• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Taskmon
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Taskmon
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Explorer
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Explorer
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  System
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
  System
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  msgsvr32
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  DELETE ME
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  d3dupdate.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  au.exe
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  winupd.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  winupd.exe
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  direct.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  direct.exe
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  jijbl
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Video
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
  Video
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  gouday.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  rate.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  sysmon.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  srate.exe
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  ssate.exe
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  service
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  OLE
• HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
  Sentry
• HKEY_CURRENT_USER\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer
  PINF
• HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Services\ WksPatch
• HKEY_CURRENT_USER\ Windows Services Host
• HKEY_LOCAL_MACHINE\ Windows Services Host
• HKEY_CLASSES_ROOT\ CLSID\ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ InProcServer32
  These entries belong to certain worms, such as Mydoom.A, Mydoom.B, Mimail.T and several variants of  Bagle.

Means of transmission 

Netsky.P spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

1.- Transmission via e-mail.

• It reaches the computer in an e-mail message with extremely variable characteristics. Netsky.P uses one out of two possible methods, which have different options each:
  
  Sender:
  Regardless of the method used, Netsky.P spoofs the e-mail address from which it is sent. This may cause confusion. For further information, click here.
  
  Method A:
  
  Subject:
  Option 1: the worm selects one of the following hard-coded items:
  Re: Administration
  Re: Bad Request
  Re: Delivery Protection
  Re: Delivery Server
  Re: Encrypted Mail
  Re: Error
  Re: Extended Mail
  Re: Extended Mail System
  Re: Failure
  Re: Mail Authentification
  Re: Mail Server
  Re: Message Error
  Re: Notify
  Re: Protected Mail Delivery
  Re: Protected Mail Request
  Re: Protected Mail System
  Re: Secure delivery
  Re: Secure SMTP Message
  Re: SMTP Server
  Re: Status
  Re: Test
  Re: Thank you for delivery
  Option 2: the subject is a compound of words from some of the following lists:
  List 1: Re:, Re: Re:
  List 2: approved, important, my, your
  List 3: application, approved, bill, corrected, data, details, document, document_all, excel document, file, hello, here, hi, important, improved, information, letter, message, patched, product, read it immediately, screensaver, text, thanks!, website, word document
  For example: approved, Re: my details, Re: Re: important excel document, your information, etc.
  
  Message:
  Authentication required.
  I have attached your document.
  I have received your document. The corrected document is attached.
  Please confirm the document.
  Please read the attached file!
  Please read the document.
  Please read the important document.
  Please see the attached file for details.
  Requested file.
  See the file.
  You have received an extended message. Please read the instructions.
  Your details.
  Your document is attached to this mail.
  Your document is attached.
  Your document is attached.
  Your document.
  Your file is attached.
  Additionally, the message could include one of the following final texts:
  +++ Attachment: No Virus found
  +++ MessageLabs AntiVirus - www.messagelabs.com
  
  +++ Attachment: No Virus found
  +++ Bitdefender AntiVirus - www.bitdefender.com
  
  +++ Attachment: No Virus found
  +++ MC-Afee AntiVirus - www.mcafee.com
  
  +++ Attachment: No Virus found
  +++ Kaspersky AntiVirus - www.kaspersky.com
  
  +++ Attachment: No Virus found
  +++ Panda AntiVirus - www.pandasoftware.com
  
  ++++ Attachment: No Virus found
  ++++ Norman AntiVirus - www.norman.com
  
  ++++ Attachment: No Virus found
  ++++ F-Secure AntiVirus - www.f-secure.com
  
  ++++ Attachment: No Virus found
  ++++ Norton AntiVirus - www.symantec.de

  Attachments: one of the following:
  message
  msg
  details
  data
  document
  readme
  The extension of these files can be EXE, SCR or PIF. In some cases, there is a second extension, which can be DOC or TXT. In those cases, several blank spaces are included between the first and the second extension. Additionally, the attached file could be compressed in a ZIP format.
  
  
  Method B:
  
  It consists of thirty cases, each of them with several options.
  The attached file is variable, and it can have a single or double extension (in this particular case, several blank spaces are included between them). Additionally, the attached file could be compressed in a ZIP format.
  
  

  Case 1:
  Subject: one of the following:
  Protected Mail System
  Mail Authentication
  
  Message: one of the following:
  Encrypted message is available.
  Protected message is attached.
  
  Attachments: it has one of the following file names:
  DOCUMENT, ENCRYPTED_MSG01, MESSAGE, MSG, PGP_SESS01

  Case 2:
  Subject: one of the following:
  Re: Approved document
  Re: Your document
  
  Message: one of the following:
  Please read the attached file.
  Your document is attached.
  
  Attachments: it has one of the following file names:
  ABOUT_YOU, ALL_DOC01, APPROVED, CORRECTED, DOCUMENT, DOCUMENT04, FILE, IMPROVED, MSG, YOUR_DOCUMENT.

  Case 3:
  Subject: one of the following:
  Re: Is that your document?
  Is that your password?
  
  Message: one of the following:
  Can you confirm it?
  I have attached it to this mail.
  
  Attachments: it has one of the following file names:
  DOCUMENT, PWD02, DOCUMENT01, PART6, PRIVATE_01

  Case 4:
  Subject: one of the following:
  Mail Delivery (failure)
  Error
  
  Message: one of the following:
  Binary message is available.
  Message has been sent as a binary attachment.
  
  Attachments: it has one of the following file names:
  DATA, EMAIL, LETTER, MESSAGE, MSG

  Case 5:
  Subject: one of the following:
  Hello
  Hi
  
  Message: one of the following:
  Try this game ;-)
  I hope the patch works.
  
  Attachments: it has one of the following file names:
  APPLICATION, GAME, PATCH3425, SOFTWARE

  Case 6:
  Subject: one of the following:
  Private document
  Stolen document
  
  Message: one of the following:
  I found this document about you.
  I cannot believe that.
  
  Attachments: it has one of the following file names:
  ABOUT_YOU, DOCUMENT342, YOUR_DOCUMENT

  Case 7:
  Subject: one of the following:
  Re: Hi
  Re: Its me
  
  Message: one of the following:
  I have attached your file. Your passwor is jkl44563.
  The file is protected with the password ghj001.
  
  Attachments: it has one of the following file names:
  DATA20, DOCUMENT, DOCUMENT43, LETTER32, MAILS9, MY_DETAILS, PRIV, YOUR_DOC

  For further information about the rest of the cases, click here.

• The computer is affected when the attached file is run.

• Netsky.P searches for e-mail addresses in the files that have the following extensions XML, WSH, JSP, DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.

• Netsky.P sends itself out to all the addresses it has gathered, using its own SMTP engine.
• However, it does not send itself to the addresses that contain any of the following text strings: @microsof, @antivi, @symantec, @spam, @avp, @f-secur, @bitdefender, @norman, @mcafee, @kaspersky, @f-pro, @norton, @fbi, abuse@, @messagel, @skynet, @pandasof, @freeav, @sophos, ntivir, @viruslis, noreply@, spam@, reports@.

2.- Transmission through P2P file sharing programs.

Netsky.P follows the routine below:

• It creates copies of itself in the directories that contain any of the following text strings: my shared folder, download, ftp, htdocs, http, upload, shar, icq, bear, lime, morpheus, donkey, mule, kazaaor shared files.
  These copies have the following names:
  1001 Sex and more.rtf.exe
  3D Studio Max 6 3dsmax.exe
  ACDSee 10.exe
  Adobe Photoshop 10 crack.exe
  Adobe Photoshop 10 full.exe
  Adobe Premiere 10.exe
  Ahead Nero 8.exe
  Altkins Diet.doc.exe
  American Idol.doc.exe
  Arnold Schwarzenegger.jpg.exe
  Best Matrix Screensaver new.scr
  Britney sex xxx.jpg.exe
  Britney Spears and Eminem porn.jpg.exe
  Britney Spears blowjob.jpg.exe
  Britney Spears cumshot.jpg.exe
  Britney Spears fuck.jpg.exe
  Britney Spears full album.mp3.exe
  Britney Spears porn.jpg.exe
  Britney Spears Sexy archive.doc.exe
  Britney Spears Song text archive.doc.exe
  Britney Spears.jpg.exe
  Britney Spears.mp3.exe
  Clone DVD 6.exe
  Cloning.doc.exe
  Cracks & Warez Archiv.exe
  Dark Angels new.pif
  Dictionary English 2004 - France.doc.exe
  DivX 8.0 final.exe
  Doom 3 release 2.exe
  E-Book Archive2.rtf.exe
  Eminem blowjob.jpg.exe
  Eminem full album.mp3.exe
  Eminem Poster.jpg.exe
  Eminem sex xxx.jpg.exe
  Eminem Sexy archive.doc.exe
  Eminem Song text archive.doc.exe
  Eminem Spears porn.jpg.exe
  Eminem.mp3.exe
  Full album all.mp3.pif
  Gimp 1.8 Full with Key.exe
  Harry Potter 1-6 book.txt.exe
  Harry Potter 5.mpg.exe
  Harry Potter all e.book.doc.exe
  Harry Potter e book.doc.exe
  Harry Potter.doc.exe
  Harry Pottergame.exe
  How tohack new.doc.exe
  Internet Explorer 9 setup.exe
  Kazaa Lite 4.0 new.exe
  Kazaa new.exe
  Keygen 4 all new.exe
  Learn Programming 2004.doc.exe
  Lightwave 9 Update.exe
  Magix VideoDeluxe 5 beta.exe
  Matrix.mpg.exe
  Microsoft Office 2003 Crack best.exe
  Microsoft WinXP Crack full.exe
  MS Service Pack 6.exe
  netsky sourcecode.scr
  Norton Antivirus 2005 beta.exe
  Opera 11.exe
  Partitionsmagic 10 beta.exe
  Porno Screensaver britney.scr
  RFC compilation.doc.exe
  Ringtones.doc.exe
  Ringtones.mp3.exe
  Saddam Hussein.jpg.exe
  Screensaver2.scr
  Serials edition.txt.exe
  Smashing the stack full.rtf.exe
  Star Office 9.exe
  Teen Porn 15.jpg.pif
  The Sims 4 beta.exe
  Ulead Keygen 2004.exe
  Visual Studio Net Crack all.exe
  Win Longhorn re.exe
  WinAmp 13 full.exe
  Windows 2000 Sourcecode.doc.exe
  Windows 2003 crack.exe
  Windows XP crack.exe
  WinXP eBook newest.doc.exe
  XXX hardcore pics.jpg.exe
• Other users of these programs can remotely access these shared directories and download these files to their computers, thinking that they are computer programs. However, these users will actually download a copy of Netsky.P.
• When the downloaded file is run, these computers will become affected by Netsky.P.

Further Details  

Netsky.P is written in the programming language Visual C++ v6.0. The worm is 29,568 bytes in size and it is compressed with FSG.

The executable file of Netsky.P creates the mutex called 'D'r'o'p'p'e'd'S'k'y'N'e't', whereas the DLL file creates another called _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_. Each file creates its mutex in order not to be run several times simultaneously.

The executable file contains the following text in its code:

U'l't'i'm'a't'i'v'e 'E'n'c'r'y'p't'e'd 'W'o'r'm'D'r'o'p'p'e'r' 'b'y 'S'k'y'N'e't'.'C'Z' 'C'o'r'p*' 'D'r'o'p'p'e'd'S'k'y'N'e't' 'S'k'y'N'e't'F'i'g'h't's'B'a'c'k

whereas the DLL contains this one:

Bagle, do not delete SkyNet. You fucked bitch! Wanna go into a prison?
We are the only AntiVirus, not Bagle, shut up and take your butterfly! - Message from SkyNet AVTeam Lets join an alli-A-n-C-e-,bagle!

However, these texts are not shown at any moment.