Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Netsky.Q

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects

Netsky.Q carries out the following actions:

  • It attempts to launch DoS (Denial of Service) attacks against the following web pages, between April 8 and 11, inclusive:
    www.cracks.st
    www.cracks.am
    www.emule-project.net
    www.kazaa.com
    www.edonkey2000.com
  • It deletes the entries that belong to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.
  • It emits a sound that consists of random tones through the internal speaker when the system date is March 30, 2004, between 5:00 a.m. and 10:59 a.m.

Infection strategy 

Netsky.Q creates the following files in the Windows directory:

  • SYSMONXP.EXE. This file is a copy of the worm.
  • FIREWALLLOGGER.TXT. This file provides the functionalities of the worm.
  • ZIPO0.TXT, ZIPO1.TXT, ZIPO2.TXT and ZIPO3.TXT. These files in MIME format contain a copy of the worm compressed in ZIP format.
  • ZIPPEDBASE64.TMP. This file compressed in ZIP format contains a copy of the worm.
  • BASE64.TMP. This file in MIME format contains a copy of the worm.

Netsky.Q creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SysMonXP = %windir%\SysMonXP.exe

    where %windir% is the Windows directory.
    By creating this entry, Netsky.Q ensures that it is run whenever Windows is started.

Netsky.Q deletes the following entries in the Windows Registry, if present:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    msgsvr32
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    au.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winupd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    direct.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    direct.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Taskmon
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Taskmon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DELETE ME
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    gouday.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    rate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    jijbl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Video
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    service
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sentry
  • HKEY_CURRENT_USER\Windows Services Host
  • HKEY_LOCAL_MACHINE\Windows Services Host
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sysmon.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    srate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ssate.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winupd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Video
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    PINF
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft IE Execute shell
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Winsock2 driver
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Winsock2 driver
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ICM version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    yeahdude
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    yeahdude
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    yeahdude
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft System Checkup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft System Checkup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft System Checkup

    These entries are created by several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.

Means of transmission 

Netsky.Q spreads via email. It follows the routine below:

  • It reaches the computer in an email message with variable characteristics:

    Subject: It consists of one of the following phrases, and the email address of the recipient between brackets:
    Deliver Mail
    Delivered Message
    Delivery
    Delivery Bot
    Delivery Error
    Delivery Failed
    Delivery Failure
    Error
    Failed
    Failure
    Mail Delivery failure
    Mail Delivery System
    Mail System
    Server Error
    Status
    Unknown Exception


    Message: it can be written in plain text or in HTML format, and it is composed of phrases taken from the following lists:
    List 1:
    Delivery Agent - Translation failed
    Delivery Failure - Invalid mail specification
    Mail Delivery - This mail couldn't be displayed
    Mail Delivery Error - This mail contains unicode characters
    Mail Delivery Failed - This mail couldn't be represented
    Mail Delivery Failure - This mail couldn't be shown.
    Mail Delivery System - This mail contains binary characters
    Mail Transaction Failed - This mail couldn't be converted


    Hard-coded item:
    ------------- failed message -------------

    List 2:
    Message has been sent as a binary attachment.
    Modified message has been sent as a binary attachment.
    Note: Received message has been sent as a binary file.
    Partial message is available and has been sent as a binary attachment.
    Received message has been attached.
    Received message has been sent as an encoded attachment.
    The message has been sent as a binary attachment.
    Translated message has been attached.


    Final text:


    Note: if the message is in HTML format, it appears to have no attached files, and it includes the following text:
    Or you can view the message at:
    www.%domain of the recipient%/inmail/%name of the recipient%/mread.php?sessionid-%random number%
    This link is specially crafted in order to run the worm's code automatically, by exploiting a vulnerability known as Exploit/Iframe.

    Attachments: the file name is variable, and it can have a ZIP or PIF extension:
    Possible file names: DATA, MAIL, MESSAGE, MSG.
    For example: DATA.PIF, MESSAGE.ZIP, MSG.PIF, etc.
    If the attached file has a ZIP extension, it will contain one of the following files:
    DATA.EML.SCR, MAIL.EML.SCR, MSG.EML.SCR or MESSAGE.EML.SCR.
  • The computer is affected when the attached file is run, or when the email message is viewed through Outlook's Preview Pane. In the latter case the worm exploits a vulnerability in Internet Explorer that allows email attachments to be run automatically. This exploit is known as Exploit/Iframe.
  • Netsky.Q searches for email addresses in files with an ADB, ASP, CFG, CGI, DBX, DHTM, DOC, EML, HTM, HTML, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, PPT, RTF, SHT, SHTM, STM, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML extension.
  • Netsky.Q sends a copy of itself to the addresses it has gathered, using its own SMTP engine. However, it does not send itself to the addresses containing any of the following text strings:
    @antivi, @avp, @bitdefender, @fbi, @f-pro, @freeav, @f-secur, @kaspersky, @mcafee, @messagel, @microsof, @norman, @norton, @pandasof, @skynet, @sophos, @spam, @symantec, @viruslis, abuse@, noreply@, ntivir, reports@, spam@.
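The message characteristics listed above translate directly into mail-gateway detection logic. The following is an added example, not code from Panda Security or this entry: a standard-library Python scanner that parses a raw RFC 822 message and reports the three indicators the entry describes (a listed subject phrase followed by a bracketed address, a DATA/MAIL/MESSAGE/MSG attachment with a PIF or ZIP extension, with the ZIP opened read-only to look for the nested *.EML.SCR name, and the mread.php?sessionid- link in an HTML body). The sample messages are constructed; the ZIP holds a harmless placeholder, not the worm. Function names and the finding-string format are my own.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from this entry's description of the Netsky.Q message.
SUBJECT_PHRASES = {
    "Deliver Mail", "Delivered Message", "Delivery", "Delivery Bot",
    "Delivery Error", "Delivery Failed", "Delivery Failure", "Error",
    "Failed", "Failure", "Mail Delivery failure", "Mail Delivery System",
    "Mail System", "Server Error", "Status", "Unknown Exception",
}
ATTACHMENT_BASENAMES = {"DATA", "MAIL", "MESSAGE", "MSG"}
ATTACHMENT_EXTENSIONS = {"PIF", "ZIP"}
ZIP_INNER_NAMES = {"DATA.EML.SCR", "MAIL.EML.SCR", "MSG.EML.SCR", "MESSAGE.EML.SCR"}
HTML_LINK_MARKER = "/mread.php?sessionid-"

# "<phrase> (recipient@address)"; round, square and angle brackets are all
# accepted because the entry only says "between brackets" (assumption).
SUBJECT_RE = re.compile(
    r"^(?P<phrase>.+?)\s*[(\[<](?P<addr>[^\s()\[\]<>]+@[^\s()\[\]<>]+)[)\]>]\s*$"
)


def subject_matches(subject):
    """True when the subject is a listed phrase followed by a bracketed address."""
    m = SUBJECT_RE.match(subject.strip())
    return bool(m) and m.group("phrase").strip() in SUBJECT_PHRASES


def attachment_indicator(part):
    """Describe a suspicious attachment on this MIME part, or return None."""
    name = part.get_filename()
    if not name:
        return None
    base, _, ext = name.rpartition(".")
    if base.upper() not in ATTACHMENT_BASENAMES or ext.upper() not in ATTACHMENT_EXTENSIONS:
        return None
    if ext.upper() == "PIF":
        return f"attachment {name} (PIF executable)"
    # ZIP case: list the archive in memory; nothing is extracted or executed.
    try:
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            inner = [n for n in zf.namelist() if n.upper() in ZIP_INNER_NAMES]
    except zipfile.BadZipFile:
        return f"attachment {name} (ZIP, unreadable)"
    return f"attachment {name} containing {inner[0]}" if inner else None


def scan_message(raw):
    """Return the Netsky.Q indicators found in a raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    if subject_matches(subject):
        hits.append(f"subject: {subject}")
    for part in msg.walk():
        if part.get_filename():
            found = attachment_indicator(part)
            if found:
                hits.append(found)
        elif part.get_content_type() == "text/html" and HTML_LINK_MARKER in part.get_content():
            hits.append(f"html body: link to {HTML_LINK_MARKER}")
    return hits


def build_sample_zip_mail():
    """Constructed message in the shape the entry describes (ZIP variant)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MESSAGE.EML.SCR", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"] = "postmaster@example.test", "user@example.test"
    msg["Subject"] = "Delivery Failure (user@example.test)"
    msg.set_content("Mail Delivery Failure - This mail couldn't be shown.\n"
                    "------------- failed message -------------\n"
                    "Received message has been attached.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="MESSAGE.ZIP")
    return msg.as_bytes()


def build_sample_html_mail():
    """Constructed HTML variant: no attachment, only the crafted link."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = "user@example.test", "Server Error (user@example.test)"
    msg.set_content("<html><body>Or you can view the message at:<br>"
                    "www.example.test/inmail/user/mread.php?sessionid-4711</body></html>",
                    subtype="html")
    return msg.as_bytes()


def build_benign_mail():
    """Constructed ordinary bounce that should produce no findings."""
    msg = EmailMessage()
    msg["To"], msg["Subject"] = "user@example.test", "Undelivered Mail Returned to Sender"
    msg.set_content("This is the mail system at host example.test.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_sample_zip_mail, build_sample_html_mail, build_benign_mail):
        print(build.__name__, scan_message(build()))
```

The bracketed recipient address is what makes generic phrases such as "Error" or "Status" usable as a signal; on its own a subject from the list is far too common in legitimate bounces. The ZIP check only lists the archive, which is enough to see the double extension the entry describes without handling the payload further.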

Further Details  

Netsky.Q is written in Visual C++ 6.0. The worm is 28,008 bytes in size and is compressed with Petite.

The file FIREWALLLOGGER.TXT creates the mutex called _-oO]xX|-+S+-+k+-+y+-+N+-+e+-+t+-|Xx[Oo-_. It creates this mutex so that only one instance of the worm runs at a time.
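The dropped files and Run value from the Infection strategy section, together with the mutex and file size given here, are the host-side indicators an analyst would check. The following is an added triage example, not code from Panda Security or this entry: standard-library Python that normalises the Run value data (expanding %windir%, ignoring quotes, slashes and case), flags the dropped files, corroborates the SysMonXP.EXE copy against the stated 28,008-byte size, and, on Windows only, reads the live Run key with winreg and probes the mutex with ctypes. The sample dictionaries in the main block are constructed data; function names and the finding-string format are my own.

```python
import os
import re
import sys

# Indicators taken from this entry: files dropped into %windir%, the Run value
# used for persistence, the mutex name and the size of the worm body.
DROPPED_FILES = {
    "SYSMONXP.EXE": "copy of the worm",
    "FIREWALLLOGGER.TXT": "worm functionality",
    "ZIPO0.TXT": "MIME-wrapped ZIP copy", "ZIPO1.TXT": "MIME-wrapped ZIP copy",
    "ZIPO2.TXT": "MIME-wrapped ZIP copy", "ZIPO3.TXT": "MIME-wrapped ZIP copy",
    "ZIPPEDBASE64.TMP": "ZIP copy", "BASE64.TMP": "MIME copy",
}
RUN_VALUE_NAME = "SysMonXP"
RUN_VALUE_DATA = r"%windir%\SysMonXP.exe"
MUTEX_NAME = "_-oO]xX|-+S+-+k+-+y+-+N+-+e+-+t+-|Xx[Oo-_"
WORM_SIZE = 28008  # bytes, as stated under Further Details


def _norm(path, windir):
    """Expand %windir%, drop quotes and unify slashes and case for comparison."""
    path = re.sub(r"%windir%", lambda _: windir, path.strip().strip('"'), flags=re.IGNORECASE)
    return path.replace("/", "\\").lower()


def triage_run_values(run_values, windir):
    """Flag Run values whose name or normalised target matches the Netsky.Q entry."""
    target = _norm(RUN_VALUE_DATA, windir)
    return [
        f"Run value {name} = {data}"
        for name, data in run_values.items()
        if name.lower() == RUN_VALUE_NAME.lower() or _norm(data, windir) == target
    ]


def triage_windows_dir(entries):
    """entries maps file name -> size in bytes; flag dropped files and check the copy's size."""
    findings = []
    for name, size in entries.items():
        role = DROPPED_FILES.get(name.upper())
        if role is None:
            continue
        note = ""
        if name.upper() == "SYSMONXP.EXE":
            # A different size is not a clean bill of health; it may simply be another build.
            note = " (size matches 28,008)" if size == WORM_SIZE else f" (size {size}, differs from 28,008)"
        findings.append(f"{name}: {role}{note}")
    return findings


def mutex_present(name=MUTEX_NAME):
    """Windows only: open the named mutex with SYNCHRONIZE access; True if it exists."""
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, name)
    if not handle:
        return False
    k32.CloseHandle(ctypes.c_void_p(handle))
    return True


def collect_live_host():
    """Windows only: read the HKLM Run key values and list files in the Windows directory."""
    import winreg
    windir = os.environ.get("windir", r"C:\Windows")
    run_values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = str(data)
            index += 1
    entries = {n: os.path.getsize(os.path.join(windir, n)) for n in os.listdir(windir)
               if os.path.isfile(os.path.join(windir, n))}
    return run_values, windir, entries


if __name__ == "__main__":
    if sys.platform == "win32":
        run_values, windir, entries = collect_live_host()
        print("mutex present:", mutex_present())
    else:
        # Constructed sample data so the triage logic can be exercised off-Windows.
        windir = r"C:\WINDOWS"
        run_values = {"SysMonXP": r"%windir%\SysMonXP.exe",
                      "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
        entries = {"SysMonXP.exe": 28008, "FireWallLogger.txt": 4096, "notepad.exe": 193536}
    for finding in triage_run_values(run_values, windir) + triage_windows_dir(entries):
        print(finding)
```

The Run value is matched on either the name or the normalised target, so a renamed value that still points at %windir%\SysMonXP.exe is caught, while the file-size check is only corroboration and is reported as such.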

The code of Netsky.Q contains the following text, which is never displayed:
We are the only SkyNet, we don't have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam relaying.
and we aren't children. Due to this, many reports are wrong.
We don't use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker,
cracking, sharing with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don't prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...

- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -