Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Netsky.Q
At a glance
Common name: Netsky.Q
Technical name: W32/Netsky.Q.worm
Threat level: Medium
Alias: Email-Worm.Win32.NetSky.r
Type: Worm
Effects: It attempts to launch Denial of Service attacks against several web pages, deletes the Windows Registry entries belonging to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle, and emits a sound through the internal speaker.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on: March 29, 2004
Detection updated on: July 29, 2009
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
Netsky.Q is a worm that deletes the Windows Registry entries that belong to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle. Netsky.Q attempts to launch DoS (Denial of Service) attacks against several web pages between April 8 and 11, inclusive. Netsky.Q spreads via email in a message with variable characteristics. It is automatically activated when the email message is viewed through Outlook's Preview Pane. It achieves this by exploiting a vulnerability in Internet Explorer that allows email attachments to be run automatically; this exploit is known as Exploit/iFrame. In addition, when the system date is March 30, 2004, between 5:00 a.m. and 10:59 a.m., Netsky.Q emits a sound consisting of random tones through the internal speaker.
Visible Symptoms
Netsky.Q is easy to recognize, as it emits a sound consisting of random tones through the internal speaker when the system date is March 30, 2004, between 5:00 a.m. and 10:59 a.m.
Tech details
Effects
Netsky.Q carries out the following actions:
- It attempts to launch DoS (Denial of Service) attacks against the following web pages, between April 8 and 11, inclusive:
  www.cracks.st
  www.cracks.am
  www.emule-project.net
  www.kazaa.com
  www.edonkey2000.com
- It deletes the Windows Registry entries that belong to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.
- It emits a sound consisting of random tones through the internal speaker when the system date is March 30, 2004, between 5:00 a.m. and 10:59 a.m.
Infection strategy
Netsky.Q creates the following files in the Windows directory:
- SYSMONXP.EXE. This file is a copy of the worm.
- FIREWALLLOGGER.TXT. This file implements the worm's functionality.
- ZIPO0.TXT, ZIPO1.TXT, ZIPO2.TXT and ZIPO3.TXT. These MIME-format files contain a ZIP-compressed copy of the worm.
- ZIPPEDBASE64.TMP. This ZIP-compressed file contains a copy of the worm.
- BASE64.TMP. This MIME-format file contains a copy of the worm.
Netsky.Q creates the following entry in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  SysMonXP = %windir%\SysMonXP.exe
where %windir% is the Windows directory.
By creating this entry, Netsky.Q ensures that it is run whenever Windows is started.
Netsky.Q deletes the following entries in the Windows Registry, if present (the value name, where one applies, is shown under its key):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Explorer
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  msgsvr32
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  au.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  winupd.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  direct.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  direct.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Taskmon
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Taskmon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  DELETE ME
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  d3dupdate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  gouday.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  rate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  OLE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  jijbl
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Video
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  service
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sentry
- HKEY_CURRENT_USER\Windows Services Host
- HKEY_LOCAL_MACHINE\Windows Services Host
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  sysmon.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  srate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ssate.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  winupd.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Video
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  PINF
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Microsoft IE Execute shell
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Winsock2 driver
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Winsock2 driver
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ICM version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  yeahdude
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  yeahdude
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  yeahdude
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Microsoft System Checkup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Microsoft System Checkup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Microsoft System Checkup
These entries are created by several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.
Means of transmission
Netsky.Q spreads via email. It follows the routine below:
- It reaches the computer in an email message with variable characteristics:
Subject: It consists of one of the following phrases, and the email address of the recipient between brackets:
Deliver Mail
Delivered Message
Delivery
Delivery Bot
Delivery Error
Delivery Failed
Delivery Failure
Error
Failed
Failure
Mail Delivery failure
Mail Delivery System
Mail System
Server Error
Status
Unknown Exception
Message: it can be written in plain text or in HTML format, and it is composed of phrases taken from the following lists:
List 1:
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn't be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Hard-coded item:
------------- failed message -------------
List 2:
Message has been sent as a binary attachment.
Modified message has been sent as a binary attachment.
Note: Received message has been sent as a binary file.
Partial message is available and has been sent as a binary attachment.
Received message has been attached.
Received message has been sent as an encoded attachment.
The message has been sent as a binary attachment.
Translated message has been attached.
Final text:
Note: if the message is in HTML format, it will apparently have no attached files, and it will include the following text:
Or you can view the message at:
www.%domain of the recipient%/inmail/%name of the recipient%/mread.php?sessionid-%random number%
This link is specially crafted to run the worm's code automatically by exploiting the vulnerability known as Exploit/iFrame.
Attachments: the file name is variable, and it can have a ZIP or PIF extension:
Possible file names: DATA, MAIL, MESSAGE, MSG.
For example: DATA.PIF, MESSAGE.ZIP, MSG.PIF, etc.
If the attached file has a ZIP extension, it will contain one of the following files:
DATA.EML.SCR, MAIL.EML.SCR, MSG.EML.SCR or MESSAGE.EML.SCR.
- The computer is affected when the attached file is run, or when the email message is viewed through Outlook's Preview Pane. The worm achieves this by exploiting a vulnerability in Internet Explorer that allows email attachments to be run automatically; this exploit is known as Exploit/iFrame.
- Netsky.Q searches for email addresses in files with an ADB, ASP, CFG, CGI, DBX, DHTM, DOC, EML, HTM, HTML, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, PPT, RTF, SHT, SHTM, STM, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML extension.
- Netsky.Q sends a copy of itself to the addresses it has gathered, using its own SMTP engine. However, it does not send itself to the addresses containing any of the following text strings:
@antivi, @avp, @bitdefender, @fbi, @f-pro, @freeav, @f-secur, @kaspersky, @mcafee, @messagel, @microsof, @norman, @norton, @pandasof, @skynet, @sophos, @spam, @symantec, @viruslis, abuse@, noreply@, ntivir, reports@, spam@.
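The message characteristics above (forged bounce subject carrying the recipient's address in brackets, body phrases drawn from the two lists, the fake "view the message at" link in the HTML variant, and the DATA/MAIL/MESSAGE/MSG attachment names with a .PIF or .ZIP extension or an .EML.SCR double extension inside the ZIP) are enough to build a gateway-side triage rule. The following is an added example written for this page, not Panda's code and not part of the worm: the phrase lists are copied from the section above, the acceptance of both round and square brackets in the subject is an assumption (the page only says "between brackets"), and the three sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string

# Subject phrases and body phrases listed on the page (lower-cased for matching).
SUBJECT_PHRASES = {
    "deliver mail", "delivered message", "delivery", "delivery bot",
    "delivery error", "delivery failed", "delivery failure", "error",
    "failed", "failure", "mail delivery failure", "mail delivery system",
    "mail system", "server error", "status", "unknown exception",
}
BODY_PHRASES = (
    "translation failed", "invalid mail specification",
    "this mail couldn't be displayed", "this mail contains unicode characters",
    "this mail couldn't be represented", "this mail couldn't be shown",
    "this mail contains binary characters", "this mail couldn't be converted",
    "failed message", "has been sent as a binary attachment",
    "has been sent as a binary file", "has been attached",
    "has been sent as an encoded attachment",
)
ATTACH_STEMS = {"data", "mail", "message", "msg"}
# "<phrase> (<recipient>)"; round or square brackets accepted (assumption).
SUBJECT_RE = re.compile(r"^(?P<phrase>.+?)\s*[(\[](?P<addr>[^)\]]+)[)\]]\s*$")
# Shape of the fake "view the message at" link used by the HTML variant.
LINK_RE = re.compile(r"www\.[\w.-]+/inmail/[^/\s]+/mread\.php\?sessionid-\d+", re.I)


def subject_indicator(subject, recipient):
    """True if the subject is a listed phrase followed by the recipient in brackets."""
    m = SUBJECT_RE.match(subject or "")
    return bool(m) and m["phrase"].strip().lower() in SUBJECT_PHRASES \
        and m["addr"].strip().lower() == recipient.lower()


def attachment_indicator(filename):
    """DATA/MAIL/MESSAGE/MSG with .pif/.zip, or the *.EML.SCR name found inside the ZIP."""
    name = (filename or "").lower()
    stem, _, ext = name.rpartition(".")
    if stem in ATTACH_STEMS and ext in {"pif", "zip"}:
        return True
    return name.endswith(".eml.scr") and name.split(".")[0] in ATTACH_STEMS


def triage(raw, recipient):
    """Score one RFC 822 message; returns the individual indicators and a verdict."""
    msg = message_from_string(raw)
    hits = {"subject": subject_indicator(msg["Subject"], recipient),
            "body": 0, "link": False, "attachment": False}
    for part in msg.walk():
        fname = part.get_filename()
        if fname:                                   # attachment part: check its name only
            hits["attachment"] |= attachment_indicator(fname)
            continue
        if part.get_content_maintype() == "text":   # plain or HTML body
            text = part.get_payload(decode=True).decode("latin-1", "replace").lower()
            hits["body"] += sum(p in text for p in BODY_PHRASES)
            hits["link"] |= bool(LINK_RE.search(text))
    # Verdict: forged-bounce subject plus a payload (attachment or link) or two body phrases.
    hits["netsky_q_like"] = hits["subject"] and (
        hits["attachment"] or hits["link"] or hits["body"] >= 2)
    return hits


# Constructed sample messages (not real captures).
SAMPLE_PIF = (
    "From: postmaster@example.org\r\nTo: alice@example.com\r\n"
    "Subject: Delivery Failed (alice@example.com)\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\n"
    "Mail Delivery Failure - This mail couldn't be shown.\r\n"
    "------------- failed message -------------\r\n"
    "Received message has been attached.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="MSG.PIF"\r\n'
    'Content-Disposition: attachment; filename="MSG.PIF"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
)
SAMPLE_HTML = (
    "Subject: Mail System (bob@example.net)\r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<p>Mail Delivery System - This mail contains binary characters</p>"
    "<p>Or you can view the message at:<br>"
    "www.example.net/inmail/bob/mread.php?sessionid-38274</p>"
)
BENIGN = ("Subject: Status update\r\nContent-Type: text/plain\r\n\r\n"
          "Hi, the deployment finished. Status: green.\r\n")

if __name__ == "__main__":
    for name, raw, rcpt in (("pif", SAMPLE_PIF, "alice@example.com"),
                            ("html", SAMPLE_HTML, "bob@example.net"),
                            ("benign", BENIGN, "alice@example.com")):
        print(name, triage(raw, rcpt))
```

The verdict deliberately requires the subject indicator together with a second signal, because single list phrases ("Status", "Error", "has been attached") occur in legitimate bounces; the link regex and the .EML.SCR double-extension check are the two signals that legitimate mail almost never carries.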
Further Details
Netsky.Q is written in Visual C++ 6.0. The worm is 28,008 bytes in size and is compressed with Petite.
The file FIREWALLLOGGER.TXT creates a mutex called _-oO]xX|-+S+-+k+-+y+-+N+-+e+-+t+-|Xx[Oo-_, so that only one instance of the worm runs at a time.
The code of Netsky.Q contains the following text, which is never displayed:
We are the only SkyNet, we don't have any criminal inspirations.
Due to many reports, we do not have any backdoors included for spam relaying.
and we aren't children. Due to this, many reports are wrong.
We don't use any virus creation toolkits, only the higher language
Microsoft Visual C++ 6.0. We want to prevent hacker,
cracking, sharing with illegal stuff and similar illegal content.
Hey, big firms only want to make a lot of money.
That is what we don't prefer. We want to solve and avoid it.
Note: Users do not need a new av-update, they need
a better education! We will envolope...
- Best regards, the SkyNet Antivirus Team, Russia 05:11 P.M -