WORM_NETSKY.G

Overview

Malware type: Worm

Aliases: Email-Worm.Win32.NetSky.g (Kaspersky), W32/Netsky.g@MM (McAfee), W32.Netsky.G@mm (Symantec), Worm/Netsky.G (Avira), W32/Netsky-G (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This NETSKY variant spreads via email as a .PIF or .ZIP attachment. It gathers target email addresses from files with the following extensions found in drives C to Z (but bypassing the CD-ROM drive):

  • adb
  • asp
  • cgi
  • dbx
  • dhtm
  • doc
  • eml
  • htm
  • html
  • msg
  • oft
  • php
  • pl
  • rtf
  • sht
  • shtm
  • tbb
  • txt
  • uin
  • vbs
  • wab

The email message it sends out has varying subjects, message bodies and attachment file names.

This worm also deletes several autorun registry entries associated with other malware (listed under Deletion of Registry Entries in the Technical Details) in an attempt to prevent their automatic execution at every system startup.

When the current date is March 10, 2004, and the current hour is between 6 and 8, it generates a beeping sound.

This TELock-compressed malware is written using Microsoft Visual C++, a high-level programming language, and runs on Windows 95, 98, ME, 2000, and XP.

Description created: Mar. 4, 2004 8:14:29 AM GMT -0800
Description updated: Mar. 4, 2004 8:14:49 AM GMT -0800


Technical Details

Size of malware: 27,648 bytes

Initial samples received on: Mar 4, 2004

Payload 1: Generates Sound

Trigger condition 1: System date = March 10, 2004 and Current Hour = 6 to 8

Details:

Arrival and Installation

This worm arrives as an email attachment with a .PIF or .ZIP extension.

Upon execution, it drops a copy of itself as AVGUARD.EXE in the Windows folder. Then, it creates the following registry entry to ensure its execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Special Firewall Service="%Windows%\avguard.exe -av service"

(Note: %Windows% refers to the Windows folder usually C:\Windows or C:\WINNT.)

It also creates the mutex Netsky AV Guard to ensure that only one copy of itself is running.

Email Propagation

To propagate, this worm sends itself via email to target email addresses it gathers from the system. The email that it sends out has the following details:

Subject: (Any of the following)
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Message body: (Any of the following)

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attachment: (Any of the following)
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif

(Note: The email attachment may also have a .ZIP extension.)
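As an added, defender-side example that is not part of the original Trend Micro description, the following Python flags a raw RFC 822 message that combines the lure subjects, message bodies and attachment names listed above (with the .PIF or .ZIP extension noted). The sample message is constructed for the example; the function names are the example's own.

```python
import email
import os

# Lure strings copied from the description above, compared case-insensitively.
SUBJECTS = {s.strip().lower() for s in """Re: Re: Document|Re: Re: Thanks!|
Re: Thanks!|Re: Your document|Re: Here is the document|Re: Your picture|
Re: Re: Message|Re: Hi|Re: Hello|Re: Re: Re: Your document|Re: Here|
Re: Your music|Re: Your software|Re: Approved|Re: Details|Re: Excel file|
Re: Word file|Re: My details|Re: Your details|Re: Your bill|Re: Your text|
Re: Your archive|Re: Your letter|Re: Your product|Re: Your website""".split("|")}
BODIES = {"your file is attached.", "please read the attached file.",
          "please have a look at the attached file.", "here is the file.",
          "see the attached file for details.", "your document is attached."}
ATTACHMENT_STEMS = set("""your_website your_product your_letter your_archive
your_text your_bill your_details document_word document_excel my_details
all_document application mp3music yours document_4351 your_file
message_details your_picture document_full message_part2 document
your_document""".split())

def netsky_g_indicators(raw: str) -> dict:
    """Report which NETSKY.G lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "body": False, "attachment": None}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # The worm's attachment name is a fixed stem with .pif or .zip.
            stem, ext = os.path.splitext(name.lower())
            if stem in ATTACHMENT_STEMS and ext in (".pif", ".zip"):
                hits["attachment"] = name
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(errors="replace")
            if text.strip().lower() in BODIES:
                hits["body"] = True
    return hits

def is_netsky_g(raw: str) -> bool:
    """A lure attachment plus a matching subject or body is a confident hit."""
    h = netsky_g_indicators(raw)
    return bool(h["attachment"]) and bool(h["subject"] or h["body"])

# Constructed sample (not a real capture) shaped like the worm's multipart mail.
SAMPLE = ("Subject: Re: Your document\nContent-Type: multipart/mixed; boundary=b1\n\n"
          "--b1\nContent-Type: text/plain\n\nYour document is attached.\n"
          "--b1\nContent-Disposition: attachment; filename=your_document.pif\n\n"
          "(constructed placeholder body)\n--b1--\n")
```

A subject alone (for example "Re: Hi") is too common to act on, so the verdict requires the lure attachment name as well.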

It gathers target email addresses from files with the following extensions, which it looks for in drives C to Z (except the CD-ROM drive):

  • adb
  • asp
  • cgi
  • dbx
  • dhtm
  • doc
  • eml
  • htm
  • html
  • msg
  • oft
  • php
  • pl
  • rtf
  • sht
  • shtm
  • tbb
  • txt
  • uin
  • vbs
  • wab

It skips email addresses that have the following substrings:

  • abuse
  • andasoftwa
  • antivi
  • antivir
  • aspersky
  • avp
  • cafee
  • fbi
  • f-pro
  • freeav
  • f-secur
  • icrosoft
  • iruslis
  • itdefender
  • messagelabs
  • orman
  • orton
  • skynet
  • sophos
  • spam
  • ymantec

(Note: It has been observed that NETSKY worms, when harvesting email addresses, convert all uppercase letters to lowercase. For example, if the worm finds the email address John.Doe@Somewhere.com, it first converts the address string to john.doe@somewhere.com.)

Mail Exchange (MX) Lookup

This NETSKY variant also connects to the local DNS servers and queries for the mail exchanger (MX record) that matches the domain name of the target recipient's email address. Once it finds the corresponding mail exchanger, it uses that host as its SMTP server.

If none of the local DNS servers return a corresponding mail exchanger, this malware falls back to querying a set of external DNS servers instead.

Deletion of Registry Entries

In an attempt to prevent the automatic execution of several prevalent malware families during startup, this worm deletes the following autorun registry entries:

  • For WORM_MYDOOM.A

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Taskmon

  • For WORM_MYDOOM.B

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer

  • For both WORM_MYDOOM.A and WORM_MYDOOM.B

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

  • For WORM_MIMAIL.T

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    KasperskyAv

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    KasperskyAv

  • For WORM_NETSKY.A or WORM_NETSKY.B

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    service

  • For WORM_DEADHAT.B

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    msgsvr32

  • For WORM_NACHI.B and WORM_NACHI.C

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

  • For PE_PARITE.A

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

  • For WORM_BAGLE.A

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    d3dupdate.exe

  • For WORM_BAGLE.B

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    au.exe

  • For WORM_BAGLE.C and WORM_BAGLE.D

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    gouday.exe

  • For WORM_BAGLE.E, WORM_BAGLE.F, WORM_BAGLE.G, WORM_BAGLE.H, WORM_BAGLE.I

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    rate.exe

  • For WORM_BAGLE.J and WORM_BAGLE.K

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ssate.exe

It also deletes the following registry entries, which are possibly utilized by other malware for their autostart routines:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
system

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
system

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
DELETE ME

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OLE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Sentry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Host

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Host

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
sysmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
sate.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
srate.exe

Payload

When the current date is March 10, 2004, and the current hour is between 6 and 8, this malware generates a beeping sound.

Other Details

The following text strings are found in the body of this TELock-compressed worm:

Netsky AntiVirus - Give up, bagle & mydoom, dude! You are fucking your mother! I want to meet you in the U,S.A, Road-App time enc:[fg.od.jgij], and the you will know what pain is
Analysis by: Crescencio Reyes

Revision History:

First pattern file version: 5.540.03
First pattern file release date: Sep 12, 2008

Solution

Minimum scan engine version needed: 5.600

Pattern file needed: 5.541.00

Pattern release date: Sep 14, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
     HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
     Special Firewall Service="%Windows%\avguard.exe -av service"
     Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
  4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the Terminating the Malware Program procedure, restart your system.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
     On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
     On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs, locate the process:
     AVGUARD.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Deleting a Malware File

On Windows 9x/NT

  1. Click Start>Find>Files and Folders.
  2. In the Named input box, type:
     AVGUARD.EXE
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
  4. Once located, delete the file.

On Windows 2000/ME/XP

  1. Click Start>Search>For Files and Folders.
  2. In the Search for files and folders named input box, type:
     AVGUARD.EXE
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
  4. Once located, delete the file.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_NETSKY.G. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
