W32/Netsky-C

Category: Viruses and Spyware Protection available since:25 Feb 2004 00:00:00 (GMT)
Type: Win32 worm Last Updated:08 Feb 2013 23:44:50 (GMT)
Prevalence: Several Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Netsky-C is a worm which spreads via shared networks and by emailing itself to addresses found within files located on drives C: to Z:.

The email subject line, message text and attachment filename are randomly chosen from lists within the worm.

The name of the attached file is chosen from:

associal, msg, yours, doc, wife, talk, message, response,
creditcard, description, details, attachment, pic, me, trash,
card, stuff, poster, posting, portmoney, textfile, moonlight,
concert, sexy, information, news, note, number_phone, bill,
mydate, swimmingpool, class_photos, product, old_photos, topseller,
ps, important, shower, myaunt, aboutyou, yours, nomoney, birth,
found, death, story, worker, mails, letter, more, website,
regards, regid, friend, unfolds, jokes, doc_ang, your_stuff,
location, 454543403, final, schock, release, webcam, dinner,
intimate stuff, sexual, ranking, object, secrets, mail2, attach2,
part2, msg2, disco, freaky, visa, party, material, misc,
nothing, transfer, auction, warez, undefinied, violence, update,
masturbation, injection, naked1, naked2, tear, music, paypal,
id, privacy, word_doc, image or incest.

The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be preceded by .DOC, .HTM, .RTF or .TEXT. (e.g. visa.htm.scr)

W32/Netsky-C spreads via file sharing networks by copying itself to folders on drives C: to Z: whose name contains the sub-string 'Shar', using a filename randomly chosen from the following list:

1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe

When the worm is run on the 26th of February 2004 between 06:00 and 09:00 it may cause the computer to beep sporadically.

The Netsky-C worm contains the following text embedded in its code:

<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->-> W32/Netsky-C is a worm which spreads via shared networks and by emailing itself to addresses found within files located on drives C: to Z:.

The email subject line, message text and attachment filename are randomly chosen from lists within the worm.

The name of the attached file is chosen from:

associal, msg, yours, doc, wife, talk, message, response,
creditcard, description, details, attachment, pic, me, trash,
card, stuff, poster, posting, portmoney, textfile, moonlight,
concert, sexy, information, news, note, number_phone, bill,
mydate, swimmingpool, class_photos, product, old_photos, topseller,
ps, important, shower, myaunt, aboutyou, yours, nomoney, birth,
found, death, story, worker, mails, letter, more, website,
regards, regid, friend, unfolds, jokes, doc_ang, your_stuff,
location, 454543403, final, schock, release, webcam, dinner,
intimate stuff, sexual, ranking, object, secrets, mail2, attach2,
part2, msg2, disco, freaky, visa, party, material, misc,
nothing, transfer, auction, warez, undefinied, violence, update,
masturbation, injection, naked1, naked2, tear, music, paypal,
id, privacy, word_doc, image or incest.

The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be preceded by .DOC, .HTM, .RTF or .TEXT. (e.g. visa.htm.scr)

When first run W32/Netsky-C copies itself to the Windows folder as winlogon.exe and creates the following registry entry so that winlogon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
= <WINDOWS>\winlogon.exe -stealth

W32/Netsky-C spreads via file sharing networks by copying itself to folders on drives C: to Z: whose name contains the sub-string 'Shar', using a filename randomly chosen from the following list:

1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe

W32/Netsky-C attempts to delete the following registry entries if they exist:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

When the worm is run on the 26th of February 2004 between 06:00 and 09:00 it may cause the computer to beep sporadically.

The Netsky-C worm contains the following text embedded in its code:

<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->

download Try Sophos products for free
Download now