W32/Netsky-F

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Netsky-F is a worm that spreads via email.

W32/Netsky-F scans all local drives for files with the extensions DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML and attempts to extract email addresses from them. The worm skips email addresses containing the following strings:

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

In order to spread, the worm creates 16 threads that send emails containing the worm as an attachment to the harvested addresses. W32/Netsky-F uses its own SMTP engine to send the mail. The subject lines, message texts and attachment filenames are randomly chosen from the following possibilities:

Subject line:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document

Message text:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attachment filename:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif

On the 2nd of March 2004 W32/Netsky-F plays random sounds from 6 to 8 o'clock using the internal speaker.

W32/Netsky-F contains the following text hidden inside its code, which does not get displayed:

Skynet AntiVirus - Bagle - you are a looser!!!!

In order to run automatically when Windows boots up, the worm copies itself to the file svchost.exe in the Windows folder and sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client Ex = C:\Windows\svchost.exe -antivirus service
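The persistence entry above gives three host-side indicators: the value name, the "-antivirus service" argument, and a copy of svchost.exe started from a Run key rather than by the service control manager from System32. As an added example (not Sophos code), this parses constructed `reg query`-style output of the Run key and reports each indicator; the two benign entries in the sample are invented filler:

```python
import re
from typing import List, Tuple

# Constructed sample of `reg query` output for the HKLM Run key. The
# "Zone Labs Client Ex" entry is the one W32/Netsky-F sets (data taken from the
# description above); the other two are benign filler invented for this example.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Zone Labs Client Ex    REG_SZ    C:\Windows\svchost.exe -antivirus service
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"""

NETSKY_F_VALUE_NAME = "zone labs client ex"
NETSKY_F_ARGUMENT = "-antivirus service"
# `reg query` separates value name, type and data with runs of whitespace.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Parse the value lines of `reg query` output into (name, type, data) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def netsky_f_findings(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Return one finding per indicator of the Netsky-F persistence entry."""
    findings = []
    for name, _type, data in entries:
        lowered = data.lower()
        if name.lower() == NETSKY_F_VALUE_NAME:
            findings.append(f"Run value name matches Netsky-F: {name!r}")
        if NETSKY_F_ARGUMENT in lowered:
            findings.append(f"Netsky-F command-line argument under {name!r}: {data!r}")
        # The genuine svchost.exe is started by the service control manager from
        # %SystemRoot%\System32 and is never registered under a Run key, so any
        # Run entry whose program is svchost.exe is suspicious by itself.
        program = lowered.split(" -", 1)[0].strip('"')
        if program.endswith("svchost.exe"):
            findings.append(f"svchost.exe launched from a Run key by {name!r}")
    return findings
```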

The worm attempts to disable various anti-virus and security-related applications by deleting registry entries used by them. In particular, it attempts to delete the registry entries below:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ for Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME, service, Sentry, Windows Service Host

and

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ for Taskmon, Exporer, KasperskyAv, d3dupdate.exe, au.exe, OLE, Windows Service Host, gouday.exe, rate.exe, sysmon.exe.

This has the side-effect of disabling any infection of the W32/Bagle-A, W32/Bagle-B (also known as W32/Tanx-A), W32/Bagle-C, W32/Bagle-D, W32/Bagle-E, W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, and W32/Bagle-I worms if present.

The worm also deletes the following entries:

HKCR\CLSID\E6FB5E20-DE35-11CF-9C87-00AA005127ED\InProcServer32
HKCU\System\CurrentControlSet\Services\WksPatch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
