W32/Netsky-K is a mass-mailing worm that uses its own SMTP engine to email
itself to addresses harvested from files on local drives.
In order to run automatically when the user logs on to the computer, the worm
copies itself to the file avpguard.exe in the Windows folder and creates the
following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\My AV
= "C:\\WINDOWS\\avpguard.exe -av serv"
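As an added example (not part of the original description), the following Python parses a text dump in the format written by "reg export" and flags Run-key entries that match the persistence entry above: the value name "My AV", an executable named avpguard.exe, or the "-av serv" argument. The dump itself is constructed for the example; the benign entries in it are placeholders, not real observations.

```python
import re

# Constructed excerpt in the "reg export" file format (not a real capture).
# Only the "My AV" value reproduces the entry from the description; the
# other two values are benign filler so the filter has something to ignore.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"My AV"="C:\\WINDOWS\\avpguard.exe -av serv"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

# A REG_SZ line looks like "name"="data"; quotes and backslashes inside the
# strings are escaped with a backslash in the file.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg dump.
    Binary/DWORD values (hex:, dword:) are not string values and are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def find_netsky_k_persistence(text):
    """Return Run-key entries matching the W32/Netsky-K persistence entry,
    each with the list of indicators that matched."""
    findings = []
    for key, name, data in parse_reg_export(text):
        # Only the per-machine and per-user Run keys are of interest here.
        if not key.lower().endswith(r"\microsoft\windows\currentversion\run"):
            continue
        reasons = []
        if name.lower() == "my av":
            reasons.append("value name 'My AV'")
        if re.search(r"\\avpguard\.exe\b", data, re.IGNORECASE):
            reasons.append("runs avpguard.exe")
        if "-av serv" in data.lower():
            reasons.append("'-av serv' argument")
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_netsky_k_persistence(REG_EXPORT):
        print(f"{hit['key']}\\{hit['name']} = {hit['data']!r}")
        print("  indicators:", ", ".join(hit["reasons"]))
```

On a live system the same check applies to the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (and the HKCU equivalent); matching on all three indicators rather than the value name alone catches the entry even if a variant renames the value.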
The worm attempts to disable various anti-virus and security-related
applications, as well as other worms, by deleting the registry entries they
use.
In particular it attempts to delete the following values:
Taskmon, Explorer, system., msgsvr32, DELETE ME,
service, Sentry, Windows Services Host
below the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm deletes the following values:
Explorer, d3dupdate.exe, au.exe, OLE, Windows Services Host,
gouday.exe, rate.exe, sate.exe, ssate.exe, srate.exe, sysmon.exe
below the registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Netsky-K also deletes the following registry entries:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
Some of the above entries are created by variants of the
W32/Bagle and W32/MyDoom families of worms.
W32/Netsky-K harvests email addresses from files on all local drives that have
one of the following extensions:
XML, WSH, JSP, DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP,
UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML
The worm avoids email addresses containing the following strings:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft
Emails have the following characteristics:
Subject lines chosen from:
Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www.%s.tripod.com
Hi Mr. %s
Moi %s
Yours faithfully, %s
Message to %s
Hi Mrs. %s
Is %s.doc yours?
Is %s.xls yours?
Whats up %s
www.paypal.com/%s
Best %s
Love %s
Good morning %s
Have a good day %s
Dear %s
To %s , it's me
Welcome %s
Moin %s
Hello %s
Your account %s is expired!
Hey %s
www.%s.freepage.com, your website
Hi %s, your product
Hello %s, your letter
Re: Hi %s, your archive
Re: %s, your text
Re: Hello %s, your bill
Re: Hi %s, your details
Re: Hello %s, my details
Re: Hi %s, your word file
Re: Hello %s, your excel file
Re: Hi %s, details
Re: Hello %s, Approved
Re: Hello %s, your software
Re: Hi %s, your music
Re: Dear %s, Here
Re: Re: Re: Hello %s, your document
Re: Hi %s
Re: Dear %s, Hi
Re: Re: Hi %s, your message
Re: Here %s, your picture
Re: Hi %s, here is the document
Re: Hello %s, your document
Re: %s, thanks!
Re: Re: %s, thanks!
Re: Re: Hi %s, document
Re: Hello %s, document
Message texts chosen from:
My details are in the attached file.
I have corrected your document.
Please do not forget to read the important document.
I have an interesting document about you.
The sample is attached.
Your personal document is attached.
Your file is attached to this mail.
Note that I have attached your file.
The important document is attached.
Please read the document. It's important.
Your document is attached to this mail.
See the attachment for further details.
Your file is attached. Use this password for the file: %i.
Please read the attached file. Password for the file is %i.
Please have a look at the attached file. Password for decrypting is %i.
See the attached file for details. Password is %i.
Here is the file. My password is %i.
Your document is attached. Your password is %i.
Attached filename chosen from:
website_%s.pif
your_product_%s.pif
letter_%s.pif
archive%s.pif
your_text%s.pif
bill_%s.pif
your_details%s.pif
%s_details.pif
%s_document_word.pif
%s_document_excel.pif
%s_my_details.pif
%s_all_document.pif
%s_application.pif
mp3music_%s.pif
yours%s.pif
document_%s4351.pif
%s_picture.pif
%s_file.pif
%s_message_details.pif
yourpicture%s.pif
%s_document_full.pif
%s_your_message_part2.pif
%sinformation.pif
%sdocument.pif
%s_your_document.pif
where %s is replaced by a variable username string and %i by a variable
number.
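As an added example (not part of the original description), the following Python turns a subset of the subject, message-text and attachment templates above into anchored regular expressions, with %s standing for any non-empty username string and %i for a run of digits, and scores constructed sample messages against them. The template subset and the sample messages are the example's own; the scoring threshold (two independent matching parts) is a hypothetical choice, not something the description prescribes.

```python
import re

# Subset of the W32/Netsky-K templates listed above, placeholders kept verbatim.
SUBJECT_TEMPLATES = [
    "Re: Your details", "Re: Hi %s", "Re: Hi %s, your details",
    "Re: Hello %s, your document", "Is %s.doc yours?", "www.%s.tripod.com",
    "Your account %s is expired!", "Re: Re: Hi %s, document",
]
BODY_TEMPLATES = [
    "My details are in the attached file.",
    "Please read the attached file. Password for the file is %i.",
    "Here is the file. My password is %i.",
    "See the attachment for further details.",
]
ATTACHMENT_TEMPLATES = [
    "%s_details.pif", "%s_my_details.pif", "document_%s4351.pif",
    "yours%s.pif", "%s_document_word.pif", "letter_%s.pif",
]

PLACEHOLDER = re.compile(r"(%s|%i)")


def template_to_regex(template):
    """Compile a %s/%i template into a case-insensitive regex: %s becomes a
    non-empty run of characters, %i a run of digits, all else is literal."""
    parts = []
    for piece in PLACEHOLDER.split(template):
        if piece == "%s":
            parts.append(r".+?")
        elif piece == "%i":
            parts.append(r"\d+")
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts), re.IGNORECASE)


def literal_length(template):
    """Number of literal (non-placeholder) characters in a template."""
    return len(PLACEHOLDER.sub("", template))


def best_match(value, templates):
    """Return the matching template with the most literal text, or None.
    Preferring literal text stops "Re: Hi %s" from shadowing the more
    specific "Re: Hi %s, your details"."""
    hits = [t for t in templates if template_to_regex(t).fullmatch(value)]
    return max(hits, key=literal_length) if hits else None


def classify_email(email):
    """Map each part of the email that matches to the template it matched.
    A .pif attachment that matches no template is still reported, since the
    worm only ever sends .pif attachments."""
    found = {}
    t = best_match(email["subject"].strip(), SUBJECT_TEMPLATES)
    if t:
        found["subject"] = t
    name = email.get("attachment", "")
    t = best_match(name, ATTACHMENT_TEMPLATES)
    if t:
        found["attachment"] = t
    elif name.lower().endswith(".pif"):
        found["attachment"] = "*.pif"
    for line in email["body"].splitlines():
        t = best_match(line.strip(), BODY_TEMPLATES)
        if t:
            found["body"] = t
            break
    return found


def is_suspicious(email):
    """Hypothetical threshold: flag when two or more parts match."""
    return len(classify_email(email)) >= 2


# Constructed sample messages (not real captures).
SAMPLE_EMAILS = [
    {"subject": "Re: Hi alice, your details",
     "attachment": "alice_details.pif",
     "body": "Please read the attached file. Password for the file is 58312."},
    {"subject": "Your account bob is expired!",
     "attachment": "invoice.pif",
     "body": "Hi,\nSee the attachment for further details.\nThanks"},
    {"subject": "Re: lunch on Friday",
     "attachment": "agenda.pdf",
     "body": "See you at noon."},
]

if __name__ == "__main__":
    for mail in SAMPLE_EMAILS:
        verdict = "SUSPICIOUS" if is_suspicious(mail) else "clean"
        print(f"{mail['subject']!r}: {verdict} {classify_email(mail)}")
```

Because the subject templates are anchored at both ends, a match requires the whole subject to fit the template, which keeps ordinary "Re:" replies from matching; the full lists from the description can be dropped into the three template arrays without changing the matching code.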
On 10 March 2004, W32/Netsky-K plays random sounds between 10:00 and
11:00.