Wednesday, November 4, 2009

Win32/NetSky.Q - Worm Internet

Win32/NetSky.Q is an internet worm spreading via e-mail messages, P2P networks or shared network drives. Use ESET NOD32 Antivirus to protect your computer.

Note: In the following text the symbolic name %windir% is used instead of the name of the directory in which the Windows operating system is installed, which may differ from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm is an executable nearly 29 kilobytes long. Upon execution it copies itself into the %windir% directory under the name "FVProtect.exe".
It also creates a file called "userconfig9x.dll", which is 26 kB long. This dynamic library file is then executed.

In order to be run every time Windows starts, the worm creates a Registry entry called "Norton Antivirus AV" in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The new entry contains the path to "FVProtect.exe".

The following Registry entries are removed by the worm:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijbl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sentry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe

In this way some older worms, if present on the system, are deactivated.

The following files are created in the %windir% directory: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
These are used when the e-mail messages are composed.

The worm searches all local disks for directories whose names contain any of the following strings:

bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload

The worm then copies itself into such directories using the following names:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

This enables the worm to spread via P2P networks and other shared resources.

Files with the extensions listed below are also searched for:

.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml

Win32/NetSky.Q extracts e-mail addresses from these files. Addresses containing any of the following strings are avoided:

@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@

The messages used for spreading the worm are composed from a long list of strings. The sender address is either picked at random from the harvested addresses or is one of the addresses contained in the worm:

abuse@gov.us
noreply@paypal.com
support@symantec.com

The subject of the message is chosen from the list below:

-do0-i4grjj40j09gjijgp
0i09u5rug08r89589gjrg
Administrator
approved
Congratulations!
corrected
Do you?
Does it matter?
Error
Fwd: Warning again
Hello
hello
here
Hi
hi
I cannot forget you!
I love you!
Illegal Website
important
Important m$6h?3p
improved
Information
Internet Provider Abuse
Is that your password?
Mail Account
Mail Authentication
Mail Delivery (failure %s)
Mail Delivery (failure)
News
Notice again
patched
Postcard
Private document
Protected Mail System
Re:
Re: A!p$ghsa
Re: Administration
Re: Approved document
Re: Bad Request
Re: Delivery Protection
Re: Delivery Server
Re: Developement
Re: Encrypted Mail
Re: Error
Re: Error in document
Re: Extended Mail
Re: Extended Mail System
Re: Failure
Re: Free porn
Re: Hello
Re: Hi
Re: Is that your document?
Re: Its me
Re: Mail Authentification
Re: Mail Server
Re: Message
Re: Message Error
Re: Notify
Re: Old photos
Re: Old times
Re: Order
Re: Proof of concept
Re: Protected Mail Delivery
Re: Protected Mail Request
Re: Protected Mail System
Re: Question
Re: Re:
Re: Request
Re: Sample
Re: Secure delivery
Re: Secure SMTP Message
Re: Sex pictures
Re: SMTP Server
Re: Status
Re: Submit a Virus Sample
Re: Test
Re: Thank you for delivery
Re: Virus Sample
Re: Your document
read it immediately
Shocking document
Spam
Spamed?
Stolen document
Thank you!
thanks!
You cannot do that!
Your day

The body of the e-mail contains one of the following messages, but it can also be blank.

9u049u89gh89fsdpokofkdpbm3-4i
Are you a spammer? (I found your email on a spammer website!?!)
Authentication required.
Bad Gateway: The message has been attached.
Best wishes, your friend.
Binary message is available.
Can you confirm it?
Congratulations!, your best friend.
Delivered message is attached.
Do not visit this illegal websites!
Encrypted message is available.
ESMTP [Secure Mail System #334]: Secure message is attached.
First part of the secure mail is available.
Follow the instructions to read the message.
For further details see the attachment.
For more details see the attachment.
Forwarded message is available.
Greetings from france, your friend.
Have a look at these.
Here is it!
Here is my icq list.
Here is my phone number.
Here is the website. ;-)
I am shocked about your document!
I cannot believe that.
I found this document about you.
I have attached it to this mail.
I have attached the sample.
I have attached your document.
I have attached your file. Your password is jkl44563.
I have corrected your document.
I have received your document. The corr
I have received your document. The corrected document is attached
I have visited this website and I found you in the spammer list. Is that true?
I hope the patch works.
I hope you accept the result!
I noticed that you have visited illegal websites. See the name in the list!
Important message, do not show this anyone!
Let§us be short: you have no experience in writing letters!!!
lovely, :-)
Message has been sent as a binary attachment.
Monthly news report.
My favourite page.
New message is available.
Now a new message is available.
Partial message is available.
Please answer quickly!
Please authenticate the secure message.
Please confirm my request.
Please confirm the document.
Please confirm!
Please r564g!he4a56a3haafdogu#mfn3o


Please read the attached file!
Please read the attached file.
Please read the attachment to get the message.
Please read the document.
Please read the important document.
Please see the attached file for details.
po44u90ugjid-k9z5894z0
Protected Mail System Test.
Protected message is attached.
Protected message is available.
Requested file.
Secure Mail System Beta Test.
See the file.
See the ghg5%&6gfz65!4Hf55d!46gfgf


SMTP: Please confirm the attached message.
Thank you for your request, your details are attached!
Thanks!
The file is protected with the password ghj001.
The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards,
Keria Reynolds

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

The sample is attached!
Try this game ;-)
Try this, or nothing!
Waiting for a Response. Please read the attachment.
Waiting for authentification.
You got a new message.
You have downloaded these illegal cracks?.
You have received an extended message. Please read the instructions.
You have visited illegal websites. I have a big list of the websites you surfed.
You have written a very good text, excellent, good work!
You were registered to the pay system. For more details see the attachment.
Your archive is attached.
your big love, ;-)
Your bill is attached to this mail.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.
Your important document, correction is finished!
Your mail account has been closed. For further details see the document.
Your mail account is expired. See the details to reactivate it.
Your photo, uahhh.... , you are naked!
Your requested mail has been attached.

At the bottom of the message there can be the text "+++ Attachment: No Virus found". It is always followed by one of the following lines:

+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ MC-Afee AntiVirus - www.mcafee.com
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Panda AntiVirus - www.pandasoftware.com
++++ F-Secure AntiVirus - www.f-secure.com
++++ Norman AntiVirus - www.norman.com
++++ Norton AntiVirus - www.symantec.de

The name of the attachment is chosen from the list below. Sometimes it is formed by joining two strings from the list.

about_you
abuselist
abuses
abuse_list
all_doc01
all_in_all
application
approved
approved
archive
attach
bill
confirm
corrected
d4334938
data
data02
data20
datfiles
detail3
details
details03
details05
doc01
document
document01
document04
document05
document07
document09
document342
document43
document_all
document_all02c
document_with_notice
doc_word3
email
encrypted_msg01
excel document
file
game
game_xxo
id04009
id09509
id43342
important
important
improved
info02
information
judge
letter
letter32
letter43
list
list_ed
mails9
message
msg
my
my_details
my_list01
my_numbers
news01
old_photos
part6
part_01
patch3425
pgp_sess01
photo
postcard
priv
private_01
product
pwd02
readme
report01
sample01
screensaver
signature
software
story
summary2004
text
text01
website
websitelist01
websites01
websites03
word document
word_doc
www.freeporn4all
www.myx4free
your
your_doc
your_document

The attachment is either an executable or a ZIP archive. If it is an EXE file, it has two extensions: the first is either ".doc" or ".txt", and the second is ".exe", ".scr" or ".pif".

If the attachment is a ZIP archive, its extension is ".zip". The archive contains the Win32/NetSky.Q executable, which can have one of three names inside the archive:

document.txt .exe
data.rtf .scr
details.txt .pif

The parts of the e-mail messages are not chosen completely at random: the worm contains information about which subjects, message bodies and attachment names belong together, so the generated messages usually make sense.
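The two message traits described above, the fake "+++ Attachment: No Virus found" footer and the decoy double extension on the attachment or on the file inside the ZIP, are what a mail gateway can key on. The following detector is an added example, not code from the original description or from ESET; the sample message it builds is constructed here with harmless placeholder bytes.

```python
import io, re, zipfile
from email import message_from_string
from email.message import EmailMessage

# Attachment naming described in the text: a decoy first extension (.doc/.txt, plus
# .rtf in the ZIP variants) then, optionally after spaces, a real executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt|rtf)\s*\.(exe|scr|pif)$", re.IGNORECASE)
# Fake scanner footer: the marker line followed by a "+++ <vendor> AntiVirus - www." line.
FOOTER_RE = re.compile(r"^\+{3,4} Attachment: No Virus found\r?\n\+{3,4} .+ AntiVirus - www\.",
                       re.MULTILINE)

def is_netsky_style_name(filename: str) -> bool:
    """True for names such as 'document.txt .exe' or 'details.txt.pif'."""
    return DOUBLE_EXT_RE.search(filename.strip()) is not None

def suspicious_zip_members(data: bytes) -> list:
    """Names inside a ZIP attachment that use the double-extension trick."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_netsky_style_name(n)]
    except zipfile.BadZipFile:
        return []

def analyse_message(raw: str) -> list:
    """Return the NetSky.Q-style indicators found in a raw RFC 822 message."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if part.get_content_type() == "text/plain" and not name:
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if FOOTER_RE.search(body):
                hits.append("fake-av-footer")
        elif name and is_netsky_style_name(name):
            hits.append("double-extension:" + name)
        elif name and name.lower().endswith(".zip"):
            for member in suspicious_zip_members(part.get_payload(decode=True)):
                hits.append("zip-member:" + member)
    return hits

def build_sample() -> str:
    """Constructed message mimicking the described layout (harmless placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.txt .pif", b"placeholder, not an executable")
    msg = EmailMessage()
    msg.set_content("Protected message is attached.\n\n+++ Attachment: No Virus found\n"
                    "+++ Kaspersky AntiVirus - www.kaspersky.com\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details.zip")
    return msg.as_string()
```

Running `analyse_message(build_sample())` reports both the footer and the "details.txt .pif" member; a plain "details.txt" attachment produces no hit.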

The worm contains a message for the author of the Win32/Bagle worm.
