Netsky Alert
infectionvectors.com
July 2004 (original alert: March 2004)
Overview
Netsky is a mass mailer, utilizing its own SMTP engine, which propagates by sending itself to every email address harvested from an infected computer. It received its name from a line of code in the worm and the mutex it creates.
Since the alleged author was taken into German custody, the variants of this worm have virtually ceased. However, machines are still infected in high numbers, especially with the .P variant. Organizations implementing email precautions for mass mail worms such as extension blocking (EXE, PIF, SCR, ZIP, CPL) and restricting access to TCP 25 have taken away the biggest infection vectors for this threat. Netsky also spreads via file shares, which should also be guarded by basic best practices (strong passwords, restricted access/ACLs, etc.).
Variants
Netsky was a pure mass mailer in that it did not attempt to open remote control channels through system backdoors until variant .K. It lifts email addresses from the infected machine and then sends a copy of the worm to each. Attachments are often sent with double extensions. It comes with an established list of 25 DNS servers that are used in cases where the infected box does not have an available option. It has undergone radical changes in subject line/attachment naming; however, it remains very true to the original simple design. The worm also spreads via file shares, copying itself under a number of different filenames to directories with “share” or “sharing” in their titles. Taking a cue from MyDoom, the worm avoids a number of domains by ignoring addresses containing strings such as “icrosoft” or “fbi.” The worm spoofs the “From:” field by selecting an address from the target list, making the message more attractive to recipients. Later versions of the worm attempt to delete MyDoom and Beagle from infected machines by removing Registry keys associated with the respective worms.
An abbreviated history of the worm:
Netsky.A
Discovered in the wild on February 16, 2004. The mass mailer used a short list of addresses in the “From:” field, making it an easy worm to filter at mail relays. Further, the attachment always started with “prod_info_” followed by a number. The extension sometimes included a double extension, a facet of the worm that gave some trouble to filtering strategies. Netsky.A, however, did not spread especially quickly or pervasively.
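An added example (not code from the original alert) of the mail-relay filtering described above: the extension block list from the Overview is applied across the whole extension chain of an attachment name, so double extensions such as `document.txt.pif` are caught, and a quarantine rule covers the Netsky.A “prod_info_” naming. The sample messages and the `example.test` addresses are constructed for the demonstration.

```python
import re

# Attachment extensions the alert recommends blocking at the mail relay.
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "zip", "cpl"}

# Netsky.A attachment names: "prod_info_" followed by a number (from the alert).
NETSKY_A_NAME = re.compile(r"^prod_info_\d+(\..+)?$")

def extension_chain(filename):
    """Every extension in the name, lowercased: 'Report.TXT.exe' -> ['txt', 'exe']."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return [p for p in parts[1:] if p]

def attachment_verdict(filename):
    """Return (action, reason) for one attachment name."""
    exts = extension_chain(filename)
    hits = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if hits:
        kind = "double-extension" if len(exts) > 1 else "blocked-extension"
        return ("block", f"{kind}:{hits[-1]}")
    if NETSKY_A_NAME.match(filename.strip().lower()):
        return ("quarantine", "netsky.a-name-pattern")
    return ("allow", "")

def filter_messages(messages):
    """Return [(subject, action, reason)]; the first non-allow attachment decides."""
    results = []
    for msg in messages:
        action, reason = "allow", ""
        for att in msg.get("attachments", []):
            action, reason = attachment_verdict(att)
            if action != "allow":
                break
        results.append((msg["subject"], action, reason))
    return results

# Constructed sample messages (not captured mail), shaped like the alert's descriptions.
SAMPLE_MESSAGES = [
    {"from": "user@example.test", "subject": "hello", "attachments": ["document.txt.pif"]},
    {"from": "support@example.test", "subject": "virus cleaner", "attachments": ["cleaner.zip"]},
    {"from": "user@example.test", "subject": "hi", "attachments": ["prod_info_3.txt"]},
    {"from": "hr@example.test", "subject": "agenda", "attachments": ["agenda.pdf"]},
]

if __name__ == "__main__":
    for subject, action, reason in filter_messages(SAMPLE_MESSAGES):
        print(f"{subject!r}: {action} {reason}".rstrip())
```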
Netsky.B
Many of the problems with the original design of the worm were corrected in the second version. The subject lines became more generic (selected from a list of 9 choices such as “hi,” “hello,” and “stolen”), as did message bodies. Combining selections from various pre-coded lists created the attachment name.
Netsky.C
The subject list is greatly expanded, as is the message body selection list.
Netsky.D
Detected March 1, 2004. This variant added the repetitive beeping of the internal speaker of an infected PC at 0600, 0700, and 0800 on any Tuesday in March 2004.
Netsky.E
Also found March 4, 2003, Netsky.E greatly expands the number of possible subjects, message bodies, and attachment names. The worm maintains the same general functionality: pure mass mailing with the attempts to remove Registry entries for MyDoom and Beagle. The PC beep will sound on any Tuesday in March 2004 at 0600, 0700, and 0800.
Netsky.K
The .K variant opens port 26 on the infected machine on March 16, 2004. Further, this version of the worm has a password in the message body, similar to Beagle; however, the attachment does not arrive as a password-protected .zip or MS Office document.
Netsky.P/.Q
Since March of 2004, this variant has remained a strong presence in the virus world. It exploits MS01-020 (a vulnerability allowing the worm to auto-execute itself). .P contains the same mass mail and file share routine as its predecessors.
Netsky.S
Includes a backdoor function, which allows the author to connect via TCP 6789. The worm uses only PIF extensions for the mass mailer, but all other mail/file share routines are the same.
Netsky.AC
Uses the CPL extension for mail attachments and carries message bodies that appear to have been scanned by popular AV programs.
Discussion
Due to the variable look of the worm, with multiple sets of attachment/subject names, the worm has spread quite rapidly and extensively over the last week. When discussing the issue with users it is important to gently remind them of the risks involved with opening attachments, even from senders that they recognize.
Netsky.K takes the messages farther, to include the infected machine’s user as well. The worm opens a dialog box with the following text, “SkyNet has the full control of your system now” on March 13, 2004. Three days later (on March 16, 2004) the worm displays the following text, “Please remove the file avpguard.exe from your Windows-Directory and do not open attachments anymore. It can be a virus like bagle and mydoom or similar malicios code. This is the Skynet-Antivirus!”
Detection
Overall, Netsky’s social engineering tactics are its biggest strengths. The emails often appear to be from AV vendors or an administrative account. The attachment is often presented as enticing content (Harry Potter information, virus cleaner, pornography, etc.) and is accompanied by message bodies that may seem legitimate.
It does use its own SMTP engine, making it dependent on DNS and the firewall (to allow it out of the network on TCP 25) to propagate. The file sharing vector can be trouble for organizations that do not impose restrictions on access between workstations.
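An added example (not from the original alert) of the network-side detection this section implies: an internal host sending SMTP directly to many outside hosts instead of through the site relay is running its own mail engine, and any connection to the Netsky.K (TCP 26) or Netsky.S (TCP 6789) listener ports on an internal host is worth an alarm. The log format, the relay address `10.0.0.25`, the `10.0.` internal range and the sample lines are all constructed here.

```python
import re
from collections import defaultdict

# Ports from the alert: 25 = worm's own SMTP engine, 26 = Netsky.K listener, 6789 = Netsky.S backdoor.
BACKDOOR_PORTS = {26, 6789}
MAIL_RELAY = "10.0.0.25"        # assumed site mail relay (constructed value)
INTERNAL_PREFIX = "10.0."       # assumed internal address space (constructed value)

# Constructed log format: "<timestamp> <src> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def analyze(lines, min_smtp_destinations=3):
    """Return sorted (host, finding) pairs for direct-SMTP and backdoor-port activity."""
    smtp_dests = defaultdict(set)
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # An internal host talking SMTP to anything but the relay is running its own engine.
        if dport == 25 and src.startswith(INTERNAL_PREFIX) and dst != MAIL_RELAY:
            smtp_dests[src].add(dst)
        # Anything reaching the Netsky.K/.S listener ports on an internal host.
        if dport in BACKDOOR_PORTS and dst.startswith(INTERNAL_PREFIX):
            findings.add((dst, f"inbound-backdoor-port-{dport}"))
    for src, dests in smtp_dests.items():
        if len(dests) >= min_smtp_destinations:
            findings.add((src, f"direct-smtp-to-{len(dests)}-hosts"))
    return sorted(findings)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2004-07-01T06:00:01 10.0.1.15 -> 10.0.0.25:25 tcp
2004-07-01T06:00:02 10.0.1.42 -> 192.0.2.10:25 tcp
2004-07-01T06:00:02 10.0.1.42 -> 192.0.2.11:25 tcp
2004-07-01T06:00:03 10.0.1.42 -> 198.51.100.7:25 tcp
2004-07-01T06:00:05 198.51.100.20 -> 10.0.1.42:6789 tcp
not a log record
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` flags 10.0.1.42 twice and leaves 10.0.1.15, which only talks to the relay, alone.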