NetSky.B

Multiplying Fast, but not Deadly

18 February 2004

About the Virus

With yesterday's Bagle.B already the world's third most virulent worm, NetSky is right on its heels trying to catch up. Technically known as W32/Netsky.b@MM, this latest Netsky variant relies on random subjects, messages, and attachment names to help it spread. Its occasional use of the .ZIP extension, combined with its ability to spread through Windows shares, helps explain why this worm has multiplied so effectively. According to anti-virus vendors, this fast-moving worm doesn't contain any malicious payload -- making it an annoying bandwidth-hog at most.

Distinguishing Characteristics

Netsky.B randomly generates all properties of its malicious e-mail. Details below:

From: [Netsky.B spoofs the From address. It may appear to come from a friend or contact. If you receive a Netsky.B e-mail, don't blame the person it says it's from, because it wasn't really them.]

Subject: [One of the following]

  • hi
  • hello
  • read it immediately
  • something for you
  • warning
  • information
  • stolen
  • fake
  • unknown

Body: [One of the following]

  • anything ok?
  • what does it mean?
  • ok
  • i'm waiting
  • read the details.
  • here is the document.
  • read it immediately!
  • my hero
  • here
  • is that true?
  • is that your name?
  • is that your account?
  • i wait for a reply!
  • is that from you?
  • you are a bad writer
  • I have your password!
  • something about you!
  • kill the writer of this document!
  • i hope it is not true!
  • your name is wrong
  • i found this document about you
  • yes, really?
  • that is bad
  • here it is
  • see you
  • greetings
  • stuff about you?
  • something is going wrong!
  • information about you
  • about me
  • from the chatter
  • here, the serials
  • here, the introduction
  • here, the cheats
  • that's funny
  • do you?
  • reply
  • take it easy
  • why?
  • thats wrong
  • misc
  • you earn money
  • you feel the same
  • you try to steal
  • you are bad
  • something is going wrong
  • something is fool

Attachment: [One of the following with the extension .exe, .com, .pif, .scr, or .zip. NOTE: the worm may use a double extension such as .pif.zip]

  • document
  • msg
  • doc
  • talk
  • message
  • creditcard
  • details
  • attachment
  • me
  • stuff
  • posting
  • textfile
  • concert
  • information
  • note
  • bill
  • swimmingpool
  • product
  • topseller
  • ps
  • shower
  • aboutyou
  • nomoney
  • found
  • story
  • mails
  • website
  • friend
  • jokes
  • location
  • final
  • release
  • dinner
  • ranking
  • object
  • mail2
  • part2
  • disco
  • party
  • misc
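As an added example (not part of the original alert), the following mail-gateway heuristic turns the subject, attachment-name and extension lists above into a quarantine check, including the double extension such as .pif.zip that the alert notes. The indicator sets are copied from the alert; the sample messages are constructed for illustration.

```python
# Netsky.B mail-filter heuristic (added example; indicator lists taken from the alert).
NETSKY_SUBJECTS = {"hi", "hello", "read it immediately", "something for you",
                   "warning", "information", "stolen", "fake", "unknown"}
NETSKY_ATTACH_NAMES = {"document", "msg", "doc", "talk", "message", "creditcard",
                       "details", "attachment", "me", "stuff", "posting", "textfile",
                       "concert", "information", "note", "bill", "swimmingpool",
                       "product", "topseller", "ps", "shower", "aboutyou", "nomoney",
                       "found", "story", "mails", "website", "friend", "jokes",
                       "location", "final", "release", "dinner", "ranking", "object",
                       "mail2", "part2", "disco", "party", "misc"}
NETSKY_EXTS = {"exe", "com", "pif", "scr", "zip"}

def split_attachment(filename):
    """Return (base name, list of extensions), e.g. 'document.pif.zip'
    -> ('document', ['pif', 'zip']), so double extensions are kept visible."""
    parts = filename.lower().split(".")
    return parts[0], parts[1:]

def is_netsky_attachment(filename):
    """True when the base name is on the alert's list and every extension
    (one or more) is one the worm uses; a bare name with no extension is not flagged."""
    base, exts = split_attachment(filename)
    return (base in NETSKY_ATTACH_NAMES and len(exts) >= 1
            and all(e in NETSKY_EXTS for e in exts))

def score_message(subject, attachments):
    """Return the list of indicators matched by one message."""
    hits = []
    if subject.strip().lower() in NETSKY_SUBJECTS:
        hits.append("subject")
    for name in attachments:
        if is_netsky_attachment(name):
            hits.append("attachment:" + name)
    return hits

def should_quarantine(subject, attachments):
    """Subjects like 'hello' are common on their own, so the decision hinges on
    a matching attachment; the subject match is only supporting evidence."""
    return any(h.startswith("attachment:") for h in score_message(subject, attachments))

SAMPLE_MESSAGES = [  # constructed samples, not real captures
    {"subject": "read it immediately", "attachments": ["document.pif.zip"]},
    {"subject": "Q3 budget", "attachments": ["budget.xlsx"]},
    {"subject": "hello", "attachments": []},
]

def triage(messages):
    return [(m["subject"], should_quarantine(m["subject"], m["attachments"])) for m in messages]

if __name__ == "__main__":
    for subj, q in triage(SAMPLE_MESSAGES):
        print(("QUARANTINE" if q else "deliver   ") + "  " + subj)
```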

If you run the executable file attached to a Netsky.B e-mail, Netsky.B adds itself to your default Windows directory and adjusts the registry so that it can restart when your computer does. The worm may also display a window claiming, "the file could not be opened!" One of the files it drops is called AdmSkynetJKIS003, likely a reference to the "Skynet" artificial intelligence system that lets machines conquer the world in the popular Terminator movies.

Next, Netsky.B gathers e-mail addresses from various files on your PC and sends itself to those addresses, using its own SMTP engine. It also searches for file shares and copies itself to those shares. Since some file shares are associated with P2P applications like Kazaa, Netsky.B also spreads via P2P.

Unlike the most recent worms, Netsky.B doesn't seem to contain any malicious payload. It does, however, attempt to remove the registry entries associated with the MyDoom viruses. Although we never consider any worm as helpful or safe, Netsky.B qualifies more as a quick-spreading irritant than a serious security risk.

What you can do

  • As always, remind your users never to open unexpected attachments from any source. Inform them that most modern viruses falsify the "From" field and appear to come from friends, co-workers and third parties.

  • Most major anti-virus vendors already have signatures that detect Netsky.B. Check with your vendor for the latest update.


Date: 08/24/2004