W32.Netsky.Q@mm

Printer Friendly Page

Discovered: March 29, 2004
Updated: March 29, 2004 9:59:55 AM
Systems Affected: Windows

W32.Netsky.Q@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system. It also performs denial of service attacks on certain dates.

This variant's email messages also appear to exploit the Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524).

Discovered: March 29, 2004
Updated: March 29, 2004 9:59:55 AM
Systems Affected: Windows

W32.Netsky.Q@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions on drives C through Z:
.a
.ad
.adb
.as
.asp
.c
.cf
.cfg
.cg
.cgi
.d
.db
.dbx
.dh
.dht
.dhtm
.do
.doc
.e
.em
.eml
.h
.ht
.htm
.html
.j
.js
.jsp
.m
.mb
.mbx
.md
.mdx
.mh
.mht
.mm
.mmf
.ms
.msg
.n
.nc
.nch
.o
.od
.ods
.of
.oft
.p
.ph
.php
.pl
.pp
.ppt
.r
.rt
.rtf
.s
.sh
.sht
.shtm
.st
.stm
.t
.tb
.tbb
.tx
.txt
.u
.ui
.uin
.v
.vb
.vbs
.w
.wa
.wab
.ws
.wsh
.x
.xl
.xls
.xm
.xml

The email message typically has the following properties:
The from address is spoofed from an address taken from the system.

The subject is constructed in the format [Random Subject][Recipient Email Address] where the Random Subject is one of the following:
Deliver Mail
Delivered Message
Delivery
Delivery Bot
Delivery Error
Delivery Failed
Delivery Failure
Error
Failed
Failure
Mail Delivery failure
Mail Delivery System
Mail System
Server Error
Status
Unknown Exception

Message body can be one of the following:
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn't be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted

The following is then appended to the message body:
------------- failed message -------------

This will be followed by random characters and one of the following:
Note: Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.

There is also a chance that the following text may be appended to the message:
Or you can view the message at:
www.[Recipient_Domain]/inmail/[Recipient_Name]/mread.php?
sessionid-[Random_Number]

Attachment name is constructed in the format [Random Filename][Random Number][Random Extension] where the filename can be one of the following:
data
mail
msg
message

The extension will be either .zip or .pif. If the file is a zip archive, it will contain one of the following files:
data.eml[100 space characters].scr
mail.eml[100 space characters].scr
msg.eml[100 space characters].scr
message.eml[100 space characters].scr

The worm avoids sending to email addresses that contain any of the following strings:

@antivi
@avp
@bitdefender
@fbi
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@

The worm attempts to exploit the issue described as Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524), to execute the attachment as soon as the email is viewed.

It then creates the following copies of itself:
%Windir%\FIREWALLLOGGER.TXT
%Windir%\SYSMONXP.EXE

It creates the mutex "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_" so that only a single copy of the worm may be memory resident.

The following MIME encoded copies of the worm are also created:
%Windir%\base64.tmp
%Windir%\zippedbase64.tmp
%Windir%\zipo3.txt
%Windir%\zipo2.txt
%Windir%\zipo1.txt
%Windir%\zipo0.txt

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP = %Windir%\SysMonXP.exe

It then attempts to remove other worms by deleting the following values:
Explorer
system.
msgsvr32
au.exe
winupd.exe
direct.exe
jijbl
Video
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
Microsoft IE Execute shell
Winsock2 driver
ICM version
yeahdude.exe
Microsoft System Checkup

from the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It also deletes the following keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

The worm also creates a separate thread to monitor the system time. If the time is 0511 on March 30, 2004, it causes the system speaker to start beeping.

On April 8, 9, 10, and 11, the worm will attempt to perform a denial of service attack against the following websites:
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st