Netsky.b prevention and cure
By Robert Vamosi

Second Internet threat this week appears only to spread copies of itself.

(February 18, 2004)

"This worm is like a cluster bomb," says iDefense's Ken Dunham, since Netsky.b first spreads via e-mail, then attacks network shared files. Netsky.b (w32.netsky.b@mm) uses randomized e-mail messages and network shared files to spread copies of itself via ZIP file attachments. At this time, Netsky.b appears only to spread and does not open any backdoor Internet access to the infected computer. The worm affects only Windows users; Linux, Mac OS, and Unix users are not affected. Because Netsky.b spreads via e-mail and networked shared files and could congest e-mail servers with excess traffic, this worm rates a 6 on the CNET Virus Meter.

How it works
Netsky.b arrives as e-mail with one of the following as its subject line:

hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown

The body consists of a short sentence chosen from a long list.

The attached file uses one of the names below:

document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc

The attachment name carries two extensions. The first, meant to make the file look like a document, is .txt, .rtf, .doc, or .htm; the second, which is the one Windows actually honours when the file is opened, is .exe, .scr, .com, or .pif. Because Windows hides known extensions by default, a name such as document.txt.exe is shown to the user as document.txt.
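The subject lines, attachment names, and double-extension trick described above are enough to build a simple mail-gateway triage check. The following Python is an added example written for this page, not code from CNET, from any antivirus vendor, or from the worm itself. It scans a message built inline (a constructed sample, not a captured worm mail; the bytes inside the ZIP are a placeholder stub, not an executable), looks inside ZIP attachments for members whose names pair a document extension with an executable one, and returns a verdict. The verdict policy (block on any disguised executable, suspicious on a listed subject alone) is this example's assumption, not something the article prescribes.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators from the article: Netsky.b subject lines and attachment base names.
NETSKY_SUBJECTS = {
    "hi", "hello", "read it immediately", "something for you",
    "warning", "information", "stolen", "fake", "unknown",
}
NETSKY_NAMES = {
    "document", "msg", "doc", "talk", "message", "creditcard", "details",
    "attachment", "me", "stuff", "posting", "textfile", "concert",
    "information", "note", "bill", "swimmingpool", "product", "topseller",
    "ps", "shower", "aboutyou", "nomoney", "found", "story", "mails",
    "website", "friend", "jokes", "location", "final", "release", "dinner",
    "ranking", "object", "mail2", "part2", "disco", "party", "misc",
}
DOC_EXT = {"txt", "rtf", "doc", "htm"}      # first (decoy) extension
EXEC_EXT = {"exe", "scr", "com", "pif"}     # second (real) extension

# base name may itself contain dots; only the last two extensions matter
DOUBLE_EXT = re.compile(r"^(?P<base>.+?)\.(?P<first>[a-z]+)\.(?P<second>[a-z]+)$", re.I)


def classify_filename(name):
    """Reasons a single file name looks like a Netsky.b payload ([] if none)."""
    reasons = []
    m = DOUBLE_EXT.match(name)
    if not m:
        return reasons
    base, first, second = (m[g].lower() for g in ("base", "first", "second"))
    if first in DOC_EXT and second in EXEC_EXT:
        reasons.append(f"double extension .{first}.{second}: executable disguised as a document")
        if base in NETSKY_NAMES:
            reasons.append(f"base name '{base}' is on the Netsky.b attachment list")
    return reasons


def scan_zip(data):
    """Look inside a ZIP attachment held in memory and classify each member name."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                leaf = member.rsplit("/", 1)[-1]
                reasons += [f"zip member {member}: {r}" for r in classify_filename(leaf)]
    except zipfile.BadZipFile:
        reasons.append("attachment is named .zip but is not a valid ZIP archive")
    return reasons


def scan_message(msg):
    """Return (verdict, reasons) for an email.message.EmailMessage.

    Verdict policy is an assumption of this example: 'block' when a disguised
    executable is present, 'suspicious' for weaker hits such as a listed
    subject line on its own, 'clean' otherwise.
    """
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NETSKY_SUBJECTS:
        reasons.append(f"subject '{subject}' is on the Netsky.b list")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            reasons += scan_zip(payload)
        else:
            reasons += classify_filename(fname)
    if any("double extension" in r for r in reasons):
        return "block", reasons
    return ("suspicious" if reasons else "clean"), reasons


def build_sample(subject, inner_name, zipped):
    """Construct a synthetic test message (not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("see the attached file")
    stub = b"MZ" + b"\x00" * 62  # placeholder bytes standing in for the payload
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, stub)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename=inner_name.split(".")[0] + ".zip")
    else:
        msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                           filename=inner_name)
    return msg


if __name__ == "__main__":
    for subj, name, zipped in [("hello", "document.txt.exe", True),
                               ("quarterly report", "report.pdf", False)]:
        verdict, why = scan_message(build_sample(subj, name, zipped))
        print(f"{subj!r} / {name}: {verdict} {why}")
```

The check deliberately keys on the extension pair rather than on the name list alone: the names are ordinary words that appear in legitimate mail, but a document extension immediately followed by an executable one has no honest use at a gateway.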

When the worm runs, it displays a fake error dialog saying that a file could not be opened. Netsky.b copies itself into the Windows directory (%windir%) under the name services.exe; note that the legitimate services.exe lives in the System32 subdirectory, not in %windir% itself.

The worm then adds the following Registry value so that it is started at every logon:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "service" = "%windir%\services.exe -serv"

Then it attempts to delete the following Registry values (and, in the last case, the key itself):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer" "system." "KasperskyAv"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "system."

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
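To check a host for the persistence entry described above, a responder can dump the Run key with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s` and parse the result. The Python below is an added example for this page, not code from CNET, from an antivirus vendor, or from the worm. It parses a constructed `reg query` listing, flags the exact value the article describes plus any Run entry that launches a services.exe from outside System32, and produces the cleanup commands. The sample listing, the value names in it, the output-format assumptions noted in the parser, and the "suspicious" heuristic are all assumptions of this example; on a live machine the worm's process must be ended before the file can be deleted.

```python
import re

# Autorun indicator from the article: value "service" under HKLM\...\Run whose
# data is "%windir%\services.exe -serv".
NETSKY_VALUE = "service"
NETSKY_DATA = re.compile(r"\\services\.exe\s+-serv\s*$", re.I)
ANY_SERVICES_EXE = re.compile(r"\\services\.exe\b", re.I)

# Constructed sample of `reg query ... /s` output (not from a real machine).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    service    REG_SZ    C:\WINDOWS\services.exe -serv
    Helper    REG_SZ    C:\WINDOWS\temp\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    (Default)    REG_SZ
"""


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into (key, name, type, data) tuples.

    Assumed format (reg.exe on Windows XP and later): key paths are flush-left,
    values are indented, and the three columns are separated by runs of spaces.
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key is None or len(cols) < 2:
            continue
        name, vtype = cols[0], cols[1]
        data = cols[2] if len(cols) == 3 else ""
        entries.append((key, name, vtype, data))
    return entries


def find_netsky_autorun(entries):
    """Return (severity, key, name, data) for Run entries that match.

    'netsky.b' is the exact value from the article. 'suspicious' (a heuristic
    assumed here) is any Run entry starting a services.exe outside System32:
    the real one is started by the Service Control Manager, never by a Run key.
    """
    hits = []
    for key, name, _vtype, data in entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        if name.lower() == NETSKY_VALUE and NETSKY_DATA.search(data):
            hits.append(("netsky.b", key, name, data))
        elif ANY_SERVICES_EXE.search(data) and "system32" not in data.lower():
            hits.append(("suspicious", key, name, data))
    return hits


def remediation_commands(hits):
    """Cleanup commands for confirmed hits (this example's suggestion, not a
    vendor procedure). The running worm process must be ended first, or the
    `del` will fail because the file is in use."""
    cmds = []
    for severity, key, name, data in hits:
        if severity != "netsky.b":
            continue
        exe = data.rsplit(" -serv", 1)[0].strip('" ')
        short_key = key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
        cmds.append(f'reg delete "{short_key}" /v {name} /f')
        cmds.append(f'del "{exe}"')
    return cmds


if __name__ == "__main__":
    found = find_netsky_autorun(parse_reg_query(SAMPLE_REG_QUERY))
    for hit in found:
        print(hit)
    for cmd in remediation_commands(found):
        print(cmd)
```

Run the parser over the real `reg query` output saved from the suspect machine rather than over the embedded sample; the "suspicious" tier exists because a variant could change the value name or the -serv switch while keeping the same drop location.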

Netsky.b then searches the infected hard drive for usable e-mail addresses and mails itself to them as a ZIP attachment, choosing the attachment name from the same list of names given above.

The worm also looks for folders on the infected drive that are shared, or whose names contain the word "share", and drops copies of itself into them. Such folders may be office network shares or the shared folders of peer-to-peer file-sharing programs, so the copies reach anyone who downloads from them.

Prevention
Update your antivirus software with the latest signature files. Treat any attachment whose name ends in .exe, .scr, .com, or .pif as hostile regardless of what comes before the final extension, and block such attachments (including inside ZIP files) at the mail gateway.

Removal
A few antivirus software companies have updated their signature files to include this worm. Updated signatures stop the worm on arrival and, in some cases, remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.

For the latest information on Netsky.b, see News.com.