Netsky.c prevention and cure
By Robert Vamosi
(February 25, 2004)

The third variation of the Netsky worm is an annoying prankster for those whose PCs are infected. Netsky.c (w32.netsky.c@mm) uses randomized e-mail messages and network shared files to spread copies of itself via ZIP or EXE file attachments. Netsky.c does not open any backdoor Internet access to the infected computer but will execute a beeping sound on infected computers if the date is February 26, 2004, between the local time of 6 a.m. and 9 a.m. It will also attempt to remove copies of the MyDoom.a, MyDoom.b, Netsky.a, and Netsky.b worms, if the machine has previously been infected with those worms. Netsky.c affects only Windows users; Linux, Mac OS, and Unix users are not affected. Because this worm spreads via e-mail and networked shared files and could congest e-mail servers with excess traffic, Netsky.c rates a 6 on our Virus Meter.

How it works
Netsky.c arrives with a spoofed e-mail return address and a random subject line. The body text consists of a short sentence randomly chosen from a long list. The attached file uses a random single word or a string of numbers with two extensions: the first could be .doc, .htm, .text, or .rtf; the second .exe, .pif, .scr, or .com.

When the worm is active, it displays a false Error dialog box that says that a file could not be opened. Netsky.b copies itself to the Windows subdirectory under the name winLogon.exe and is 25,352 bytes in size.

The worm then updates the system Registry by adding:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

Then it attempts to delete the following Registry key values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer" "system." "KasperskyAv"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Taskmon" "Explorer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "system."

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Netsky.c searches the infected hard drive for usable e-mail addresses. The worm creates ZIP file copies of itself, choosing one of the names below for the attached file.

The worm finds all folders on the infected drive that are shared or that have the word "share" in the name and adds copies of itself. These shared folders may be network shares, as in an office, or peer-to-peer file-sharing folders.
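The indicators given above (the Run-key value, the dropped file's name and size, and the double-extension attachment names) can be turned into simple triage checks for an administrator reviewing a suspect machine. The following Python is an added example, not code from this article or from any antivirus vendor; the registry values and attachment names it runs over are constructed samples, and it assumes the Run key has already been exported on the Windows side into a name-to-data dictionary.

```python
import re

# Persistence entry described in the article: "ICQ Net" under the Run key,
# launching %WinDir%\WINLOGON.EXE -stealth. The -stealth switch is the
# distinctive part; the real winlogon.exe is never started from Run.
RUN_VALUE_NAME = "ICQ Net"
RUN_DATA_RE = re.compile(r"\\winlogon\.exe\s+-stealth\s*$", re.IGNORECASE)

# Name and size of the copy dropped into the Windows directory (per the article).
DROPPED_FILE_NAME = "winlogon.exe"
DROPPED_FILE_SIZE = 25352

# Attachment naming pattern from the article: a single word or a string of
# digits, a document-looking first extension, then an executable extension.
FIRST_EXT = ("doc", "htm", "text", "rtf")
SECOND_EXT = ("exe", "pif", "scr", "com")
ATTACHMENT_RE = re.compile(
    r"^(?:[a-z]+|[0-9]+)\.(?:%s)\.(?:%s)$"
    % ("|".join(FIRST_EXT), "|".join(SECOND_EXT)),
    re.IGNORECASE,
)


def suspicious_run_values(run_values):
    """Return names of Run-key values whose data launches winlogon.exe -stealth.
    run_values maps value name -> value data. The name is reported so the
    operator sees the "ICQ Net" disguise the article describes."""
    return [name for name, data in run_values.items() if RUN_DATA_RE.search(data)]


def is_dropped_copy(filename, size):
    """True when a file in %WinDir% matches the dropped copy's name and size."""
    return filename.lower() == DROPPED_FILE_NAME and size == DROPPED_FILE_SIZE


def is_suspicious_attachment(filename):
    """True when an attachment name follows the double-extension pattern."""
    return ATTACHMENT_RE.match(filename) is not None


# Constructed sample inputs (not real captures) to exercise the checks.
SAMPLE_RUN_VALUES = {
    "ICQ Net": r"C:\WINDOWS\WINLOGON.EXE -stealth",  # constructed: matches article
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",          # constructed: benign entry
}
SAMPLE_ATTACHMENTS = ["document.doc.exe", "3471.htm.scr", "report.rtf", "notes.text"]

if __name__ == "__main__":
    print("Run values to review:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("Dropped copy present?", is_dropped_copy("winLogon.exe", 25352))
    print("Attachments to quarantine:",
          [a for a in SAMPLE_ATTACHMENTS if is_suspicious_attachment(a)])
```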

Prevention
Update your antivirus software with the latest signature files.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.