Name: I-Worm.Netsky.b
Aliases: W32/Netsky.b@MM, W32/Netsky-B, W32.Netsky.B@mm, Win32.Netsky.B, Worm/Netsky.B, WORM_NETSKY.B, Moodown.B, I-worm.Moodown.B
Type: Worm
Size: 22,016 bytes (packed)
First appeared on: 18.02.2004
Damage: Low
Brief Description: Netsky.B is a worm that deletes the entries that belong to several worms, including Mydoom.A, Mydoom.B and Mimail.T.
Netsky.B spreads via e-mail and through peer-to-peer (P2P) file sharing programs.
Visible Symptoms:
Technical description: Netsky.B creates the file SERVICES.EXE in the Windows directory. This file is a copy of the worm.
Netsky.B creates the following entries in the Windows Registry:
If it does not succeed in creating the first entry, it attempts to create the second one.
By creating any of these entries, Netsky.B ensures that it is run whenever Windows is started.
Netsky.B deletes the following entries in the Windows Registry, if present:
These entries belong to several worms, including Mydoom.A, Mydoom.B and Mimail.T.
Propagation:
Netsky.B spreads via e-mail, through peer-to-peer (P2P) file sharing programs and across networks.
Netsky.B follows the routine below:
It reaches the computer in an e-mail message with variable characteristics:
Sender: one of the following:
Subject: one of the following:
Message: any of the following lines:
Attachments: it is variable, and usually has a double extension:
Possible file names: ABOUTYOU, ATTACHMENT, BILL, CONCERT, CREDITCARD, DETAILS, DINNER, DISCO, DOC, DOCUMENT, FAKE, FINAL, FOUND, FRIEND, HELLO, HI, INFORMATION, JOKES, LOCATION, MAIL2, MAILS, ME, MESSAGE, MISC, MSG, NOMONEY, NOTE, OBJECT, PART2, PARTY, POSTING, PRODUCT, PS, RANKING, READ IT IMMEDIATELY, RELEASE, SHOWER, SOMETHING FOR YOU, STOLEN, STORY, STUFF, SWIMMINGPOOL, TALK, TEXTFILE, TOPSELLER, UNKNOWN, WARNING or WEBSITE.
First file extension: DOC, HTM, RTF or TXT.
Second file extension: COM, EXE, PIF or SCR. On some ocassions, the attached file only has one of these executable extensions.
This worm can also be sent in a file compressed in a ZIP format.
The following are only some examples: ABOUTYOU.DOC.EXE, DOCUMENT.RTF.COM, WEBSITE.SCR, STUFF.ZIP, etc.
In addition, in order to trick the user into thinking that the attached file is completely harmless, it has the same icon as a Word document.
The computer is affected when the attached file is run.
Netsky.B searches for e-mail addresses in files that have the following extensions ADB, ASP, DBX, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, TBB, TXT, UIN, VBS and WAB.
Netsky.B sends itself out to all the addresses it has gathered, using its own SMTP engine. In order to obtain the SMTP server, it makes a DNS query to the mail domain of the affected user. It uses the IP address 217.5.100.1 to make DNS queries.
Netsky.B follows the routine below:
It creates copies of itself in directories with a name that contains the text strings share or sharing, in the hard drives C: through Z:. It uses the following file names, among others:
By doing this, it attempts to copy itself to the shared directories of P2P file sharing programs.
Other users these programs can access the shared directories and download the files to their computers, thinking that they are useful computer programs, information, pictures, etc. However, these users will actually download a copy of the worm.
When the downloaded file is run, these computers will be affected by Netsky.B.
Netsky.B attempts to copy itself to the hard drives C: to Z:, excepting those which belong to CD-ROM drives. The hard drives it copies to include mapped network drives. These copies can be compressed in a ZIP format.
Removal tool and instruction:
Download removal tool from BitDefender.com
