
CERT-In Incident Note CIIN-2004-03

W32/Netsky.b@MM worm

Original Issue Date: February 19, 2004

Severity: Medium

Type: Worm

Aliases: W32/Netsky.b@MM, W32/Netsky.B.worm, Moodown.B, I-Worm.Moodown.b

Systems Affected:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows NT
  • Microsoft Windows 9X
  • Microsoft Windows ME

Overview

  • Spreads over e-mail and mapped network drives
  • Installs a copy of itself as %Windir%\services.exe
  • Collects target e-mail addresses from files with specific extensions (.adb, .asp, .dbx, .doc, .eml, .htm, .msg, .wab, etc.) on the local system
  • Copies itself to specifically named files on local (non-CDROM) drives or mapped network shares
  • Also attempts to deactivate the W32/Mydoom.a@MM, W32/Mydoom.b@MM and Mimail.T worms

Impact

The worm congests networks with the traffic it generates. W32/Netsky.B may cause denial of service in networks where (a) multiple systems are infected, or (b) large numbers of infected e-mails are received.

Description

The worm spreads via e-mail and peer-to-peer file sharing networks. It arrives as an e-mail message with the following details:

From: (forged address taken from the infected system) or skynet@skynet.de
Subject: (one of the following)

  • fake
  • hello
  • hi
  • immediately
  • information
  • warning
  • you

Body: (may contain a short random message)

Attachment: a random filename with a double extension, the first extension being one of the following:

  • .txt
  • .rtf
  • .doc
  • .htm

followed by one of:

  • .com
  • .pif
  • .scr
  • .exe

The worm may also arrive in the form of a .zip archive.
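As an added example (not part of the CERT-In note), a small Python triage function that flags a parsed e-mail when it matches the indicators listed above: the subject list, the skynet@skynet.de sender, the document-then-executable double extension, or a .zip attachment. The sample messages it builds are constructed for illustration only.

```python
import re
from email.message import EmailMessage, Message

# Indicators taken from the advisory text above.
NETSKY_B_SUBJECTS = {"fake", "hello", "hi", "immediately", "information", "warning", "you"}
NETSKY_B_SENDER = "skynet@skynet.de"
# First extension is the decoy document type, second is the executable type.
DOUBLE_EXT_RE = re.compile(r"\.(txt|rtf|doc|htm)\.(com|pif|scr|exe)$", re.IGNORECASE)


def netsky_b_indicators(msg: Message) -> list:
    """Return the Netsky.B indicators matched by one parsed message, headers first, then attachments."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in NETSKY_B_SUBJECTS:
        hits.append(f"subject:{subject}")
    if NETSKY_B_SENDER in (msg.get("From") or "").lower():
        hits.append(f"sender:{NETSKY_B_SENDER}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and the multipart container carry no filename
        if DOUBLE_EXT_RE.search(name):
            hits.append(f"double-extension:{name}")
        elif name.lower().endswith(".zip"):
            hits.append(f"zip-attachment:{name}")
    return hits


def build_sample(sender: str, subject: str, filename: str) -> EmailMessage:
    """Construct a one-attachment message for testing (synthetic, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    worm = build_sample("someone@example.com", "hello", "document.txt.exe")
    clean = build_sample("colleague@example.com", "Meeting minutes", "minutes.doc")
    print(netsky_b_indicators(worm))   # ['subject:hello', 'double-extension:document.txt.exe']
    print(netsky_b_indicators(clean))  # []
```

A subject hit alone ("hi", "you") is weak on its own; a gateway rule would normally act on the attachment indicators and treat subject and sender matches as corroboration.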

Symptoms

  • Existence of unknown files and registry changes
  • Unexpected network traffic

Workarounds

  • For an additional layer of protection, users are advised to deploy a personal firewall on their systems. This helps stop the worm spreading to other systems by blocking its ability to send e-mail.
  • Update antivirus software.

Solution

Removal Instructions:

(a) Edit the registry:

  1. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. Delete the entry:
     service = %Windows%\services.exe -serv
  3. Navigate to HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}
  4. Add a new subkey named: InProcServer32
  5. Set its value to: %System%\WEBCHECK.DLL

(b) Reboot the system

Suggestions:

  • Always run and maintain anti-virus software
  • Do not run programs of unknown origin

For further guidance, refer to the CERT-In Security Guideline on Anti-Virus Policy & Best Practices.


Disclaimer
The information provided here-in is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003