

   INCIDENT NOTES

CERT-In Incident Note CIIN-2004-04

W32/Netsky.c@MM worm

Original Issue Date: February 27, 2004

Severity: High

Type : Worm

Aliases:   I-Worm.Moodown.c, Win32/Netsky.C, W32.Netsky-C@mm, WORM_NETSKY.C

Systems Affected:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows NT
  • Microsoft Windows 9X
  • Microsoft Windows ME

Overview

  • Spreads over e-mail and mapped network drives
  • Installs a copy of itself as %Windir%\Winlogon.exe
  • Sends itself to e-mail addresses harvested from files whose extension is one of: .adb, .asp, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .msg, .oft, .php, .pl, .rtf, .sht, .shtm, .tbb, .txt, .uin, .vbs and .wab. The worm also searches drives C through Y for folders whose names contain "Shar" (such as "Shared" folders) and copies itself into them.
  • The Subject, message body and attachment name vary (see Description).

Impact

The worm generates large volumes of e-mail and copies itself to shared folders. Because it mails itself to every address it harvests, it can congest e-mail servers and network links with excess traffic.

Description

When W32.Netsky.C@mm runs, it does the following:

1. Creates a mutex named "[SkyNet.cz]SystemsMutex" so that only one instance of the worm runs at a time.

2. Copies itself as %Windir%\Winlogon.exe.

3. Sends e-mail messages with the following characteristics:

From: (Spoofed)

Subject: one of the following (the Subject line may also be blank)

    • Delivery Failed
    • Status
    • report
    • question
    • trust me
    • hey
    • Re: excuse me
    • read it immediatelly
    • hi
    • Re: does it?
    • important
    • hello
    • dear
    • Re: unknown
    • info

Message: (One of the following, but could be blank)

    • <Deliver Error>
    • <Message Error>
    • <Server Error>
    • what means that?
    • help attached
    • <...>
    • ok...
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?

Attachment:
The attachment is a copy of the worm. Its name is chosen at random from the Attachment Names below; the worm may also attach it as a .zip file carrying one of those names.


Attachment Name: (One of the following)

    • document
    • associal
    • msg
    • yours
    • doc
    • wife
    • talk
    • message
    • response
    • creditcard
    • description

Extensions:
The attachment name commonly carries one of the following document-style extensions:

    • .txt
    • .rtf
    • .doc
    • .htm

This is used as a double extension: the document-style extension is followed by one of the following executable extensions (for example document.txt.exe), so the attachment executes when opened:

  • .exe
  • .scr
  • .com
  • .pif

4. Creates .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the above Attachment Names.
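The message characteristics above translate directly into a mail-gateway triage rule. The following Python script is an added example (not part of the CERT-In note and not the worm's own code): it parses a raw RFC 822 message with the standard-library `email` package and scores it against the subject, body and attachment-name lists from this note. The From header is deliberately ignored because the worm spoofs it. The sample messages are constructed inline for illustration; the `classify` function, its verdict labels and the "corroboration" rule for .zip names are the author's own design choices, not something the note specifies.

```python
"""Mail-gateway triage for W32/Netsky.C message indicators (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject and body indicators transcribed from the CERT-In note above.
# Lower-cased for comparison; "" covers the blank-subject / blank-body case.
SUBJECTS = {
    "delivery failed", "status", "report", "question", "trust me", "hey",
    "re: excuse me", "read it immediatelly", "hi", "re: does it?", "important",
    "hello", "dear", "re: unknown", "info", "",
}
BODIES = {
    "<deliver error>", "<message error>", "<server error>", "what means that?",
    "help attached", "<...>", "ok...", "that is interesting...",
    "i wait for your comment about it.", "such as yours?", "read the details.",
    "here is the document.", "*lol*", "read it immediately!",
    "i found that about you!", "your hero in the picture?", "",
}
NAMES = r"document|associal|msg|yours|doc|wife|talk|message|response|creditcard|description"
DOC_EXT = r"txt|rtf|doc|htm"
EXE_EXT = r"exe|scr|com|pif"
# <name>.<docext>.<exeext>, e.g. document.txt.pif
DOUBLE_EXT = re.compile(rf"^(?:{NAMES})\.(?:{DOC_EXT})\.(?:{EXE_EXT})$", re.I)
# <name>.zip, e.g. msg.zip
ZIP_NAME = re.compile(rf"^(?:{NAMES})\.zip$", re.I)


def classify(raw: bytes) -> dict:
    """Return {'verdict': 'block' | 'suspect' | 'pass', 'reasons': [...]}.

    A double-extension executable is blocked on its own. A worm-style .zip
    name is blocked only when the subject or body corroborates it; subject or
    body hits alone ("hi", "status") are too common and only mark the message
    as suspect. The From header is not consulted: the worm spoofs it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, strong = [], False

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject matches list: {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in BODIES:
        reasons.append(f"body matches list: {text!r}")
    context_hit = bool(reasons)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.match(name):
            reasons.append(f"executable double extension: {name}")
            strong = True
        elif ZIP_NAME.match(name):
            reasons.append(f"zip named like worm attachment: {name}")
            strong = strong or context_hit

    verdict = "block" if strong else ("suspect" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


def build(subject: str, body: str, attachment: str = None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.com"   # worm spoofs this; ignored above
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: two worm-like messages, one benign "hi", one normal report.
SAMPLES = {
    "worm_exe": build("hey", "what means that?", "document.txt.pif"),
    "worm_zip": build("Re: does it?", "read the details.", "msg.zip"),
    "plain_hi": build("hi", "Lunch at 1?"),
    "benign": build("Q3 numbers", "Slides attached, see p.4.", "q3-report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

Feeding real traffic through `classify` gives "block" for the two worm-like samples, "suspect" for the bare "hi", and "pass" for the report; a gateway would typically quarantine "block" and log "suspect" for review rather than rejecting it outright.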

Symptoms

  • Presence of %Windir%\Winlogon.exe and of .zip files in %Windir% carrying the attachment names listed above; an "ICQ Net" value under the Run registry keys
  • Unexpected network traffic

Workarounds

  • For an additional layer of protection, users are advised to deploy a personal firewall on their systems. Blocking the worm's outbound e-mail connections stops it spreading from an infected system to others.
  • Keep antivirus software up to date.

Solution

Removal Instructions:

  1. Reboot the system into Safe Mode.
  2. Delete the file WINLOGON.EXE from your WINDOWS directory (typically C:\WINDOWS or C:\WINNT).
    NOTE: Do not delete WINLOGON.EXE from the WINDOWS SYSTEM directory (System32 on Windows NT/2000/XP); that is a valid Windows system file.
  3. Edit the registry (regedit) and delete the "ICQ Net" value from each of:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Reboot the system normally.
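Before and after the removal steps above it helps to verify the indicators mechanically, in particular the distinction between the worm's %Windir%\Winlogon.exe and the legitimate one in the System directory. The following Python script is an added example (not part of the CERT-In note): it reports the worm file and the worm-named .zip files at the top level of the Windows directory and the "ICQ Net" value in the HKLM/HKCU Run keys. `read_run_values` uses the standard `winreg` module on a live Windows host; on other systems it returns nothing, and `build_sample_windir` constructs a stand-in directory so the file check can be exercised offline. Function names and output format are the author's own; the note itself only lists the artefacts.

```python
"""Host-side check for the W32/Netsky.C artefacts listed above (added example)."""
import os
import tempfile
from pathlib import Path

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ICQ Net"
# Attachment names from the note; the worm drops <name>.zip copies in %Windir%.
ZIP_NAMES = {"document", "associal", "msg", "yours", "doc", "wife", "talk",
             "message", "response", "creditcard", "description"}


def file_indicators(windir) -> list:
    """Return the worm files found directly in the Windows directory.

    Only the top level of windir is examined on purpose: winlogon.exe in the
    System directory (System32 on NT/2000/XP) is the legitimate logon process
    and must not be reported or deleted.
    """
    hits = []
    for entry in Path(windir).iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()   # Windows file names are case-insensitive
        if name == "winlogon.exe":
            hits.append(f"worm copy: {entry}")
        elif name.endswith(".zip") and name[:-4] in ZIP_NAMES:
            hits.append(f"worm zip: {entry}")
    return sorted(hits)


def registry_indicators(run_values: dict) -> list:
    """run_values maps a hive label ('HKLM'/'HKCU') to {value name: data}.

    Value names are compared case-insensitively, as the registry does.
    """
    return [f"{hive}\\{RUN_KEY}\\{name}"
            for hive, values in run_values.items()
            for name in values if name.lower() == RUN_VALUE.lower()]


def read_run_values() -> dict:
    """Snapshot the HKLM and HKCU Run keys on a live Windows host.

    Returns {} on non-Windows systems, where the winreg module is absent.
    """
    try:
        import winreg
    except ImportError:
        return {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    snapshot = {}
    for label, hive in hives:
        values = {}
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values
                        break
                    values[name] = data
                    index += 1
        except OSError:                  # key missing or not readable
            pass
        snapshot[label] = values
    return snapshot


def build_sample_windir() -> str:
    """Constructed stand-in for an infected %Windir% (test data, not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="netsky_demo_"))
    (root / "system32").mkdir()
    (root / "system32" / "winlogon.exe").write_bytes(b"legit")   # must not be reported
    (root / "Winlogon.exe").write_bytes(b"MZ")                    # worm copy
    (root / "document.zip").write_bytes(b"PK")                    # worm zip
    (root / "backup.zip").write_bytes(b"PK")                      # unrelated, not reported
    return str(root)


if __name__ == "__main__":
    windir = os.environ.get("WINDIR") or os.environ.get("SystemRoot") or build_sample_windir()
    for hit in file_indicators(windir) + registry_indicators(read_run_values()):
        print(hit)
```

Run it once before removal to confirm the artefacts, carry out steps 1 to 4 in Safe Mode, and run it again after the normal reboot: an empty report means the file and the Run value are gone. The script only reports; deletion is left to the manual steps so that nothing is removed from the System directory by mistake.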

Suggestions:

  • Always run anti-virus software and keep it up to date
  • Do not run programs of unknown origin

Further refer to CERT-In Security Guideline on Anti-Virus Policy & Best Practices.

References

Antivirus Vendors

Disclaimer
The information provided here-in is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003