Summary

NetSky.X worm was discovered on April 20th, 2004.

This variant is extremely close to the latest NetSky variants. It shares up to approximately 86% of the code and features in common with NetSky.U.

Netsky.X sends messages in several different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic ocean. In many cases the messages are composed incorrectly suggesting that the worm's author did not ask native speakers for translation or used an on-line translation service like Babel Fish.

Update on April 23rd, 2004

It looks like the Netsky's author mistyped the domain suffix for Turkey - he put '.tc' instead of '.tr'. We came to that conclusion after verifying that the text that is sent to addresses in .tc domain is in Turkish (word by word translation from dictionary).

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.X worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Additional Details

The worm's file is a PE executable 26112 bytes long packed with PE-Patch and TeLock file compressors.

Some of the worm's text strings are scrambled using the same algorithm as all the other variants.

Installation to system

Upon execution NetSky.X copies itself as FirewalSrv.exe file to Windows folder and adds a startup key for this file into System Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "FirewallSvr" = "%WinDir%\FirewallSvr.exe"

where %WinDir% represents Windows folder name.

Spreading in e-mail

Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:

 .eml
 .txt
 .php
 .cfg
 .mbx
 .mdx
 .asp
 .wab
 .doc
 .vbs
 .rtf
 .uin
 .shtm
 .cgi
 .dhtm
 .adb
 .tbb
 .dbx
 .pl
 .htm
 .html
 .sht
 .oft
 .msg
 .ods
 .stm
 .xls
 .jsp
 .wsh
 .xml
 .mht
 .mmf
 .nch
 .ppt

The worm composes two different types of messages. According to whether the destination address is one of the following domains:

 .tc
 .se
 .fi
 .pl
 .no
 .pt
 .it
 .fr
 .de
 .xx

It will compose messages in the corresponding language, choosing from the following parts.

Subjects chosen from:

 Re: belge
 Re: dokumenten
 Re: dokumentoida
 Re: udokumentowac
 Re: dokumentet
 Re: original
 Re: documento
 Re: dokument
 Re: document

Bodies chosen from:

 mutlu etmek okumak belgili tanimlik belge.
 Behaga läsa dokumenten.
 Haluta kuulua dokumentoida.
 Podobac sie przeczytac ten udokumentowac.
 Behage lese dokumentet.
 Leia por favor o original.
 Legga prego il documento.
 Veuillez lire le document.
 Bitte lesen Sie das Dokument.
 Please read the document.

Attachment filename:

 belge.pif
 dokumenten.pif
 dokumentoida.pif
 udokumentowac.pif
 dokumentet.pif
 original.pif
 documento.pif
 dokument.pif
 document.pif

Payload

Netsky.X has a payload. It performs a DoS (Denial of Service) attack on the following websites from 28th to 30rd of April 2004:

 www.nibis.de
 www.medinfo.ufl.edu
 www.educa.ch

Detection

Detection of NetSky.X worm was published on April 20th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]
Version=2004-04-20_02

Technical Details: Alexey Podrezov & Ero Carrera, April 20th, 2004;

Description Updated: Alexey Podrezov, April 28th, 2004;