
Netsky.B worm

By Mary Landesman, About.com

Feb 24 2004
The Netsky.B worm, a mass-mailing email worm that also spreads via P2P and network shares, was discovered early on the 18th of February, 2004. Netsky.B is also known as Win32/Netsky.B, W32.Netsky-B, Worm.SomeFool and WORM_Netsky.B.

Netsky.B spoofs the From address on the email it sends. Doing so can result in a large number of erroneous alert messages from various antivirus vendors. These alerts not only contribute to the overall worm traffic, but sometimes can contain actual copies of the infected email and attachment. Users who receive these alerts are at risk of infection should they open the attachment to determine what email was allegedly blocked. The act of spoofing the From address can also cause perfectly innocent people to be accused of sending the worm. Ironically, the one person least likely to be infected is the person whose name appears in the From field.

The attachment name may employ a double extension ruse that could trick users who do not have file extension viewing enabled. (By default, Windows disables file extension viewing. Visit the File Extension center for steps on enabling file extension viewing). Netsky.B randomly selects its first (false) extension: DOC, RTF, or HTM. The second (actual) extension will be PIF, COM, SCR or EXE. Netsky.B may also send itself as a ZIP file.

The attachment name is selected randomly from a long list of possible options.

The Subject can be any one of the following:
unknown
fake
stolen
information
warning
something for you
read it immediately
hello

The message body is randomly composed from a long list of various options.

Netsky.B drops a copy of itself to the Windows folder as services.exe and adds the following registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
service="C:\Windows\services.exe -serv"
(where C:\Windows\ stands for the local system's Windows directory).
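
The two traits above, the decoy-extension attachment paired with one of the listed Subjects and the Run key value, can be turned into simple detection checks. The following is an added example, not code from the original article; the rules follow the article's description, the function names are my own, and the sample messages are constructed.

```python
"""Detection helpers for the Netsky.B traits described in the article.

Added example. Subjects, extension pairs and the Run value come from the
article; sample inputs are constructed for illustration.
"""
import re
from typing import Optional

# Subjects the article lists for Netsky.B mail.
NETSKY_B_SUBJECTS = {
    "unknown", "fake", "stolen", "information", "warning",
    "something for you", "read it immediately", "hello",
}

# First (decoy) extension and second (real, executable) extension.
DECOY_EXTS = {"doc", "rtf", "htm"}
EXEC_EXTS = {"pif", "com", "scr", "exe"}

# Matches name.<decoy>.<exec>, e.g. "readme.doc.pif", case-insensitively.
DOUBLE_EXT_RE = re.compile(
    r"\.(%s)\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def attachment_is_suspicious(filename: str) -> bool:
    """True for the double-extension ruse or a ZIP attachment."""
    name = filename.strip().lower()
    return bool(DOUBLE_EXT_RE.search(name)) or name.endswith(".zip")


def classify_message(subject: str, attachment: str) -> Optional[str]:
    """Return a reason when both Netsky.B mail traits are present, else None.

    Requiring both keeps a lone 'hello' subject or a lone ZIP from alerting.
    """
    subject_hit = subject.strip().lower() in NETSKY_B_SUBJECTS
    if subject_hit and attachment_is_suspicious(attachment):
        return "Netsky.B subject with double-extension or ZIP attachment"
    return None


def run_value_is_netsky(value_name: str, value_data: str) -> bool:
    """Check a ...\\CurrentVersion\\Run value against the article's entry."""
    data = value_data.strip().strip('"').lower()
    return value_name.lower() == "service" and data.endswith("services.exe -serv")


if __name__ == "__main__":
    # Constructed samples, not real captures.
    for subj, att in [("read it immediately", "document.doc.pif"),
                      ("hello", "photo.jpg"), ("Meeting notes", "notes.doc")]:
        print(subj, att, "->", classify_message(subj, att))
```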

Netsky.B harvests email addresses from local and mapped drives from files with the following extensions: MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.

Netsky.B tries to copy itself into any local or mapped drive from C:\ to Z:\ and tries to drop a copy of itself into any folder whose name contains "share" or "sharing". The filenames used for these copies are:

angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e-book.archive.doc.exe
e.book.doc.exe
eminem - lick my pussy.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe

Manually removing the worm
To manually remove the worm, first delete any copies of itself dropped by Netsky.B, then delete the registry value added by the worm and reboot the system.



©2009 About.com, a part of The New York Times Company.

All rights reserved.