Netsky.D harvests email addresses from .adb, .asp, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .oft, .php, .pl, .rtf, .sht, .shtm, .msg, .tbb, .txt, .uin, .vbs, and .wab files found on drives C through Z, with the exception of CD-ROM drives.
Netsky.D uses an SMTP mailing routine similar to that of Sobig.F and MyDoom.A: it carries its own SMTP engine, queries the DNS server for the MX record of each target domain, then connects directly to that domain's MTA to send itself to the harvested recipients at that domain. The From address of the email is spoofed.
Netsky.D avoids sending itself to addresses that contain abuse, fbi, orton, f-pro, aspersky, cafee, orman, itdefender, f-secur, avp, skynet, spam, messagelabs, ymantec, antivi, or icrosoft.
The email composed by Netsky.D has the following characteristics:
SUBJECT:
- Re: Hello
- Re: Hi
- Re: Thanks!
- Re: Document
- Re: Message
- Re: Here
- Re: Details
- Re: Your details
- Re: Approved
- Re: Your document
- Re: Your text
- Re: Excel file
- Re: Word file
- Re: My details
- Re: Your music
- Re: Your bill
- Re: Your letter
- Re: Document
- Re: Your website
- Re: Your product
- Re: Your document
- Re: Your software
- Re: Your archive
- Re: Your picture
- Re: Here is the document
BODY:
- Here is the file.
- Your file is attached.
- Your document is attached.
- Please read the attached file.
- Please have a look at the attached file.
- See the attached file for details.
ATTACHMENT:
- yours.pif
- your_text.pif
- your_bill.pif
- mp3music.pif
- document.pif
- my_details.pif
- your_file.pif
- your_website.pif
- your_product.pif
- your_letter.pif
- your_archive.pif
- your_details.pif
- document_word.pif
- all_document.pif
- application.pif
- your_picture.pif
- document_excel.pif
- document_4351.pif
- document_full.pif
- message_part2.pif
- your_document.pif
- message_details.pif
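As an added example (not part of the original description), the following Python triage helper checks a quarantined or logged message against the subject, body and attachment templates listed above, using only the standard library's email parser. The indicator sets are copied from the lists above; the sample message is constructed for the demonstration, not a real capture.

```python
"""Flag messages whose subject, body and attachment name match the Netsky.D
templates. Added example for mail-gateway triage, not code from the original."""
import email
from email import policy

# Indicator sets taken from the template lists above.
SUBJECTS = {"Re: Hello", "Re: Hi", "Re: Thanks!", "Re: Document", "Re: Message",
            "Re: Here", "Re: Details", "Re: Your details", "Re: Approved",
            "Re: Your document", "Re: Your text", "Re: Excel file", "Re: Word file",
            "Re: My details", "Re: Your music", "Re: Your bill", "Re: Your letter",
            "Re: Your website", "Re: Your product", "Re: Your software",
            "Re: Your archive", "Re: Your picture", "Re: Here is the document"}
BODIES = {"Here is the file.", "Your file is attached.", "Your document is attached.",
          "Please read the attached file.", "Please have a look at the attached file.",
          "See the attached file for details."}
ATTACHMENTS = {"yours.pif", "your_text.pif", "your_bill.pif", "mp3music.pif",
               "document.pif", "my_details.pif", "your_file.pif", "your_website.pif",
               "your_product.pif", "your_letter.pif", "your_archive.pif",
               "your_details.pif", "document_word.pif", "all_document.pif",
               "application.pif", "your_picture.pif", "document_excel.pif",
               "document_4351.pif", "document_full.pif", "message_part2.pif",
               "your_document.pif", "message_details.pif"}

def netsky_d_indicators(raw: bytes) -> dict:
    """Return which Netsky.D template fields a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    names = {p.get_filename() for p in msg.iter_attachments() if p.get_filename()}
    hits = {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "pif_attachment": bool(names & ATTACHMENTS),   # exact template filename
        "any_pif": any(n.lower().endswith(".pif") for n in names),  # looser check
    }
    hits["match"] = hits["subject"] and hits["body"] and hits["pif_attachment"]
    return hits

# Constructed sample message shaped like the templates above (not a real capture).
SAMPLE = (b"From: alice@example.com\r\nTo: bob@example.org\r\n"
          b"Subject: Re: Your document\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nYour document is attached.\r\n"
          b"--b1\r\nContent-Type: application/octet-stream; name=\"your_document.pif\"\r\n"
          b"Content-Disposition: attachment; filename=\"your_document.pif\"\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n")
```

A full match on all three fields is a strong indicator; `any_pif` alone only says a .pif attachment is present and should be treated as a weaker signal.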
Similar to Netsky.C, Netsky.D copies itself as WINLOGON.EXE into the %WinDir% folder (e.g. C:\WINDOWS). Note that the legitimate WINLOGON.EXE resides in the Windows\System32 directory, so a copy in the Windows folder itself is suspect. Netsky.D also modifies the system registry so that it is loaded when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ICQ Net" = C:\Windows\WINLOGON.EXE -stealth
Netsky.D also removes several registry edits associated with various other malware:
From HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Netsky.D removes any of the following:
- au.exe
- d3dupdate.exe
- Explorer
- KasperskyAv
- OLE
- Taskmon
- DELETE ME
From HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netsky.D removes any of the following:
- Explorer
- KasperskyAv
- msgsvr32
- Sentry
- service
- system
- Taskmon
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Netsky.D also makes outgoing DNS queries to a series of hard-coded IP addresses.