Antivirus Software


Netsky.Q up to its old tricks

By Mary Landesman, About.com

Mar 29 2004
A new variant of Netsky seems more determined than ever to remove infections left behind by certain other worms. The new variant, Netsky.Q, was first discovered on March 29, 2004. As with many of the earlier Netsky variants, Netsky.Q avoids sending itself to addresses associated with a wide range of antivirus vendors.

Using its own SMTP engine to spread, Netsky.Q harvests email addresses from various files found on the infected user's system, and uses those addresses in both the From and To fields of the email. The worm email may exploit MS01-020, a malformed MIME header flaw that can allow attachments to be executed automatically on unpatched systems.

Netsky.Q attempts to remove registry edits made by other worms, particularly those of the Bagle worm, and including one left by DoomHunter, a worm that tried to remove the MyDoom worm from impacted systems.

On the 30th of March 2004, at 5:11 a.m. local time, Netsky.Q begins making a beeping noise. On the 8th through 11th of April 2004, Netsky.Q attempts a DoS attack against several websites:

    www.edonkey2000.com
    www.kazaa.com
    www.emule-project.net
    www.cracks.am
    www.cracks.st

Netsky.Q copies itself to the Windows directory as SysMonXP.exe and modifies the HKLM...\run key in order to launch when Windows is restarted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMonXP = "C:\Windows\SysMonXP.exe"

Netsky.Q email characteristics

Subject:

    Deliver Mail
    Delivered Message
    Delivery
    Delivery Bot
    Delivery Error
    Delivery Failed
    Delivery Failure
    Error
    Failed
    Failure
    Mail Delivery failure
    Mail Delivery System
    Mail System
    Server Error
    Status
    Unknown Exception

First part of body:

    Delivery Agent - Translation failed
    Delivery Failure - Invalid mail specification
    Mail Delivery - This mail couldn't be displayed
    Mail Delivery Error - This mail contains unicode characters
    Mail Delivery Failed - This mail couldn't be represented
    Mail Delivery Failure - This mail couldn't be shown.
    Mail Delivery System - This mail contains binary characters
    Mail Transaction Failed - This mail couldn't be converted

Second part of body:

    Note: Received message has been sent as a binary file.
    Modified message has been sent as a binary attachment.
    Received message has been sent as an encoded attachment.
    Translated message has been attached.
    Message has been sent as a binary attachment.
    Received message has been attached.
    Partial message is available and has been sent as a binary attachment.
    The message has been sent as a binary attachment.

Attachment name:

    data
    mail
    msg
    message

The email attachment name will be followed by random numbers, and will have one of the following extensions: exe, pif, scr, or zip.
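As an added example (not part of the original article), the following Python checker applies the subject, body and attachment-name characteristics listed above to raw messages so a mail administrator can flag them before they reach a user. The two sample messages embedded in it are constructed for illustration; the attachment pattern assumes the "random numbers" are decimal digits, which is an assumption, not something the article states.

```python
import re
from email import message_from_string
from email.message import Message

# Subjects transcribed from the list above.
NETSKY_Q_SUBJECTS = {
    "Deliver Mail", "Delivered Message", "Delivery", "Delivery Bot",
    "Delivery Error", "Delivery Failed", "Delivery Failure", "Error",
    "Failed", "Failure", "Mail Delivery failure", "Mail Delivery System",
    "Mail System", "Server Error", "Status", "Unknown Exception",
}

# "First part of body" strings transcribed from the list above.
NETSKY_Q_BODY_OPENERS = (
    "Delivery Agent - Translation failed",
    "Delivery Failure - Invalid mail specification",
    "Mail Delivery - This mail couldn't be displayed",
    "Mail Delivery Error - This mail contains unicode characters",
    "Mail Delivery Failed - This mail couldn't be represented",
    "Mail Delivery Failure - This mail couldn't be shown.",
    "Mail Delivery System - This mail contains binary characters",
    "Mail Transaction Failed - This mail couldn't be converted",
)

# data/mail/msg/message + random digits (assumed decimal) + one of the four
# extensions the article names.
ATTACHMENT_RE = re.compile(
    r"^(?:data|mail|msg|message)\d+\.(?:exe|pif|scr|zip)$", re.IGNORECASE
)


def attachment_names(msg: Message) -> list:
    """Filenames of every attached part in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def first_text_body(msg: Message) -> str:
    """Decoded text of the first text/plain part that is not an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            return payload.decode("latin-1", "replace").lstrip()
    return ""


def netsky_q_indicators(raw: str) -> list:
    """Return the Netsky.Q characteristics matched by one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in NETSKY_Q_SUBJECTS:
        hits.append("subject")
    if first_text_body(msg).startswith(NETSKY_Q_BODY_OPENERS):
        hits.append("body")
    for name in attachment_names(msg):
        if ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def is_netsky_q(raw: str) -> bool:
    """Flag a message only when the attachment pattern and at least one text
    characteristic both match; a bare bounce notice with no attachment is not
    enough, which keeps ordinary delivery-failure mail from being quarantined."""
    hits = netsky_q_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


# Constructed sample: a message built to match the characteristics above.
SAMPLE_WORM = """From: alice@example.test
To: bob@example.test
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail Delivery System - This mail contains binary characters
Note: Received message has been sent as a binary file.
--b1
Content-Type: application/octet-stream; name="message4821.pif"
Content-Disposition: attachment; filename="message4821.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: a legitimate bounce that should not be flagged.
SAMPLE_BOUNCE = """From: mailer-daemon@example.test
To: bob@example.test
Subject: Delivery Status Notification (Failure)
Content-Type: text/plain

This is an automatically generated Delivery Status Notification.
Delivery to the following recipient failed permanently:
     carol@example.test
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("bounce", SAMPLE_BOUNCE)):
        print(label, is_netsky_q(raw), netsky_q_indicators(raw))
```

Because the worm forges both From and To from harvested addresses, neither header is useful on its own; the combination of a listed subject or body opener with the attachment naming pattern is what distinguishes these messages from a genuine delivery-status notice.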

Removing the worm

As with any infection, the best removal can be accomplished using up-to-date antivirus software. To manually remove Netsky.Q, use the Windows Task Manager to stop the SysMonXP process, then delete the value:

SysMonXP = "C:\Windows\SysMonXP.exe"

from the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete SysMonXP.exe from the Windows directory.


©2009 About.com, a part of The New York Times Company.

All rights reserved.