|Place of Origin||Waffensen, Niedersachsen, Germany|
|File Type(s)||.exe, .pif, .scr, .zip|
|Reported Costs||$31.3 billion|
Netsky is a worm notable for the fact that it has many variants and was very successful at spreading. It is also notable for its P variant staying at number 1 of many lists of prevalent viruses and worms for two years, with Netsky.D following close behind. Some of its variants deleted other worms, making it a helper or nematode. Its creator was also behind the Sasser worm.
Netsky can arrive in an email with six possible spoofed sender lines:
- Ebay Auctions <moc.yabe|rednopser#moc.yabe|rednopser>
- Yahoo Auctions <moc.oohay|snoitcua#moc.oohay|snoitcua>
- Amazon automail <moc.nozama|rednopser#moc.nozama|rednopser>
- MSN Auctions <moc.nsm|snoitcua#moc.nsm|snoitcua>
- QXL Auctions <moc.lxq|rednopser#moc.lxq|rednopser>
- EBay Auctions <moc.yabe|rednopser#moc.yabe|rednopser>
The subject line reads, "Auction successful!". The message says:
#----------------- message was sent by automail agent ------------------# Congratulations! You were successful in the auction. Auction ID :<3 sets of 4 random numbers>-A Product ID :<3 sets of 4 random numbers>-P A detailed description about the product and the bill are attached to this mail. Please contact the seller immediately. Thank you!
The attachment could be one of the following:
When executed, the worm creates a mutex that keeps more than one copy of the worm from running named "AdmMoodownJKIS003". It copies itself to the Windows folder as Services.exe.
Netsky then adds the registry value "Service = (Windows folder)\services.exe -serv" to the Local Machine run key, which causes the worm to run when Windows starts. It also deletes the values Taskmon and Explorer from that registry key, as well as the Current user version of that key (These values are set there by the Mydoom worm). It also deletes another Mydoom-created key. It also deletes KasperskyAV and System from the local machine run key.
It then copies itself to the Windows or WINNT folder as one of the filenames used for the attachment in a .zip file (from prod_info_55761.rtf.exe.zip to prod_info_54433.doc.exe.zip).
Netsky searches drives C through Z for folders with names containing "share" or "sharing" and copies itself as one of the following names:
- sex sex sex sex.doc.exe
- rfc compilation.doc.exe
- win longhorn.doc.exe
- programming basics.doc.exe
- how to hack.doc.exe
- max payne 2.crack.exe
- eminem - lick my pussy.mp3.pif
- cool screensaver.scr
- hardcore porn.jpg.exe
- photoshop 9 crack.exe
The worm searches for email addresses in files with the following extensions:
The worm has its own SMTP engine to mass-mail itself.
The very successful Netsky.P variant has the ability to infect a computer from the preview pane, similar to Nimda and it deletes registry keys that Mydoom and its variants use to infect and deliver their payloads.
Netsky was the most popular worm for over 2 years. The original and most if not all of its variants have a beneficial, rather than destructive payload. A British security consultant company, mi2g claimed that the worm caused between $25.6 billion and $31.3 billion in damage (this company has been widely criticised for its ridiculously high estimates and scaremongering).
The fact that Netsky has been so successful at spreading is somewhat of a mystery to many anti-malware experts, because of its minimalist social engineering tactics.
Jaschan said that he was trying to develop a worm that would delete other worms, notably Mydoom and Beagle. As some variants of Netsky delete registry key values and other things that those worms use to perform their malicious activities, this is not an outrageous claim. Netsky started a "Worm War" between itself and Mydoom and Beagle. Netsky.J was to be the last version of Netsky, but other variants did follow.
Netsky and its variants were at the top of the virus/worm charts for two years. When it began spreading in Spring of 2004, it had tough competition from Beagle, with Mydoom close behind. It was finally beaten by Warezov, also known as Stration, in October of 2006.
Yana Liu. Symantec.com, W32.Netsky@mm
INQUIRER newsdesk. The Inquirer Net's top malware targets Vista. 2006.11.30
John Leyden. The Register, "Netsky Tops Virus Charts by a Country Mile". 2004.04.01
-. -, NetSky author signs off. 2003.03.10
-. -, "German Police Arrest Sasser Worm Suspect". 2004.05.10
David Berlind. ZDNet, Ballmer seeing last 12 months through rose-colored glasses?. 2004.10.04